Thank you for your time on the call yesterday.
As per the troubleshooting we did on our call, we found that the users are part of AAD. But these users are not part of any of the groups. We found that these users were created directly in AAD.
We moved one of the users from on-premises to a different OU and made that OU part of the sync scope in AD Connect. We enabled sync for the tenant and initiated a sync. We found that this selected user was merged successfully with the AAD user object and was also added to the required groups, as it was on-premises.
As discussed, you have to move all the users to one OU on-premises and make that OU part of the sync scope in AD Connect. Once you run the initial sync in AD Connect, all users from the on-premises OU will be merged with the AAD user objects.
Also, all these users will be added to the required groups, the same as their group memberships on-premises.
You can use the command below to initiate the sync in AD Connect:
Start-ADSyncSyncCycle -PolicyType Initial
We also discussed another approach to fix this. You can leave the on-premises environment aside and make all user objects in AAD part of the groups by manually adding them to their specific groups directly in AAD.
Let us know if you have any further questions on this.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
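The move-then-sync procedure from the answer, as an added PowerShell example that is not part of the original answer: before moving each user into the scoped OU it checks that a matching cloud object exists, because Azure AD Connect joins on-premises and AAD objects by UPN (or primary SMTP), and a mismatch produces a duplicate instead of the merge the answer describes. The OU path, the user list file and the module availability are assumptions.

```powershell
# Added example, not from the original answer. Run on the Azure AD Connect
# server with the ActiveDirectory, ADSync and Microsoft.Graph modules present.
# $TargetOu and users.txt are assumed values; replace them with your own.

$TargetOu = 'OU=SyncedUsers,DC=corp,DC=example'      # assumed OU that will be in sync scope
$Users    = Get-Content -Path 'C:\temp\users.txt'     # assumed list of sAMAccountNames

Import-Module ActiveDirectory
Import-Module ADSync
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome

$Report = foreach ($Sam in $Users) {
    $OnPrem = Get-ADUser -Identity $Sam -Properties userPrincipalName
    # Soft match: the cloud object is joined on UPN (or primary SMTP).
    # No match here means the sync would create a second, unlinked user.
    $Cloud = Get-MgUser -Filter "userPrincipalName eq '$($OnPrem.UserPrincipalName)'" `
                        -Property Id, UserPrincipalName, OnPremisesSyncEnabled

    [pscustomobject]@{
        User            = $Sam
        UPN             = $OnPrem.UserPrincipalName
        CloudMatchFound = [bool]$Cloud
        AlreadySynced   = [bool]$Cloud.OnPremisesSyncEnabled
    }
}
$Report | Format-Table -AutoSize

# Move only users that have a cloud object to merge with; fix the UPN of the rest first.
$Ready = $Report | Where-Object { $_.CloudMatchFound -and -not $_.AlreadySynced }
foreach ($Entry in $Ready) {
    $Dn = (Get-ADUser -Identity $Entry.User).DistinguishedName
    Move-ADObject -Identity $Dn -TargetPath $TargetOu -Confirm:$false
}

# With $TargetOu included in the connector's OU filtering (set in the
# Azure AD Connect wizard), run the initial cycle from the answer.
Start-ADSyncSyncCycle -PolicyType Initial

# Wait for the run to finish; the cmdlet returns nothing once connectors are idle.
do { Start-Sleep -Seconds 15 } while (Get-ADSyncConnectorRunStatus)
```

After the cycle completes, re-run the report: AlreadySynced should now be true for every moved user, which confirms the on-premises object was joined to the existing AAD object rather than duplicated.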