Intro
We have two domains (Domain1 and Domain2) that have a trust in both directions, and our AzureAD sync tool syncs various OUs from each domain, including the Groups OU and Users OU for each.
There is an Enterprise App which uses a synced group (GroupA, synced from Domain1; it is a Security group with Domain Local scope) to control SSO access.
Problem
GroupA contains users from both Domain1 and Domain2.
The Sync tool syncs GroupA to AzureAD, but only with members from Domain1, and not the members from Domain2.
Troubleshooting
I have checked the AAD Sync tool and the users from Domain1 and Domain2 are being synced, so they are known to AzureAD. So to me, they should be added to GroupA, but they aren't.
I have struggled to find anything like this online. The only other thing I can think of is GroupA's scope is set to Domain Local, rather than Universal.
Potential Solution
Create a second group in Domain2 with the Domain2 users in it and let that sync.
Any ideas?
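As an added diagnostic (not code from the question or any of the answers), the following lists GroupA's on-premises members grouped by the domain they come from and by how each membership is stored, so it can be compared against the membership Azure AD shows. It assumes the ActiveDirectory RSAT module on a Domain1-joined host; 'GroupA' is the group named in the question.

```powershell
# Added diagnostic example; assumes the ActiveDirectory RSAT module on a
# Domain1-joined host. 'GroupA' is the group named in the question.
Import-Module ActiveDirectory

function Get-GroupMembersByDomain {
    param([Parameter(Mandatory)][string]$GroupName)

    # Read the scope and the raw 'member' DNs. Reading the attribute directly
    # avoids Get-ADGroupMember failing on members it cannot resolve across a trust.
    $group = Get-ADGroup -Identity $GroupName -Properties member, GroupScope
    Write-Host ("Group : {0}" -f $group.DistinguishedName)
    Write-Host ("Scope : {0}" -f $group.GroupScope)   # DomainLocal, Global or Universal

    $rows = foreach ($dn in $group.member) {
        # A member from a trusted domain outside the forest is stored in the
        # group's own domain as a foreignSecurityPrincipal whose CN is its SID.
        if ($dn -like '*,CN=ForeignSecurityPrincipals,*') {
            $sid = ($dn -split ',')[0].Substring(3)
            try {
                # Translate the SID through the trust to DOMAIN\account.
                $nt = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                          [System.Security.Principal.NTAccount]).Value
                $domain = $nt.Split('\')[0]
            } catch { $domain = 'UNRESOLVED-FSP' }
            $kind = 'foreignSecurityPrincipal'
        } else {
            # Same-forest members keep their real DN; take its DC= components.
            $dcs = ($dn -split ',') | Where-Object { $_ -like 'DC=*' } |
                   ForEach-Object { $_.Substring(3) }
            $domain = $dcs -join '.'
            $kind = 'direct'
        }
        [pscustomobject]@{ Domain = $domain; Kind = $kind; Member = $dn }
    }

    # Per-domain counts to compare with the group's membership in Azure AD.
    $rows | Group-Object Domain, Kind |
        Select-Object @{n='Domain/Kind';e={$_.Name}}, Count |
        Format-Table -AutoSize | Out-Host
    return $rows
}

$members = Get-GroupMembersByDomain -GroupName 'GroupA'
```

If a domain's members appear only as foreignSecurityPrincipal entries, the sync tool is reading SID references rather than user objects for them, which is worth comparing against the members Azure AD actually lists.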
All groups should sync unless they are the following:
Why not create an Azure security group instead and add the required members from each domain then assign that to the Enterprise App?