Just a quick post.
I noticed that one of my Entra ID apps was not able to read the groups of the user logging in.
I checked the API permissions, but that was not it.
I had to change the groupMembershipClaims value in the Manifest:
PowerShell command which I missed:
Set-AzureADApplication -ObjectId $app.ObjectId -GroupMembershipClaims "SecurityGroup"
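
To confirm the change took effect, a freshly issued token can be inspected for the groups claim. The following is an added example, not part of the original post: the function names and sample tokens are constructed for illustration, and the overage branch assumes the Entra ID behaviour of emitting `_claim_names` or `hasgroups` instead of `groups` when the user belongs to too many groups.

```powershell
# Added example: inspect a token payload for the groups claim (no signature check; diagnostics only).
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected dot-separated segments.' }
    # base64url -> base64, then restore the stripped padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
        1 { throw 'Invalid base64url length.' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Get-GroupsClaimStatus {
    param([Parameter(Mandatory)][string]$Token)
    $claims = ConvertFrom-JwtPayload -Token $Token
    $names  = @($claims.PSObject.Properties.Name)
    if ($names -contains 'groups') {
        return "present: $(@($claims.groups).Count) group id(s)"
    }
    # Overage: too many groups to embed, so the token points to Graph instead
    $overage = ($names -contains 'hasgroups') -or
               ($names -contains '_claim_names' -and
                @($claims._claim_names.PSObject.Properties.Name) -contains 'groups')
    if ($overage) { return 'overage: look up memberships via Microsoft Graph' }
    return 'missing: check groupMembershipClaims in the manifest'
}

# Constructed sample tokens (hypothetical values, placeholder signature)
function New-SampleToken {
    param([hashtable]$Claims)
    $enc = { param($s) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    '{0}.{1}.constructed-signature' -f (& $enc '{"typ":"JWT","alg":"RS256"}'), (& $enc ($Claims | ConvertTo-Json -Compress))
}

$before  = New-SampleToken @{ sub = 'user1'; aud = 'constructed-app-id' }
$after   = New-SampleToken @{ sub = 'user1'; groups = @('11111111-1111-1111-1111-111111111111') }
$overage = New-SampleToken @{ sub = 'user1'; _claim_names = @{ groups = 'src1' } }

foreach ($t in $before, $after, $overage) { Get-GroupsClaimStatus -Token $t }
```

The decoder does not validate the signature, so it is suitable for troubleshooting a token you already trust, not for authorization decisions.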