Forum Discussion
Azure-AD app-role inheritance to AD-synced security-groups not working
Hi everybody!
To explain the title: I have created an Enterprise App in Azure AD, which is used to log in with your Microsoft user to a WordPress website using SAML SSO.
The Microsoft users are synced from an on-premise AD using Azure AD Connect.
For the app to be applied, I created two app roles with attributes from the WordPress website: one role, "Subscribers", with read permission only, and one role, "Writers", obviously with write permission.
Now for my problem: I have over 500 possible users to put into the groups, with far more users working in the company. The users are already in multiple security groups in the local AD, which also get synced to AAD. I created two new groups in AD and assigned some test users to them; so far it works fine.
Now I don't want to assign every single user, so I decided to assign the already existing groups from AD to the new groups I created. But then the users do not receive the permission from the app roles I created, even though in Azure AD I can clearly see that the groups are assigned correctly, but inheritance seems not to work.
Now permissions and inheritance are not my primary skill, so I hope someone can help me or clarify to me why it is not working or what options I should change to make it work.
I hope for the best; if you need further information, please ask me.
Justus E.
2 Replies
- tommykneetz (Iron Contributor):
  https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-saasapps
  ----------
  Important
  You can use this feature only after you start an Azure AD Premium trial or purchase Azure AD Premium license plan. Group-based assignment is supported only for security groups. Nested group memberships are not supported for group-based assignment to applications at this time.
  ---------
  you could try dynamic groups: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-create-rule
- Justus_E (Copper Contributor):
  tommykneetz, thanks for the quick reply; the point that nested groups are not supported is all I needed to know. I will assign the groups separately to the app!
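Since group-based app assignment does not expand nested membership, the practical fix agreed on in this thread is to assign each nested security group to the app role directly. The following Microsoft Graph PowerShell script is an added example (not posted by either participant and not Microsoft's own tooling): it walks the groups nested under the group that is already assigned, skips groups that are not security-enabled or are already assigned, and creates a direct app-role assignment for the rest. The app name, group name and role name are placeholders; the script assumes the Microsoft.Graph PowerShell SDK is installed and the caller has the Group.Read.All, Application.Read.All and AppRoleAssignment.ReadWrite.All permissions.

```powershell
# Added example: flatten nested groups into direct app-role assignments.
# Placeholders below must be replaced with the tenant's real values.
Connect-MgGraph -Scopes "Group.Read.All","Application.Read.All","AppRoleAssignment.ReadWrite.All"

$appDisplayName  = "wordpress-sso"   # placeholder: display name of the Enterprise App
$parentGroupName = "WP-Writers"      # placeholder: the group currently assigned to the app
$appRoleName     = "Writers"         # the app role defined on the app

# Resolve the service principal and the app role it exposes
$sp   = Get-MgServicePrincipal -Filter "displayName eq '$appDisplayName'"
$role = $sp.AppRoles | Where-Object { $_.DisplayName -eq $appRoleName }
if (-not $role) { throw "App role '$appRoleName' not found on '$appDisplayName'" }

$parent = Get-MgGroup -Filter "displayName eq '$parentGroupName'"

# Recursively collect the groups nested under a group. Graph's transitiveMembers
# endpoint would return the same set; the explicit walk keeps the nesting visible.
function Get-NestedGroups {
    param([string]$GroupId)
    foreach ($g in (Get-MgGroupMemberAsGroup -GroupId $GroupId -All)) {
        $g
        Get-NestedGroups -GroupId $g.Id
    }
}

$nested = Get-NestedGroups -GroupId $parent.Id | Sort-Object -Property Id -Unique

# Principals already holding this role on the app, so the run is idempotent
$existing = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Where-Object { $_.AppRoleId -eq $role.Id } |
    Select-Object -ExpandProperty PrincipalId

foreach ($g in $nested) {
    if (-not $g.SecurityEnabled) {
        Write-Warning "Skipping '$($g.DisplayName)': only security groups can be assigned to apps"
        continue
    }
    if ($existing -contains $g.Id) {
        Write-Host "Already assigned: $($g.DisplayName)"
        continue
    }
    # Direct assignment of the nested group to the app role
    New-MgGroupAppRoleAssignment -GroupId $g.Id -PrincipalId $g.Id `
        -ResourceId $sp.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Assigned '$($g.DisplayName)' to role '$appRoleName'"
}
```

Run it once per app role (Subscribers and Writers) and re-run it whenever a new group is nested under the parent in on-premise AD, because Azure AD Connect will sync the new nesting but the app assignment will not follow it. Groups that are only nested and never directly assigned are exactly the ones whose users keep failing to get the role, so the "Skipping"/"Assigned" output doubles as a check for the symptom described in the original post.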