Forum Discussion
Why does my ADLS2 ACL grant access to individuals but not members of groups?
I'm trying to implement Access Control Lists on ADLS2 storage. First time trying to use fine-grained ACLs rather than RBAC over containers so I'm probably just doing something stupid - hoping someone can help!
I have someone, let's call him Fred, who is a member of the Data-Analysts AAD group. I have a file in the root of a container. Fred and the Data-Analysts group have no RBAC permissions over the container - either direct or inherited - so any access they get is coming through ACL.
I grant Fred --X on the container and R-X on the file in the root of the container.
Fred can access the file - great!
But assigning ACLs to individuals is bad practice - so now I remove Fred's permissions and instead grant the same permissions on the container (--X) and file (R-X) to the Data-Analysts AAD group - of which Fred is a member.
But now Fred can't access the file. Which is a surprise to me. Does anyone have any thoughts as to why this might happen? I don't!
Thanks in advance for any suggestions.
- Matt
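A small model of the ACL check for the two configurations described in the post (the direct grant to Fred, then the same grant to Data-Analysts), added here as an illustration and not part of the original post. It assumes the POSIX-style evaluation order of owning user, named users, groups, then other, with the mask applied to named-user, group and other entries; `fred-oid`, `analysts-oid`, `owner-oid` and `owner-gid` are constructed placeholders for directory object IDs.

```python
# Added example. Object IDs and ACL strings are constructed, not from the post.
PERM = {"r": 4, "w": 2, "x": 1}

def parse_acl(text):
    """'group:<oid>:r-x,...' -> list of (scope, qualifier, permission bits)."""
    entries = []
    for item in text.split(","):
        if item.startswith("default:"):      # default ACLs only affect new children
            continue
        scope, qualifier, perms = item.strip().split(":")
        entries.append((scope, qualifier, sum(PERM.get(c, 0) for c in perms.lower())))
    return entries

def check(acl, user, groups, want, owner="owner-oid", owning_group="owner-gid"):
    """True if `user`, a member of `groups`, holds the `want` bits under `acl`."""
    entries = parse_acl(acl)
    first = lambda scope: next((p for s, q, p in entries if s == scope and q == ""), 0)
    mask = next((p for s, q, p in entries if s == "mask"), 7)
    has = lambda p: (want & p) == want
    if user == owner:                        # owning user: mask is not applied
        return has(first("user"))
    for s, q, p in entries:                  # named user: the matching entry decides
        if s == "user" and q == user:
            return has(p & mask)
    for s, q, p in entries:                  # owning group and named groups
        if s == "group" and (q or owning_group) in groups and has(p & mask):
            return True
    return has(first("other") & mask)        # assumption: mask also limits "other"

def can_read(path_acls, user, groups):
    """path_acls: ACL strings from the container root down to the file.
    Reading needs X on every directory on the path and R on the file."""
    *dirs, leaf = path_acls
    return all(check(a, user, groups, 1) for a in dirs) and check(leaf, user, groups, 4)

FRED, ANALYSTS = "fred-oid", "analysts-oid"
ROOT_USER = "user::rwx,user:fred-oid:--x,group::r-x,mask::r-x,other::---"
FILE_USER = "user::rw-,user:fred-oid:r-x,group::r--,mask::r-x,other::---"
ROOT_GROUP = "user::rwx,group::r-x,group:analysts-oid:--x,mask::r-x,other::---"
FILE_GROUP = "user::rw-,group::r--,group:analysts-oid:r-x,mask::r-x,other::---"

if __name__ == "__main__":
    print("direct grant:", can_read([ROOT_USER, FILE_USER], FRED, set()))
    print("group grant, caller in group:", can_read([ROOT_GROUP, FILE_GROUP], FRED, {ANALYSTS}))
    print("group grant, ID not among caller's groups:",
          can_read([ROOT_GROUP, FILE_GROUP], FRED, set()))
```

The model only covers the ACL entries themselves: the group entry's qualifier has to equal an object ID that the caller's identity actually carries, and the mask on each item caps what a named entry can grant.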