Forum Discussion
Entra CBA Preview Bug: Issuer Scoping Policy fails group claim (AADSTS500191)
Hi — great job isolating this. Your control test (GA tenant-wide trust works immediately, Preview issuer scoping group targeting fails with AADSTS500191) strongly suggests the certificates/CRL/bindings are fine and the issue is isolated to the Preview group-targeting path in “Certificate issuer scoping policy (Preview)”.
I can’t claim I’ve reproduced this exact Preview behavior yet, but the symptoms line up with a fail-closed evaluation issue early in the CBA flow.
A GA alternative that preserves your objective (tight scope without depending on Preview group scoping):
- Keep the CA trust tenant-wide (GA), but enforce “only this cert can authenticate this user” using high-affinity/strong binding (SKI / public key hash → CertificateUserIDs), which prevents certificate reuse across accounts.
- Further scope where that cert can be used via Conditional Access Authentication Strength using advanced CBA options (restrict by certificate Issuer and/or Policy OID) per app/resource.
This keeps the architecture cloud-native and outage-safe (no Intune/MDM dependency) while avoiding Preview issuer scoping group evaluation.
References (for the GA pattern and controls):
- CBA overview: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-certificate-based-authentication
- How to configure CBA: https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-certificate-based-authentication
- CBA technical deep dive: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-certificate-based-authentication-technical-deep-dive
- CBA enhancements (mentions affinity/high-affinity bindings + advanced CA options): Enhancements to Microsoft Entra certificate-based authentication | Microsoft Community Hub
- Advanced CBA options in Conditional Access / Authentication Strength (Issuer / Policy OID): Introducing more granular certificate-based authentication configuration in Conditional Access | Microsoft Community Hub
- Community deep-dive on affinity binding (helpful practical notes): Achieve higher security with certificate bindings - How it works! | Microsoft Community Hub
If you’re able to share sanitized sign-in log details around the failure (Correlation ID + timestamp + client/platform), that can help confirm whether the Preview scoping engine is failing before user/group resolution completes. Of course, perhaps consider opening a Microsoft support case for further assistance? I'd be keen to hear their thoughts 😉
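As an added illustration of the high-affinity binding step suggested above (example code, not part of the original reply or any Microsoft documentation), the following script reads a user's certificate, derives the SKI and public-key hash values, and writes them to the user's `certificateUserIds` via the Microsoft Graph PowerShell SDK. Assumptions: the `Microsoft.Graph` module is installed and an admin has already run `Connect-MgGraph -Scopes "User.ReadWrite.All"`; the `.cer` path and the UPN are constructed placeholders; and the SHA1-PUKEY value is taken to be the SHA-1 over the raw public key bytes, which you should confirm against the CBA technical deep dive before relying on it.

```powershell
# Added example, not from the original post: bind a user account to one specific certificate
# using high-affinity certificateUserIds (SKI and SHA1-PUKEY) so the cert cannot be reused
# across accounts. Assumes Connect-MgGraph has already been run with User.ReadWrite.All.
param(
    [string]$CertPath = ".\user.cer",                # constructed placeholder path
    [string]$UserPrincipalName = "user@example.com"  # constructed placeholder UPN
)

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

# Subject Key Identifier extension (OID 2.5.29.14); .NET exposes it as a typed extension.
$skiExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }
if (-not $skiExt) { throw "Certificate has no Subject Key Identifier extension; SKI binding is not possible." }
$ski = ([System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension]$skiExt).SubjectKeyIdentifier

# SHA-1 over the raw public key bytes (assumption: this is the value the SHA1-PUKEY binding expects).
$sha1 = [System.Security.Cryptography.SHA1]::Create()
$pukeyHash = ($sha1.ComputeHash($cert.PublicKey.EncodedKeyValue.RawData) |
    ForEach-Object { $_.ToString('X2') }) -join ''

# Two high-affinity bindings for the same cert; Entra evaluates the strongest matching one.
$certificateUserIds = @(
    "X509:<SKI>$ski",
    "X509:<SHA1-PUKEY>$pukeyHash"
)

# certificateUserIds is limited to a handful of values per user, so fail early if the list is too long.
if ($certificateUserIds.Count -gt 5) { throw "Too many certificateUserIds values for a single user." }

$body = @{ authorizationInfo = @{ certificateUserIds = $certificateUserIds } }
Update-MgUser -UserId $UserPrincipalName -BodyParameter $body

# Read the value back so the change can be confirmed in the same session.
(Get-MgUser -UserId $UserPrincipalName -Property authorizationInfo).AuthorizationInfo.CertificateUserIds
```

Because the account then only matches a certificate whose SKI or public-key hash equals the stored value, a second certificate issued to a different identity under the same tenant-wide trusted CA cannot authenticate as this user, which is what lets the CA trust stay tenant-wide (GA) while the effective scope remains one cert per account.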