Forum Discussion
Entra CBA Preview Bug: Issuer Scoping Policy fails group claim (AADSTS500191)
alejlw

I did some repro testing on this and wanted to sanity‑check a few things with you.
In my tenant, Certificate issuer scoping (Preview) works as expected when group evaluation succeeds:
- User not in target group → blocked with AADSTS500189 (not authorized by CA scoping rules)
- User added to target group → sign‑in succeeds immediately
- Repeated add/remove cycles and even changing target groups behaved consistently
I was only able to briefly surface AADSTS500191 during a narrow window after removing/re‑adding a user when the CA was registered in the legacy Certificate authorities (classic) store, and deleting/recreating the scoping policy cleared it. After further testing, that state stopped reproducing reliably.
A couple of questions that might help narrow this down on your side:
- Do you ever see AADSTS500189, or does it jump straight to AADSTS500191 every time?
- Which CA store is your issuing CA registered in — Public key infrastructure (PKI-based) or Certificate authorities (classic)?
- Is CBA method availability scoped the same way as issuer scoping, or is one tenant‑wide and the other group‑scoped?
Since GA tenant‑wide trust works for you, I agree the PKI and bindings look solid — this feels like an edge case in how the Preview engine is resolving the issuer during early evaluation. Curious what you’re seeing on those points.
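The two observations the post is asking the other side to check (whether AADSTS500189 ever appears before AADSTS500191, and whether each AADSTS500191 falls in a short window after a group remove/re‑add) can be pulled out of exported logs mechanically. The script below is an added example, not code from this thread or from any Microsoft tool. It assumes sign‑in and audit records shaped like Microsoft Graph `signIn` and `directoryAudit` objects (`status.errorCode`, `createdDateTime`, `activityDisplayName`, `targetResources`); that shape, the 10‑minute window, and all sample records are assumptions constructed for the example.

```python
"""Triage helper for Entra CBA issuer-scoping failures (added example).

Input record shapes are modeled on Microsoft Graph `signIn` and
`directoryAudit` objects; that is an assumption, adjust the field names
to whatever your export actually contains.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SCOPING_BLOCK = 500189  # user not authorized by CA scoping rules (expected outcome)
SCOPING_FAULT = 500191  # the Preview-only failure under discussion
GROUP_CHANGE_ACTIVITIES = {"Add member to group", "Remove member from group"}

# Constructed sample data (not real tenant logs). errorCode 0 = successful sign-in.
SIGN_INS = [
    {"createdDateTime": "2024-05-01T10:00:00Z", "userPrincipalName": "alice@contoso.example",
     "status": {"errorCode": SCOPING_BLOCK}},
    {"createdDateTime": "2024-05-01T10:05:00Z", "userPrincipalName": "alice@contoso.example",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T11:03:00Z", "userPrincipalName": "bob@contoso.example",
     "status": {"errorCode": SCOPING_FAULT}},
    {"createdDateTime": "2024-05-01T12:00:00Z", "userPrincipalName": "carol@contoso.example",
     "status": {"errorCode": SCOPING_FAULT}},
]
AUDITS = [
    {"activityDateTime": "2024-05-01T10:03:00Z", "activityDisplayName": "Add member to group",
     "targetResources": [{"type": "User", "userPrincipalName": "alice@contoso.example"}]},
    {"activityDateTime": "2024-05-01T10:58:00Z", "activityDisplayName": "Remove member from group",
     "targetResources": [{"type": "User", "userPrincipalName": "bob@contoso.example"}]},
    {"activityDateTime": "2024-05-01T11:01:00Z", "activityDisplayName": "Add member to group",
     "targetResources": [{"type": "User", "userPrincipalName": "bob@contoso.example"}]},
]


def _ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def error_sequence(sign_ins):
    """Per user, the chronological list of sign-in error codes (0 = success)."""
    by_user = defaultdict(list)
    for rec in sorted(sign_ins, key=lambda r: r["createdDateTime"]):
        by_user[rec["userPrincipalName"]].append(rec["status"]["errorCode"])
    return dict(by_user)


def jumps_straight_to_fault(sign_ins):
    """Users who hit AADSTS500191 without ever having hit AADSTS500189 before it."""
    straight = []
    for upn, seq in error_sequence(sign_ins).items():
        if SCOPING_FAULT in seq and SCOPING_BLOCK not in seq[: seq.index(SCOPING_FAULT)]:
            straight.append(upn)
    return sorted(straight)


def faults_near_group_change(sign_ins, audits, window=timedelta(minutes=10)):
    """Pair each AADSTS500191 with the latest group add/remove on that user inside `window`.

    Returns (upn, sign-in time, activity or None, seconds since that activity or None),
    ordered by sign-in time.
    """
    changes = defaultdict(list)
    for a in audits:
        if a["activityDisplayName"] not in GROUP_CHANGE_ACTIVITIES:
            continue
        for target in a["targetResources"]:
            if target.get("type") == "User":
                changes[target["userPrincipalName"]].append(
                    (_ts(a["activityDateTime"]), a["activityDisplayName"]))
    results = []
    for rec in sorted(sign_ins, key=lambda r: r["createdDateTime"]):
        if rec["status"]["errorCode"] != SCOPING_FAULT:
            continue
        when = _ts(rec["createdDateTime"])
        prior = [c for c in changes.get(rec["userPrincipalName"], [])
                 if timedelta(0) <= when - c[0] <= window]
        if prior:
            change_time, activity = max(prior)  # most recent qualifying change
            results.append((rec["userPrincipalName"], rec["createdDateTime"],
                            activity, (when - change_time).total_seconds()))
        else:
            results.append((rec["userPrincipalName"], rec["createdDateTime"], None, None))
    return results


if __name__ == "__main__":
    print("sequences:", error_sequence(SIGN_INS))
    print("straight to 500191:", jumps_straight_to_fault(SIGN_INS))
    for row in faults_near_group_change(SIGN_INS, AUDITS):
        print("500191:", row)
```

In the constructed data, alice follows the expected path (500189, then success after the group add), while bob's 500191 lands two minutes after a remove/re‑add and carol's has no group change nearby; a run over real exports that shows only the bob pattern would support the narrow‑window explanation, while carol‑style rows would point elsewhere.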