I manage a self-contained Forest/Domain in Geo1 which has a two-way AD trust with our parent company in Geo2. The Geo1 domain sits in the Geo2-owned and -maintained Azure/M365 tenant. SSPR is selectively enabled in Azure by way of a Domain Local AD group into which all required AD groups from other business units within the organisation are nested, and this works fine for users in Geo1 (all users in Geo1 are in domains which are in the same AD forest as the parent organisation).
A Domain Global AD group from Geo2 has also been nested in Geo1's Domain Local Group so, in theory, SSPR should be available to Geo2 users but it isn't working (we see a message on the SSPR page stating that SSPR 'isn't available for this user').
The Geo2 forest syncs to the Geo1-managed Azure AD via AAD connectors located in Geo1's data centres. I can see our users in the Azure Portal and have access to all permitted M365 apps such as Exchange Online, SharePoint et al. All users have either E3 or E5 licenses.
Can anyone suggest a reason why SSPR isn't working for the Geo1 users or maybe point me to any documentation which might deal with this particular scenario?