We currently have an Active Directory (AD) group synchronized with Azure Active Directory (AAD), encompassing all the machines within our system. Our operations team is assigned a custom scope tag for role-based access control (RBAC) purposes. However, over the past month, we've encountered an issue where newly imaged machines are being included in both the AD and AAD groups, but they are not inheriting our designated custom scope tag. Instead, these machines are automatically associated with the default scope tag.
The criterion for assigning the custom scope tag to a machine is its membership in the AAD group. While visually verifying the machine's membership, I can confirm its presence in both the AD and AAD groups. This situation has raised the question of whether this discrepancy is the result of a bug within the system.