Mail enabled security groups are syncing in Azure AD but we have few groups that doesn't sync an updates like group membership addition and removal in Azure AD.  I checked all the attributes they are all intact. We don't have group filtering.  Group member addition seems related to nested group because if add a user account it will sync. Nested group is working previously when we have AD Connect 1.5 but we upgraded to 2.0.28. Other notable change is that we use custom AD Connector account and not the default MSO_XXX account.