I'm trying to scope and limit policies to group memberships derived from AzureAD (via Cloud Identity Provider). I can query for directory users and get "true" for membership, and I can search for the group and add it to the Limitations section of the policy. But when I try to test the policy on a Mac that was enrolled by a user in that group, the policy isn't available; the Mac doesn't even come up in the policy logs. If I try this with a regular LDAP connection, the logic works. Is this a bug of some kind, or is there some limitation in place? Or perhaps I missed a step in linking the local/enrollment user and the AzureAD groups that the user is in?
The LDAP limitations in scoping require the local macOS username to match a directory username. My guess is to check the attribute mapping for the username field in the LDAP Server setting vs. the Cloud Identity Provider setting in Jamf Pro. Did you also try whether a login to Self Service made the policy show up / the Mac fall into the scope?