When group mapping is not working on a SAML SSO connection in Azure and users are not getting the roles that were mapped, there are two likely reasons:
1. Existing users:
Roles are not changed for existing users in Frontegg.
A user who existed before the mapping was set keeps the same roles they had before.
2. Unexpected or missing groups attribute:
Frontegg expects the attribute name to be "groups".
Azure will sometimes set the attribute name like so:
<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
If that is the case, please change it to:
<Attribute Name="groups">
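To see which attribute name an assertion actually carries, you can inspect a decoded SAML assertion from the failing login. The script below is an added example, not Frontegg or Azure code; the sample assertion, the group ID in it, and the function name `check_groups_attribute` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_NAME = "groups"  # the name Frontegg expects
AZURE_DEFAULT_NAME = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample assertion fragment (not captured from a real tenant).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>00000000-0000-0000-0000-000000000001</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def check_groups_attribute(assertion_xml):
    """Return (status, group_values) for the groups claim in a SAML assertion.

    Diagnostic only: this reads attribute names and values and does not
    verify the assertion signature.
    """
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        found[attr.get("Name")] = values
    if EXPECTED_NAME in found:
        return ("ok", found[EXPECTED_NAME])
    if AZURE_DEFAULT_NAME in found:
        # Groups are being sent, but under the Azure claim URI.
        return ("rename-needed", found[AZURE_DEFAULT_NAME])
    # No groups claim at all: the claim still has to be created.
    return ("missing", [])


if __name__ == "__main__":
    status, groups = check_groups_attribute(SAMPLE_ASSERTION)
    print(status, groups)
```

A `rename-needed` result means the claim exists and only its name has to change to `groups`; `missing` means the groups claim is not being sent at all.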
Here is how you create the claim if you do not have it already: