608 Views · 0 Helpful · 2 Replies

User Azure Group Cisco ISE

jsalmond
Level 1

Afternoon, 

Hoping someone can help, 

I am setting up a PoC for Intune and trying to integrate our Cisco ISE to perform EAP-TLS user Authentication, which is working. I then followed the article here, https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/218197-configure-ise-3-2-eap-tls-with-azure-act.html, to configure Authorization based on Azure group membership, which we are having issues with.

The REST ROPC is configured, the connection test is successful and Azure groups are available. However, from the live logs, external groups are not being detected.

I can see that they are being queried: [screenshot: jsalmond_0-1696428847405.png]

And the current username is detected from the certificate: [screenshot: jsalmond_1-1696428986251.png]. The CN matches the user's User principal name. We are using a vanity domain, not the onmicrosoft.com one, but this matches the UPN and also the username suffix configured under the REST (ROPC).


Regards


2 Replies

Greg Gibbs
Cisco Employee

The latest patch for 3.2 is patch 3, so it's not possible to be running 3.2 patch 7.

I tested a similar scenario (using 3.2 p2) in which the User's UPN is my on-prem domain instead of my .onmicrosoft.com domain and it worked as expected for matching the User's group membership queried via REST ID in the AuthZ Policy.

To be clear, this flow in ISE 3.2 uses REST ID, not ROPC. As such, the 'Username Suffix' configured in the REST ID Store is not relevant to this flow. In my configuration, that suffix uses my .onmicrosoft.com domain suffix but the flow still worked with my on-prem domain suffix.

If you are not seeing any attributes for 'ExternalGroups' in the Live Log details, you may need to verify the Microsoft Graph API permissions are configured correctly. You should see the Entra Group ID(s) in this field as per this example from my testing.

[screenshot: Screenshot 2023-10-06 at 3.38.41 pm.png]
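One way to check the Microsoft Graph side independently of ISE, as an added example that is not part of this thread, of Cisco's documentation or of ISE itself: the script below obtains its own Graph token, inspects the application permissions (the `roles` claim) it carries, and performs the same kind of user-to-groups lookup that the REST ID store depends on, so a missing permission or an empty group list shows up before looking at ISE Live Logs. It assumes (these are assumptions, not facts from the thread) that the app registration uses the client-credentials flow with `User.Read.All` and `Group.Read.All` application permissions, and that the user is resolved by UPN via `GET /users/{upn}/memberOf`. Tenant, client and secret come from environment variables; the sample token and `memberOf` response embedded at the bottom are constructed so the parsing functions can be exercised offline.

```python
"""Graph-side diagnostic for an ISE REST ID (Entra ID) group lookup.

Added example, not from the thread or from Cisco. Assumptions:
  * app registration uses the client-credentials flow,
  * it holds the Graph application permissions User.Read.All and
    Group.Read.All (adjust REQUIRED_ROLES if you granted different ones),
  * the user is looked up by UPN with GET /users/{upn}/memberOf.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
REQUIRED_ROLES = ("User.Read.All", "Group.Read.All")  # assumed permission set


def jwt_app_roles(token: str) -> list:
    """Application permissions ('roles' claim) carried by an access token.

    No signature verification: we only inspect a token we just obtained
    ourselves, to see which permissions the tenant actually granted."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return sorted(payload.get("roles", []))


def missing_roles(token: str, required=REQUIRED_ROLES) -> list:
    """Required permissions absent from the token (empty list means OK)."""
    have = set(jwt_app_roles(token))
    return [r for r in required if r not in have]


def group_ids_from_memberof(response: dict) -> list:
    """Group object IDs from a /memberOf response.

    memberOf also returns directory roles and administrative units, so the
    list is filtered to group objects only, which is what ISE's
    ExternalGroups attribute would carry."""
    return [
        obj["id"]
        for obj in response.get("value", [])
        if obj.get("@odata.type") == "#microsoft.graph.group"
    ]


def get_token(tenant: str, client_id: str, client_secret: str) -> str:
    """Client-credentials token for Graph (/.default scope)."""
    data = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as r:
        return json.load(r)["access_token"]


def lookup_user_groups(token: str, upn: str) -> list:
    """Resolve a user by UPN (vanity domain is fine) and return group IDs."""
    req = urllib.request.Request(
        f"{GRAPH}/users/{urllib.parse.quote(upn)}/memberOf",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req) as r:
        return group_ids_from_memberof(json.load(r))


# --- constructed sample data for offline use (not real tokens or tenants) ---
def _fake_token(roles: list) -> str:
    def seg(d: dict) -> str:
        raw = base64.urlsafe_b64encode(json.dumps(d).encode()).decode()
        return raw.rstrip("=")
    return ".".join([seg({"alg": "none"}), seg({"roles": roles}), "sig"])


SAMPLE_TOKEN = _fake_token(["User.Read.All"])  # deliberately lacks Group.Read.All
SAMPLE_MEMBEROF = {"value": [
    {"@odata.type": "#microsoft.graph.group",
     "id": "11111111-2222-3333-4444-555555555555"},
    {"@odata.type": "#microsoft.graph.directoryRole",
     "id": "99999999-0000-0000-0000-000000000000"},
]}

if __name__ == "__main__":
    tenant, cid, secret = (os.environ.get(k) for k in
                           ("AZ_TENANT", "AZ_CLIENT_ID", "AZ_CLIENT_SECRET"))
    upn = os.environ.get("TEST_UPN", "user@example.com")  # placeholder UPN
    if tenant and cid and secret:
        tok = get_token(tenant, cid, secret)
        print("missing permissions:", missing_roles(tok) or "none")
        print("group IDs for", upn, ":", lookup_user_groups(tok, upn))
    else:
        print("offline sample - missing:", missing_roles(SAMPLE_TOKEN))
        print("offline sample - groups:", group_ids_from_memberof(SAMPLE_MEMBEROF))
```

If `missing_roles` reports anything, the app registration (or its admin consent) is the problem rather than ISE; if the permissions are present but the group list is empty for the UPN taken from the certificate CN, the user or its memberships are what to look at next. Note that the token's `roles` claim only reflects application permissions that have been admin-consented, which is exactly the state ISE's REST ID query depends on.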

Hi @Greg Gibbs, thank you for your reply. Apologies, I have just double checked and our ISE is running 3.1 patch 7, not 3.2. I have a maintenance window next week in which I will upgrade to version 3.2 patch 2 and see if we can get this to work.