As you may already know you can use security groups to automatically assign licenses to users member of the groups.
Keeping in mind this feature is still in preview (so basically beta), there could be some glitch and here is one…
So you setup a universal security group synced to Azure AD and then use Azure AD Group Based Licensing to automatically and dynamically grant the license to the group members.
So far, so good.
The glitch comes when you decide you do not want to use it anymore (the service or the feature) and you delete (or un sync) the group on your AD.
After the next directory synchronization cycle, you will immediately receive a notification error like this one – the reason is clearly not helpful
“The cause of the error is not clear. This operation will be retried during the next synchronization. If the issue persists, contact Technical Support.”
And then when you look on the Azure AD Console you got this error during the export to Azure AD – WorkflowException which is also not helpful to troubleshoot the issue
“The cause of the error is not clear. This operation will be retried during the next synchronization. If the issue persists, contact Technical Support.
Tracking Id: e44a2bae-2f82-473e-acc7-fe9bd1941faf
ExtraErrorDetails:
[{"Key":"ObjectId","Value":["23b117f7-4fb5-49b5-ad3b-610fa4c3ea8a"]}]”
The thing is it was working perfectly fine so far, especially for this group, and there was no error previously when you deleted a group.
So after some digging it appears the security group is not removed automatically (as for any other workloads, including on-premises) from the Group Based Licensing.
The solution is then to identify the product which was configured to use the group for the licensing and remove it from there.