I've got an environment looking to start exclusively using Entra groups for management. They will continue to keep a hybrid joined VDA fleet. It appears it's not supported to use Entra AD groups to limit visibility of some apps, but I can use Entra groups to assign delivery groups. Does anyone know if there's a way to get around this? Otherwise we will have to do some rebuilding of all delivery group structure to try and limit visibility as needed. Any concerns assigning to Entra groups at the delivery group level rather than traditional AD groups given the hybrid environment?
Julian Jakob
03/25/2025, 5:53 PM
Don’t ask me why, assigning an Entra group to a published app isn’t working, as you wrote. But creating app groups, assigning apps to that app group and assigning the Entra group to the app group is working fine. That’s my workaround for that at customers.
Oz Zy
03/25/2025, 11:41 PM
@Terry R are the Entra ID groups nested at all? The one goofy thing with that I have run into a few times is with the nested group scenario for published apps, as then a flag had to be enabled on the back end for your tenant. I can't remember all the details but it involved a DSAuthAzureAdNestedGroups flag. But again, I'm pretty sure it was nested groups.