Netskope IDP - APP enterprise Azure AD - Users/Groups

 

Hello community, I hope everything is going great.

 

I would like to share the following, to see if this has also happened to anyone out there.

As always first details of the environment:

Tenant with IDP Azure AD configured via enterprise APP for SAML.
At the level of Assignments / Assign users and groups a group was assigned. Azure AD license level is available.

My question is the following:

It is correctly integrated at the Forward Proxy IDP Azure AD level and operates correctly, but at the time of testing:


The user XXXXXTes01@test.com.mx, when validating his credentials, gets the Microsoft error that he does not have access.
The manual assignment was made to the user in particular and it worked, but this is not the expected sharing, since the user is part of the group:

NestkopeTest group: XXXXXTes01@test.com.mx, and the group is assigned at the Enterprise APP level, so it should not have asked me for that user. The same group is synchronized by SCIM via the other Enterprise APP and operates correctly.

 

Could someone please give me some tips? If the user is within the group, the expected behavior is that the IDP validates / reads the group, given that this user belongs to the group assigned in the APP (NestkopeTest: XXXXXTes01@test.com.mx), and works. But it did not, and I had to apply a workaround, assigning / setting the user directly, and then it works smoothly: enrolling via IDP and testing the Tenant's own IDP.

 

Please can you give me some tips: whether there are limitations, whether this process should be done by hand, what you recommend validating, adjusting, etc.

 

Thank you very much for your time, collaboration, advice, tips, good vibes.

 

Best regards 
