Non-SSO users in BMS who also have Azure AD guest accounts keep losing their security roles. Why?
This happens because users belong to multiple groups, and they have multiple mappings on BMS side. They should check the Mapping Priority Order to get the correct mapping applied. The multiple groups mean that only one security role will be applied. The remaining roles will be dropped.
When employees are not mapped to any groups, and the sync is turned on, the user's existing security roles is dropped, leaving the user with no security group.
For more information, see Mapping Rule section of the related topic below.