When we started syncing our on-prem AD to our Azure AD instance, we noticed that in some circumstances the groups in Azure AD do not contain all the members that the on-prem group has.
Having gone through the recommendations of IdFix, we couldn't find the reason for this mismatch. All the users were synced correctly.
We found that if the Primary Group of the user in the on-prem AD is not "Domain Users", syncing of these users' group memberships is unpredictable.
By default, the primary group of Active Directory users is Domain Users. There is no need to change the primary group unless you have Macintosh clients or POSIX-compliant applications.
If you change the default Primary Group to a new one, for example with two users, aadu01 and aadu02, both belonging to the group aadg: if you set the group aadg as the Primary Group of user aadu02 (see screenshot 1), then the member attribute of group aadg will exclude the user aadu02, and only the user aadu01 will be included in the member attribute (see screenshot 2).
During Azure AD Connect synchronization, the member attribute of the group is synced to Azure AD, and based on that member attribute, only the user aadu01 will be associated with the group aadg.
However, the user aadu02 can still be synced to Azure AD if the user is included in the synchronization scope (for example, via Users or Domain Users), but it will not show up in the group aadg.
To resolve this issue, it's recommended to change the primary group to Domain Users.
Screenshot 1
Screenshot 2
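The following PowerShell is an added example, not part of the original post. It shows how to find on-prem users whose primary group is not Domain Users (RID 513), which is exactly the case where the group's member attribute omits them and Azure AD Connect therefore never sees the membership, and how to move those users back to Domain Users. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read and modify user objects; the group and user names are whatever exists in your domain.

```powershell
# Added example (not the original author's code): audit and fix users whose
# primary group is not Domain Users. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$DomainUsersRid = 513
$domainSid      = (Get-ADDomain).DomainSID.Value
$domainUsers    = Get-ADGroup -Identity "$domainSid-$DomainUsersRid"

# 1. Detection: every user whose primaryGroupID is not 513.
#    Primary-group membership is stored only in the user's primaryGroupID,
#    not in the group's member attribute, so the report shows the membership
#    that the group's member attribute (and thus Azure AD Connect) does not carry.
$affected = Get-ADUser -Filter "primaryGroupID -ne $DomainUsersRid" `
                       -Properties primaryGroupID, memberOf

$report = foreach ($u in $affected) {
    $pg = Get-ADGroup -Identity "$domainSid-$($u.primaryGroupID)"
    [pscustomobject]@{
        User                = $u.SamAccountName
        PrimaryGroup        = $pg.Name
        # Expected to be $false: the primary group never appears in memberOf.
        ListedInMemberAttr  = ($u.memberOf -contains $pg.DistinguishedName)
    }
}
$report | Format-Table -AutoSize

# 2. Remediation (run once with -WhatIf on the Set-ADUser line first).
#    A user must already be a member of a group before it can become the
#    primary group, so ensure Domain Users membership, then switch primaryGroupID
#    back to 513. After the switch, the former primary group should list the
#    user in its member attribute; the check below confirms that before you
#    trigger the next Azure AD Connect delta sync.
foreach ($u in $affected) {
    $formerPg = Get-ADGroup -Identity "$domainSid-$($u.primaryGroupID)" -Properties member

    if ($u.memberOf -notcontains $domainUsers.DistinguishedName) {
        Add-ADGroupMember -Identity $domainUsers -Members $u
    }
    Set-ADUser -Identity $u -Replace @{ primaryGroupID = $DomainUsersRid }

    $formerPg = Get-ADGroup -Identity $formerPg -Properties member
    if ($formerPg.member -notcontains $u.DistinguishedName) {
        Write-Warning "$($u.SamAccountName) is not in the member attribute of $($formerPg.Name); add it explicitly with Add-ADGroupMember."
    }
}
```

The first loop is safe to run on its own as a read-only report; scheduling it is a cheap way to catch the mismatch before the next sync cycle rather than after users report missing group access in Azure AD.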