We use two users, rapstaff and rapagent, from a given AAD tenant and a common namespace within that tenant: rapmlsqa.com.
When users sign in via the federated management process, their AAD record is updated – including the leaf groups to which they belong. For example, billtypeA.
We then define a super group, for example billtypeB. B includes whatever A includes, plus some nominated users.
In our case, we have rapstaff in billtypeA, and define B to include A and rapagent. Thus B is, in effect, rapstaff and rapagent. But note that the inclusion relationship is not symmetric.
When we run the sample code at https://github.com/AzureADSamples/WebApp-GroupClaims-DotNet
we get to see such things as what happens when rapagent shares with group A:
If we log on to rapagent, we see the sharing just accomplished:
Note how the particular app design presents shared objects that one does not own in a form that does not allow one to share them further.
If we use a user from a different tenant (email@example.com)
If we add firstname.lastname@example.org to the billtypeB group,
we suddenly see that the task shared with metrolist rapstaff includes:
(after a sign-out/sign-in process that refreshes the group claims in the user's session)
When we look at a JWT from the ID token, we see that the group claims are present – as OIDs.
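
The group check that those OIDs make possible, as an added example that is not part of the original post or of the Azure AD sample code. The group object IDs, the upn values and both tokens are constructed for illustration, the function names are hypothetical, and the tokens assume nested membership is listed in the claim as the scenario above implies. The "_claim_names" branch covers AAD's group overage behaviour, which the post does not show.

```python
import base64
import json
import uuid

# Constructed object IDs standing in for the two groups on this page.
BILLTYPE_A = "aaaaaaaa-0000-4000-8000-000000000001"
BILLTYPE_B = "bbbbbbbb-0000-4000-8000-000000000002"

def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT", "alg": "RS256"}), enc(claims), "c2ln"])

def jwt_claims(token: str) -> dict:
    """Decode the payload segment for inspection only (no signature check).
    Authorization must use claims from a token the middleware has validated."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def group_oids(claims: dict) -> set:
    """Group object IDs from the 'groups' claim, normalized as GUID strings."""
    if "groups" in claims.get("_claim_names", {}):
        # Overage: AAD replaced the list with a pointer to the directory API.
        raise LookupError("groups claim omitted; query the directory instead")
    return {str(uuid.UUID(g)) for g in claims.get("groups", [])}

def can_see(token: str, shared_with_oid: str) -> bool:
    """True if an object shared with this group OID is visible to the token's user."""
    return str(uuid.UUID(shared_with_oid)) in group_oids(jwt_claims(token))

# Constructed tokens: rapstaff is in A (and so in B); rapagent is only in B.
RAPSTAFF = make_sample_token(
    {"upn": "rapstaff@rapmlsqa.com", "groups": [BILLTYPE_A, BILLTYPE_B]})
RAPAGENT = make_sample_token(
    {"upn": "rapagent@rapmlsqa.com", "groups": [BILLTYPE_B.upper()]})

if __name__ == "__main__":
    for name, tok in (("rapstaff", RAPSTAFF), ("rapagent", RAPAGENT)):
        print(name, sorted(group_oids(jwt_claims(tok))))
```

Because the OIDs are frozen into the token at sign-in, a change to billtypeB membership only reaches this check after the sign-out/sign-in described above.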