Hi.
expr { [ mcget { session.saml.attr.groups } ] contains "Administrator" } is a possible solution we've considered. This would however imply that we create one step in the policy editor for each group/ACL combination, and there could be quite a few along the way. Thus, we would rather use an iRule (if possible) to solve this dynamically.
The AAD group IDs returned seem correct. We've bumped up the log level for this specific access policy to debug, and can also verify these contents from active APM sessions in the GUI, or using the CLI command 'sessiondump --allkeys'.
ACLs are static, yes. These are populated automatically through the API when needed - such as when a new Azure subscription with a corresponding IP pool is created.
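As an added example (not code from the original thread, from the poster, or from F5), the following iRule shows one way to do the group-to-ACL mapping dynamically instead of one policy-editor branch per group/ACL pair. It assumes an iRule Event agent in the access policy with agent ID "acl_map", that session.saml.attr.groups holds the AAD group object IDs separated by spaces (check the real delimiter with sessiondump --allkeys), and that the group IDs and ACL names in the table are placeholders to be replaced with the ACLs created through the API.

```tcl
# Added example iRule, not from the original thread or from F5.
# Assumptions:
# - An iRule Event agent in the access policy raises agent ID "acl_map".
# - session.saml.attr.groups contains AAD group object IDs separated by
#   spaces; adjust the split delimiter if your IdP stores them differently.
# - Group IDs and ACL names below are placeholders (constructed values).
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "acl_map" } { return }

    # Flat list of pairs: AAD group object ID -> APM ACL name (placeholders).
    set group_to_acl [list \
        "00000000-0000-0000-0000-000000000001" "/Common/acl_subscription_a" \
        "00000000-0000-0000-0000-000000000002" "/Common/acl_subscription_b" \
    ]

    set groups [ACCESS::session data get "session.saml.attr.groups"]
    set acls [list]

    # Exact-match each group ID against the table; a substring test such as
    # "contains" would also match IDs or names that merely embed the value.
    foreach group [split $groups " "] {
        if { $group eq "" } { continue }
        foreach {gid acl} $group_to_acl {
            if { $group eq $gid && [lsearch -exact $acls $acl] < 0 } {
                lappend acls $acl
            }
        }
    }

    if { [llength $acls] > 0 } {
        # APM reads the ACLs to apply from session.assigned.acls as a
        # space-separated list of ACL names.
        ACCESS::session data set "session.assigned.acls" [join $acls " "]
        log local0. "[ACCESS::session sid]: assigned ACLs: [join $acls " "]"
    } else {
        # Deny by default: no mapping matched, so no ACL is assigned. Let the
        # policy branch after the agent end the session on Deny in this case.
        ACCESS::session data set "session.assigned.acls" ""
        log local0. "[ACCESS::session sid]: no ACL mapping for groups: $groups"
    }
}
```

Because the mapping table is static in the iRule, it still has to be updated whenever a new subscription ACL is created; an alternative that keeps the iRule unchanged is to derive the ACL name from the group ID by a fixed naming convention (for example "/Common/acl_<group-id>") and only assign it if the ACL exists, which shifts the maintenance to the API step that already creates the ACL. Verifying the assigned ACLs afterwards with sessiondump --allkeys on the session, as described above, confirms that session.assigned.acls was populated as expected.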