Azure AD sync fails to add users to the group via auto-provisioning if the group has security_admin roles granted. 

• Instance on London or Later releases.
• Configuration for auto user provisioning with Azure Active Directory done. 
• The group in which the user has to be provisioned has a Security_admin role assigned. 

There are some design changes in the sys_user_role ACL with the READ operation since the London release. Per the change we have locked the contains role checks in the ACL for READ operations.

Remove the security_admin role from the group role for the user to sync/provisioned to the group.

The security_admin role is an elevated privilege role provided with High-Security Settings that lets users create and change access controls and change High-Security Settings.

In the base system, only the default System Administrator (admin) user has the security_admin role. Since it requires elevating privileges, the admin user does not have this role at login. After elevating privileges, the admin user has the security_admin role for the duration of the user session.

Reference: https://docs.servicenow.com/bundle/london-platform-administration/page/administer/security/concept/security-admin-role.html