We have discovered that when a D365 role is applied to an AAD security group containing guest user accounts, it doesn’t apply the associated permissions. It works fine with member user accounts.

However, when applying the D365 role directly to the guest account, it does apply correctly.

Microsoft have confirmed that applying roles to a group of guest users isn't supported currently, and we must apply the roles to the users individually.

It would be great if it could be supported in the future.