nFactor Authentication - Group Extraction Problem Local and LDAP

I have an nFactor authentication flow configured with expressions to check for group membership to decide on the Next Factor. Expression: `HTTP.REQ.USER.IS_MEMBER_OF("Group1")`. The nFactor auth flows now work as expected except for Active Directory group memberships. I have found that I need to create AAA Users and AAA Groups locally on the NetScaler. The users are set to external so I do authentication with LDAP. However I was expecting the LDAP group extraction to occur, then based on the LDAP (Active Directory) group membership at that time the respective Policy Label would take effect as the Next Factor. However I have to make group changes with the local NetScaler AAA Groups; any changes in the Active Directory groups seem to be ignored.

I'm sure the group extractions are occurring as aaad.debug shows the users and groups when logging in, but I think the "source" of authentication seems to be set locally on the NetScaler somewhere.

At the moment I can add users and groups to AAA Users/Groups and manage group membership on NetScaler, but I was looking to manage the group membership in Active Directory. Is this possible?

I can reproduce my users and groups in AAA Users/Groups, but that means we have to make the same changes in AD & NetScaler to make it work.

After some investigation I thought the issue could be the Citrix Gateway\Global Settings\Change AAA Authentication Settings\Default Authentication Type. This was set to LOCAL; I have now changed it to LDAP (and set the LDAP settings in "Change Authentication LDAP Settings"), but the GW VS still needs the local AAA Users/Groups with membership to function.

Apologies if this is a basic question, but I am fairly new with NetScaler and just trying to understand how things fit together.


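For reference, the following is an added NetScaler CLI example (editor's illustration, not a reply from the thread or Citrix's own configuration) of the kind of nFactor flow the post describes: an LDAP first factor whose action has group extraction enabled, followed by a selection factor whose policies branch on extracted group membership. Every name (`ldap_act`, `auth_vs`, `lbl_*`, `Group1`, the server address, base DN and bind DN) is a constructed placeholder, and the example assumes the authentication vserver bound here is the one the Gateway vserver actually uses.

```nscli
# LDAP action for the first factor.  -groupAttrName / -subAttributeName are the
# group-extraction settings: memberOf DNs are read from AD and the cn= component
# becomes the group name that IS_MEMBER_OF() is evaluated against.
# (constructed placeholders: ldap_act, 10.0.0.10, base DN, bind DN)
add authentication ldapAction ldap_act -serverIP 10.0.0.10 -serverPort 636 -secType SSL \
    -ldapBase "dc=example,dc=local" \
    -ldapBindDn "cn=svc_ns,ou=service,dc=example,dc=local" -ldapBindDnPassword "<bind-password>" \
    -ldapLoginName sAMAccountName \
    -groupAttrName memberOf -subAttributeName cn \
    -ssoNameAttribute userPrincipalName

# Advanced authentication policy that runs the LDAP action for every login.
add authentication policy ldap_pol -rule true -action ldap_act

# Selection factor: no login schema is shown (LSCHEMA_INT), it only evaluates
# group membership from the previous factor and chooses the next policy label.
add authentication policylabel lbl_select -loginSchema LSCHEMA_INT
add authentication policy sel_group1 -rule "HTTP.REQ.USER.IS_MEMBER_OF(\"Group1\")" -action NO_AUTHN
add authentication policy sel_group2 -rule "HTTP.REQ.USER.IS_MEMBER_OF(\"Group2\")" -action NO_AUTHN

# Per-group next factors (placeholders; bind whatever second factor each group needs).
add authentication policylabel lbl_group1 -loginSchema LSCHEMA_INT
add authentication policylabel lbl_group2 -loginSchema LSCHEMA_INT

# Wire the selection factor: first matching group decides the next factor.
bind authentication policylabel lbl_select -policyName sel_group1 -priority 100 \
    -gotoPriorityExpression NEXT -nextFactor lbl_group1
bind authentication policylabel lbl_select -policyName sel_group2 -priority 110 \
    -gotoPriorityExpression NEXT -nextFactor lbl_group2

# Bind the LDAP factor to the authentication vserver and hand off to lbl_select.
bind authentication vserver auth_vs -policy ldap_pol -priority 100 \
    -gotoPriorityExpression NEXT -nextFactor lbl_select
```

Two things worth checking against this layout when membership appears to come from the local AAA groups rather than AD: that the LDAP action bound to the authentication vserver (not only the one in the global "Change Authentication LDAP Settings") carries `-groupAttrName` and `-subAttributeName`, and that the group names extracted in `aaad.debug` match the literal passed to `IS_MEMBER_OF()` exactly, since the comparison is against the extracted `cn` value.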