At the moment, the Directory Synchronization uses Delta Queries against Azure AD, which can cause issues when using the includeGroup selector for users. I would like to change this sync mechanism to always check all users.
The use case is that only users added into a specific group should be provisioned / deprovisioned to and from Bitwarden. This means that if the user is removed from the includeGroup, they should be removed from Bitwarden, but their account still remains in Azure AD for archive purposes etc.
Would this change be accepted as a pull request? Eventually, when includeGroup is used, we would do the deltaQuery on the group object rather than all users (Get incremental changes for groups - Microsoft Graph | Microsoft Learn).
Just an update: Started working on it - https://github.com/hajekj/directory-connector/, will submit pull request soon.
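The group-level delta proposed above, sketched as an added example (not code from Directory Connector or from the linked fork): it folds the `members@delta` entries of a Microsoft Graph group delta response into provision and deprovision lists, so a user removed from the includeGroup is picked up even though the user object in Azure AD is unchanged. The function name, type names and sample ids are assumptions made for illustration.

```typescript
// Added example: type names, function name and sample ids are constructed.
type Removed = { reason: string };
interface DeltaMember { "@odata.type"?: string; id: string; "@removed"?: Removed }
interface DeltaGroup { id: string; "@removed"?: Removed; "members@delta"?: DeltaMember[] }
interface MembershipChanges {
  provision: string[];   // users now in the includeGroup
  deprovision: string[]; // users removed from the group (may still exist in Azure AD)
  groupDeleted: boolean; // the includeGroup itself was deleted
}

// Fold the `value` arrays of all group-delta pages into one change set.
// Assumption: when a member appears more than once, the latest entry wins.
function membershipChanges(pages: DeltaGroup[][], includeGroupId: string): MembershipChanges {
  const isMember: Record<string, boolean> = {};
  let groupDeleted = false;
  for (const page of pages) {
    for (const group of page) {
      if (group.id !== includeGroupId) continue;
      if (group["@removed"]) { groupDeleted = true; continue; }
      for (const m of group["members@delta"] ?? []) {
        // Nested groups, devices and other member types are not Bitwarden users.
        if (m["@odata.type"] !== "#microsoft.graph.user") continue;
        isMember[m.id] = m["@removed"] === undefined;
      }
    }
  }
  const ids = Object.keys(isMember).sort();
  return {
    provision: ids.filter((id) => isMember[id]),
    deprovision: ids.filter((id) => !isMember[id]),
    groupDeleted,
  };
}

// Constructed sample: two delta pages; "group-bitwarden" is a placeholder id.
const USER = "#microsoft.graph.user";
const samplePages: DeltaGroup[][] = [
  [{ id: "group-bitwarden", "members@delta": [
    { "@odata.type": USER, id: "user-alice" },
    { "@odata.type": USER, id: "user-bob", "@removed": { reason: "deleted" } },
    { "@odata.type": "#microsoft.graph.group", id: "group-nested" },
  ] }],
  [{ id: "group-bitwarden", "members@delta": [
    { "@odata.type": USER, id: "user-alice", "@removed": { reason: "deleted" } },
    { "@odata.type": USER, id: "user-dave" },
  ] }, { id: "group-other", "members@delta": [{ "@odata.type": USER, id: "user-carol" }] }],
];
const sampleResult = membershipChanges(samplePages, "group-bitwarden");
```

When `groupDeleted` is true the caller has to decide what happens to every previously synced member, since no per-member removal entries are implied by this sketch.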