Our MDM manager came to me with an issue with Azure Endpoint Manager using Dynamic Membership Rules. The groups were not updating members automatically, and as a result devices didn't receive the correct policies. The membership rule was simple.
(device.enrollmentProfileName -equals "LKiosk")
If the device was using that enrollment profile, it should have been a member. Unfortunately, the equals operator was not operating as expected. As a result, we were getting no members in the group. The solution was to change the operator to Contains.
(device.enrollmentProfileName -contains "LKiosk")
Once we made the change, the membership was re-evaluated and the devices were added.
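Because -contains is a substring match, the changed rule also admits any device whose enrollment profile name merely includes LKiosk, and those devices then receive the group's policies. The following is an added example, not part of the original post: it compares the two match modes over constructed sample records so that devices matched only by the broader rule can be reviewed. The function name, the sample values and the case-insensitive comparison are assumptions.

```powershell
# Constructed sample records. In a tenant these would be exported device
# objects carrying the enrollmentProfileName property used in the rule.
$devices = @(
    [pscustomobject]@{ DisplayName = 'KIOSK-01';  EnrollmentProfileName = 'LKiosk' }
    [pscustomobject]@{ DisplayName = 'KIOSK-02';  EnrollmentProfileName = 'LKiosk ' }      # trailing space
    [pscustomobject]@{ DisplayName = 'KIOSK-03';  EnrollmentProfileName = 'LKiosk-Test' }  # different profile
    [pscustomobject]@{ DisplayName = 'LAPTOP-07'; EnrollmentProfileName = 'Corp-Standard' }
    [pscustomobject]@{ DisplayName = 'PHONE-11';  EnrollmentProfileName = $null }          # never set
)

# Hypothetical helper: reports, per device, whether the stored value would
# match an exact comparison, a substring comparison, or both.
function Compare-ProfileMatch {
    param(
        [Parameter(Mandatory)] [object[]] $Device,
        [Parameter(Mandatory)] [string]   $ProfileName
    )
    # Assumption: comparisons are treated as case-insensitive.
    $mode = [System.StringComparison]::OrdinalIgnoreCase
    foreach ($d in $Device) {
        $value    = [string]$d.EnrollmentProfileName   # $null becomes ''
        $equals   = $value.Equals($ProfileName, $mode)
        $contains = $value.IndexOf($ProfileName, $mode) -ge 0
        [pscustomobject]@{
            DisplayName     = $d.DisplayName
            StoredValue     = "[$value]"      # brackets expose stray whitespace
            Length          = $value.Length
            MatchesEquals   = $equals
            MatchesContains = $contains
            # Matched only by the broader rule: confirm it belongs in the group.
            Review          = $contains -and -not $equals
        }
    }
}

Compare-ProfileMatch -Device $devices -ProfileName 'LKiosk' |
    Sort-Object Review -Descending |
    Format-Table -AutoSize
```

With the sample data, KIOSK-02 and KIOSK-03 are flagged for review: both join the group under -contains but would not under -equals.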