Organizations represent certificate authorities, changing a users organization requires issuing a new certificate and private key. This can’t be done during connection. If a user logs into the web console with single sign-on and the group has changed the user will be moved to a new organization.
If the groups mode is configured the Azure API would be used to update the users groups on connection. You also need to configure groups on the server. If a server has no groups configure the user groups will never be checked.