Is there a way to map external active directory groups to internal? Looks like I can only use internal groups in posture policy and client provisioning policy. Is that correct?
You can create the policy so that the ad external group attribute is a component of the policy.
When add a new condition on the left hand side select the advanced option, there you will see AD the select the external group attribute.
From there you can choose the operator followed by the value, which you selected in the groups tab under the Ad settings.