When updating the value of an application role in a multi-tenant application, it does not seem that subsequently created access tokens in "client" AADs have the new updated value among the roles, but rather the old value. I have verified using Get-AzureADServicePrincipal that the enterprise app has been updated in the guest AAD with the new value for the role. I have also tried to remove a user from the particular role and then re-assign the user after the role has been updated, but it does not seem to solve the problem. The only workaround for now is deleting the enterprise app in the "client" AAD and then re-creating it.
Is this scenario not supported or am I doing something wrong?