Ok, so it turns out the users from domain B are not synced. It just so happens the users tried to access the hub and were created automatically in Sense.
The user account is still not associated (in Sense) with the groups in domain A they are members of.
Is this a limitation of LDAP?
It looks like external users are represented as ForeignSecurityPrincipals (SIDs) when using LDAP.
I would like to add this is ridiculously easy using powershell...
Get-ADGroupMember -Identity <Group> -Recursive | select name