By default there is an All Techs group which includes all the tech that are added to TechIdManager. By default there is an All Domains group which includes all the domains that are added to TechIdManager. By default there is an All Rights groups which includes all the rights that are initially defined in TechIdManager. By default there is a triplet that ties all three of these groups together.
So on first setting up TechIdManager all techs that are added to TechIdManager will have all the rights on all domains.
Rights are of several types in TechIDManager. There are Domain Rights, LocalMachine Rights, and Azure Rights. Domain rights are matched by name to the AD Groups on a domain. LocalMachine rights are matched by name to the groups on local machines. Azure Rights are matched by name to the rights in Azure. Any right name that does not exist in a particular location is ignored. No AD groups, LocalMachine groups, or Azure rights are every created by TechIDManager.
The following slides explain how the groups work if you want to setup your own groups.
If you setup your own groups, you will need to delete the all/all/all triplet.
Here are 2 different Grouping setups and how they interact if you have both setup.