The most common cause of this is a typo or non-matching capitalization when configuring members for the internet-service-group.

Another common cause is the built-in 'direction' attribute of the Internet Service may not be compatible with the 'direction' configured in the Internet Service Group.

More details about the direction consideration can be found on Technical Tip: Internet Service Grouping in relation to direction.

• By default, the newly created internet-service-group is 'both':

show full firewall internet-service-group 1000
config firewall internet-service-group
    edit "1000"

        set direction both

    next

end

• Direction can be changed:

config firewall internet-service-group
    edit 1000

        set direction ?
source           As source when applied.
destination      As destination when applied.
both             Both directions when applied.

• Internet Services also have destination attributes:

diagnose internet-service id-summary 327681
Version: 00007.03429
...
Internet Service: 327681(Microsoft-Web)...
Direction: dst

Or:

diagnose internet-service id-summary 327903
Version: 00007.03429
...
Internet Service: 327903(Microsoft-Office365.Published.Allow)
Direction: both

Internet Services with directions 'both' can be added to groups with directions 'destination' and 'source'. For example, if the group direction is 'both', it is possible to add only Microsoft-Office365.Published.Allow ('both'), but not Microsoft-Web ('dst') to it. However, if changing the type to 'destination', it is possible to add both services. 

This configuration can be done only from the CLI.

Note:

Starting from FortiOS v7.6.0, direction can be configured using the GUI as well. Go to Policy & Objects -> Internet Service Database -> Select Internet Service Group -> Create new.