AD as whitelist for getFilteredGroups

Is it possible to whitelist every active directory group when using “getFilteredGroups” without having to manually go through and record each group id. Something like: “getFilteredGroups(active_directory.groups,, 100)”.

We are trying to get user AD groups in id_tokens/access tokens but have way too many groups to manually go through and list each group for an app whitelist.


Mind opening a case with

I’m unsure if this is possible looking at the documentation. You do have the ability to grab use the whitelist for active_directory app type, but I’m unsure how it behaves with the rest of the expression language.

It is probably going to be faster to work with support than waiting for me to get AD configured on my org to validate.


Well I’ve been trying to get AD groups added to the users id_token and I’ve had this question open for some time (How to add AD groups to users id_token (working example))

I’ve not yet had any clear guidance on how or if this works so if you do get this working successfully I’d appreciate any feedback or steps (not pointing me to the documentation as I’ve already been through it all).

Thank you

We worked with our Okta technical contact for a while on this and were unable to come up with a solution that worked. We could get Okta mastered groups in the token but not AD. We ended up giving up and pivoting to just calling the /api/v1/users/${user.sub}/groups endpoint to get all the groups a user belongs to, which isn’t ideal because it is an additional call to make, but works fine enough for our use case. If you ever find a solution to this I’d be happy to hear though!