AD user not showing any AD groups?

I am using OpenID Connect from ASP.NET. I have synced my Active Directory using the agent. I enabled delegation to AD. I have modified the Authorization Server to create a ‘groups’ scope and expose the groups claim with regex: .*

When I make my request to the API, the response type is “code id_token token” and the scopes are “openid profile email groups”.

When I log in as an AD user, the login is successful, but the only group in the response to the userInfoClient.GetAsync call is “Everyone”.

Am I missing something to be able to see what AD groups the user is a member of?
Thank you

No response to this? Is there more information that is needed? I am happy to provide anything needed. I am stuck on this and can’t find any good answers why I am not able to get the user’s Active Directory groups to appear in the list of claims. Please help.

Regex only works on Okta groups; there was a performance issue associated with AD groups and regex that we couldn’t support. I followed up with the team (hence the delay) and it is on the roadmap for them to get this behavior in.

In the meantime, we recommend this article for getting groups isolated for an application for performance reasons:

Let me know if you have any questions about this.

Hi, I have a question regarding the groups claim.

I’ve added claims in my default authorization server for OpenID Connect applications like this:

groups_ad Groups.startsWith("", "DL", 10) groups id Always
groups_okta groups: regex .* groups id Always

The groups_okta is showing up in the token_id but not the groups_ad.

The groups are synced from AD with Active Directory integration.
I am not sure about the parameter app in the expression of the claim. Is the good value doesn’t really help.
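Since the reply above says a regex filter only matches Okta-mastered groups, and the claim listing above uses a Groups.startsWith(...) expression for the AD-sourced groups, here is a small diagnostic script I wrote as an added example (it is not code from Okta or from anyone in this thread). It decodes an ID token's payload without verifying the signature, lists every groups-style claim it carries, and, when no group with the expected AD prefix is present, prints the Okta Expression Language claim value to configure instead. Assumptions: the first argument of Groups.startsWith is the app type string "active_directory" (underscore), the limit is between 1 and 100 as Okta documents it, and the sample token and group names are constructed for the example.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned compact JWS for the example (placeholder signature)."""
    header = {"alg": "RS256", "kid": "constructed-kid", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()),
                     "constructed-signature"])


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature.

    Fine for looking at what Okta put in the token; never use unverified
    claims for an authorization decision (verify against the JWKS first).
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def collect_group_claims(payload: dict) -> dict:
    """Return every claim whose name starts with 'groups' and whose value is a list of strings."""
    return {name: list(value) for name, value in payload.items()
            if name.startswith("groups") and isinstance(value, list)
            and all(isinstance(v, str) for v in value)}


def ad_groups_expression(prefix: str, limit: int = 100) -> str:
    """Claim value for AD-sourced groups: Groups.startsWith(app_type, pattern, limit).

    Assumption: app_type is "active_directory" (underscore, not dot) and Okta
    accepts a limit of 1..100; check the current Okta docs for both.
    """
    if not 1 <= limit <= 100:
        raise ValueError("limit must be between 1 and 100")
    return f'Groups.startsWith("active_directory", "{prefix}", {limit})'


def diagnose(payload: dict, ad_prefix: str) -> dict:
    """Summarise group claims and suggest the startsWith claim when no AD group is present."""
    claims = collect_group_claims(payload)
    groups = sorted({g for gs in claims.values() for g in gs})
    ad_groups = [g for g in groups if g.startswith(ad_prefix)]
    return {
        "claims": sorted(claims),
        "ad_groups": ad_groups,
        # None when AD groups already arrive; otherwise the expression to configure.
        "suggested_claim": None if ad_groups else ad_groups_expression(ad_prefix),
    }


# Constructed sample payloads: one with both claims populated, one showing the
# symptom from the original post (a regex claim that only yields "Everyone").
SAMPLE_PAYLOAD = {
    "sub": "00u-constructed", "iss": "https://example.okta.com/oauth2/default",
    "groups_okta": ["Everyone", "App Users"],
    "groups_ad": ["DL-Finance", "DL-IT"],
}
EVERYONE_ONLY_PAYLOAD = {
    "sub": "00u-constructed", "iss": "https://example.okta.com/oauth2/default",
    "groups": ["Everyone"],
}

if __name__ == "__main__":
    for label, payload in (("both claims", SAMPLE_PAYLOAD), ("regex only", EVERYONE_ONLY_PAYLOAD)):
        token = make_unsigned_token(payload)
        print(label, "->", json.dumps(diagnose(decode_jwt_payload(token), "DL"), indent=2))
```

Paste a real ID token in place of make_unsigned_token(...) to see which groups claims your token actually carries; if the only group is "Everyone", the claim to add is the Groups.startsWith expression the script prints, scoped to the groups scope in the Authorization Server, rather than a regex filter.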


For me, using active_directory instead of worked (i.e. underscore instead of dot).

I tried this after seeing some examples here that used underscore: