diff --git a/docs/ref/oidc.md b/docs/ref/oidc.md index f56da4f2..beb36ae0 100644 --- a/docs/ref/oidc.md +++ b/docs/ref/oidc.md @@ -305,5 +305,13 @@ Entra ID is: `https://login.microsoftonline.com//v2.0`. The followi - `domain_hint: example.com` to use your own domain - `prompt: select_account` to force an account picker during login -Groups for the [allowed groups filter](#authorize-users-with-filters) need to be specified with their group ID instead +When using Microsoft Entra ID together with the [allowed groups filter](#authorize-users-with-filters), configure the +Headscale OIDC scope without the `groups` claim, for example: + +```yaml +oidc: + scope: ["openid", "profile", "email"] +``` + +Groups for the [allowed groups filter](#authorize-users-with-filters) need to be specified with their group ID(UUID) instead of the group name.
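Review bot: The added sentence "configure the Headscale OIDC scope without the `groups` claim" mixes up scope and claim. The YAML example removes `groups` from the requested `scope` list, while the allowed groups filter described in the next sentence still matches on group IDs. Suggest rewording to "without the `groups` scope" and adding one sentence that says why the scope has to be omitted for Entra ID and where the group IDs the filter compares against come from. As written, a reader can't tell whether the filter is expected to keep working after the change or what failure they would see if `groups` is left in the scope. Since this filter is an authorization control, the doc should state the failure behaviour explicitly. Minor: `group ID(UUID)` in the last changed line needs a space, `group ID (UUID)`.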