From e0c9e18e222a3f6f71d1d49d62386a51173ae69f Mon Sep 17 00:00:00 2001 From: Acha <37405625+acha666@users.noreply.github.com> Date: Sat, 15 Nov 2025 03:45:20 -0800 Subject: [PATCH] Update OIDC documentation for allowed groups filter Clarify configuration for allowed groups filter with Microsoft Entra ID. --- docs/ref/oidc.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/ref/oidc.md b/docs/ref/oidc.md index f56da4f2..beb36ae0 100644 --- a/docs/ref/oidc.md +++ b/docs/ref/oidc.md @@ -305,5 +305,13 @@ Entra ID is: `https://login.microsoftonline.com//v2.0`. The followi - `domain_hint: example.com` to use your own domain - `prompt: select_account` to force an account picker during login -Groups for the [allowed groups filter](#authorize-users-with-filters) need to be specified with their group ID instead +When using Microsoft Entra ID together with the [allowed groups filter](#authorize-users-with-filters), configure the +Headscale OIDC scope without the `groups` claim, for example: + +```yaml +oidc: + scope: ["openid", "profile", "email"] +``` + +Groups for the [allowed groups filter](#authorize-users-with-filters) need to be specified with their group ID(UUID) instead of the group name.
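Review bot: In the added paragraph, "configure the Headscale OIDC scope without the `groups` claim" mixes up scope and claim. The entries under `oidc.scope` are scopes, so this should read "without the `groups` scope". The paragraph also gives no reason why that scope has to be left out for Entra ID, nor where the group IDs matched by the allowed groups filter come from once it is omitted; one sentence of explanation would keep readers from treating the setting as arbitrary or re-adding `groups` later. Minor: "group ID(UUID)" needs a space before the parenthesis, and the two consecutive sentences both link to `#authorize-users-with-filters`, so the second link can be dropped.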