From c60394062dacecadda19334b1af89a7a3df19937 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 1 Sep 2022 18:30:50 -0400 Subject: [PATCH] auth/oidc: add extra context about claim names in doc (#16987) --- .../docs/auth/jwt/oidc-providers/azuread.mdx | 20 +++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/website/content/docs/auth/jwt/oidc-providers/azuread.mdx b/website/content/docs/auth/jwt/oidc-providers/azuread.mdx index 07d245edbe..066de69716 100644 --- a/website/content/docs/auth/jwt/oidc-providers/azuread.mdx +++ b/website/content/docs/auth/jwt/oidc-providers/azuread.mdx @@ -95,8 +95,24 @@ You should set up a [Vault policy](https://learn.hashicorp.com/tutorials/vault/p ### Optional Azure-specific Configuration -If a user is a member of more than 200 groups (directly or indirectly), extra configuration -is required so that Vault can fetch the groups properly. +If a user is a member of more than 200 groups (directly or indirectly), Azure will +send `_claim_names` and `_claim_sources`. For example, returned claims might look like: + +```json +{ + "_claim_names": { + "groups": "src1" + }, + "_claim_sources": { + "src1": { + "endpoint": "https://graph.windows.net...." + } + } +} +``` + +The OIDC auth method role can be configured to include the user ID in the endpoint URL, +which will be used by Vault to retrieve the groups for the user: - In Azure, under the applications **API Permissions**, grant the following permissions: - Microsoft Graph API permission [Directory.Read.All](https://docs.microsoft.com/en-us/graph/permissions-reference#application-permissions-19)
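Review bot: the rewritten lead-in ("The OIDC auth method role can be configured to include the user ID in the endpoint URL ...") drops the word "required" that the removed lines carried ("extra configuration is required so that Vault can fetch the groups properly"), so the bullet list that follows now reads as optional even though, when Azure returns `_claim_names` and `_claim_sources` instead of the groups themselves, Vault cannot resolve group membership without it; suggest keeping the requirement explicit, e.g. "When these claims are present, the following configuration is required so that Vault can retrieve the groups for the user:". Two smaller points on the same hunk: the example value `"endpoint": "https://graph.windows.net...."` is truncated, so it is worth saying in the surrounding text that it is an abbreviated sample (readers otherwise copy it literally into their own test fixtures), and since the permission bullet directly below refers to the Microsoft Graph API while the example host is `graph.windows.net`, it would help to confirm that the example host matches what Azure actually returns in `_claim_sources` and, if the two differ, to say so.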