Posting this question on behalf of a customer:
We are trying to integrate Kubernetes OIDC authentication with Azure AD. According to the documentation, in order to use user groups we need to pass the following option to the Kubernetes API service: --oidc-groups-claim user_roles
The API service uses user_roles to look up the group names of the groups the user is a member of in the JWT returned by Azure AD.
However, when we decode the JWT returned by Azure AD, we can't find any field called user_roles in the returned JWT. The decoded JWT looks like this (redacted):
{
"aud": "spn:XXX",
"iss": "https://sts.windows.net/XXX/",
"iat": XXX,
"nbf": XXX,
"exp": XXX,
"acr": "1",
"aio": "XXX",
"amr": [
"pwd",
"mfa"
],
"appid": "XXX",
"appidacr": "0",
"family_name": "Foo",
"given_name": "Bar",
"groups": [
"gid1",
"gid2"
],
"ipaddr": "XXX",
"name": "Foo Bar",
"oid": "XXX",
"onprem_sid": "XXX",
"scp": "user_impersonation",
"sub": "XXX",
"tid": "XXX",
"unique_name": "XXX",
"upn": "XXX",
"uti": "XXX",
"ver": "1.0"
}
As you can see, there is no user_role field present in the returned JWT. Is there anything we are missing, i.e. should we enable some setting in Azure AD that will get Azure to return user_role populated with the group names the user is a member of? The JWT we are hoping to get should look something like this (please note the user_role field):
https://github.com/kubernetes/kubernetes/issues/33290#issue-178672086
{
"iss": "XXX",
"aud": "XXX",
"exp": XXX,
"jti": "XXX",
"iat": XXX,
"nbf": XXX,
"sub": "mmosley",
"user_role": [
"admin",
"users",
"approvers"
],
"email": "XXX"
}
Any help or pointers would be greatly appreciated.
First, as far as I know, the AAD id_token only supports the role claim, NOT user_role. It can be added into the id_token by adding the appRoles property to the AAD application manifest. And a bit in the config is needed to match the audience from tokens retrieved by Azure AAD.
Second, --oidc-groups-claim should not use the user_role claim. According to my understanding, it should be groups, which matches the groups claim in the id_token.
Also, you can refer to this blog and this sample to integrate Kubernetes RBAC with Azure AD.
See more details about RBAC authentication for Kubernetes in this document.
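As an added example (not code from the asker, the answerer, or the Kubernetes project), the script below does the check a practitioner wants before pointing kube-apiserver at Azure AD: decode the token payload offline, list which claims are actually present, and model how --oidc-username-claim / --oidc-groups-claim (plus the -prefix flags) would map them to a Kubernetes user and group list. The sample claims are constructed from the redacted token in the question, the token is built unsigned purely so the example runs offline, and the map_identity function is a simplified model that deliberately leaves out signature, issuer and audience verification. It also flags the Azure AD groups-overage case, where the token carries _claim_names/_claim_sources instead of a groups array, which the apiserver does not follow.

```python
import base64
import json

# Constructed sample modelled on the redacted Azure AD v1.0 token in the question
# (not a real token; values are placeholders).
SAMPLE_PAYLOAD = {
    "aud": "spn:XXX",
    "iss": "https://sts.windows.net/XXX/",
    "name": "Foo Bar",
    "upn": "foo.bar@example.com",
    "groups": ["gid1", "gid2"],
    "ver": "1.0",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_unsigned_jwt(payload: dict) -> str:
    # Builds an offline sample token with an empty signature segment. Only for
    # exercising the claim-inspection code below; never accept such a token.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}."


def decode_payload(token: str) -> dict:
    # Decodes the claims WITHOUT verifying the signature. That is fine for
    # checking which claims Azure AD emits, and unsafe for anything else.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def missing_claims(payload: dict, *claims: str) -> list:
    # Which of the claims named in the apiserver flags are absent from the token.
    return [c for c in claims if c not in payload]


def has_groups_overage(payload: dict, groups_claim: str = "groups") -> bool:
    # Azure AD omits the groups array and emits _claim_names/_claim_sources
    # instead when the user is in more groups than fit in the token. The
    # apiserver does not follow that indirection, so such users get no groups.
    return groups_claim in payload.get("_claim_names", {})


def map_identity(payload, username_claim="upn", groups_claim="groups",
                 username_prefix="", groups_prefix=""):
    # Simplified model of how kube-apiserver turns claims into a Kubernetes
    # user and group list under --oidc-username-claim/--oidc-groups-claim and
    # the matching -prefix flags (assumption: signature, issuer and audience
    # checks happen elsewhere and are deliberately not modelled here).
    absent = missing_claims(payload, username_claim, groups_claim)
    if absent:
        raise KeyError(f"claims missing from token: {absent}; present: {sorted(payload)}")
    groups = payload[groups_claim]
    if isinstance(groups, str):
        groups = [groups]
    if not all(isinstance(g, str) for g in groups):
        raise TypeError(f"{groups_claim!r} must be a string or an array of strings")
    return {
        "user": username_prefix + str(payload[username_claim]),
        "groups": [groups_prefix + g for g in groups],
    }


if __name__ == "__main__":
    token = build_unsigned_jwt(SAMPLE_PAYLOAD)
    claims = decode_payload(token)
    print("claims present:", sorted(claims))
    print("with --oidc-groups-claim groups:", map_identity(claims))
    try:
        map_identity(claims, groups_claim="user_roles")
    except KeyError as exc:
        print("with --oidc-groups-claim user_roles:", exc)
```

To use it against a real token, replace the constructed sample with the payload segment of a token obtained from Azure AD; the apiserver flags that correspond to the defaults above are --oidc-username-claim=upn and --oidc-groups-claim=groups. Note that Azure AD emits group object IDs (gid1, gid2 in the sample), not display names, so RBAC bindings must reference those IDs, and a groups-prefix such as oidc: keeps them from colliding with built-in groups like system:masters.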