Why the Groups Claim Is Not Returning Active Directory Groups
API Access Management
Overview

There is a Groups claim created for the application/authorization server, and it is being returned successfully, but for users that are members of groups in Active Directory (or another app group that was imported from outside of Okta), the claim does not contain the full list of the user's groups.

Applies To
  • OpenID Connect/OAuth applications
  • Org Authorization Server
  • Custom Authorization Server
Cause

The Groups "Filter" claim type only matches groups that were created in, and are mastered by, Okta itself; it does not match App groups or Active Directory groups, even when the group name would satisfy the filter. This limitation also applies to the "Matches Regex" filter option.

Solution

If groups of this type should be returned, use a Groups Expression, not a Filter.

  • Here is what that looks like when using the Org Authorization Server:

[Screenshot: Using Org Authorization Server]

  • And here is what that looks like when using a Custom Authorization Server (such as the one named Default):

[Screenshot: Using a Custom Authorization Server]

  • For example, to get all the Active Directory groups to which the user is assigned, use the following Expression:
    Groups.startsWith("active_directory","",100)
  • If looking to get only the Active Directory groups that start with "Admin_" or a similar substring, change the second argument in this expression as seen below:
    Groups.startsWith("active_directory","Admin_",100)
  • If looking to get groups from another app, change the first argument to match the application variable name. For example, to get the Google Groups, use the following:
    Groups.startsWith("google","",100)
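The following Python script is an added illustration and is not Okta's code. It models the difference between the Filter claim type and the `Groups.startsWith(app, prefix, limit)` expression on a constructed set of group memberships (the `Group` class, the `source` field and the sample names are assumptions made for the model; the third argument is treated as the maximum number of group names returned), and it includes a small helper that pulls the `groups` claim out of an ID token so the result of the claim change can be checked.

```python
"""Model of the Groups claim behaviour described in the article, plus a check of the
resulting `groups` claim in an ID token. Constructed example; not Okta's implementation."""
import base64
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    name: str
    # "okta" for groups mastered in Okta; otherwise the app variable name that
    # imported the group, e.g. "active_directory" or "google" (assumed naming).
    source: str


# Constructed sample of one user's group memberships (not real data).
USER_GROUPS = [
    Group("Everyone", "okta"),
    Group("Admin_Okta", "okta"),
    Group("Admin_Domain", "active_directory"),
    Group("Admin_Workstations", "active_directory"),
    Group("Domain Users", "active_directory"),
    Group("Admin_GSuite", "google"),
]


def groups_filter_starts_with(groups, prefix):
    """Behaviour of the Filter claim type as the article describes it: only
    Okta-mastered groups are candidates, so AD and app groups never match
    even when their names fit the filter."""
    return [g.name for g in groups if g.source == "okta" and g.name.startswith(prefix)]


def groups_expression_starts_with(groups, app, prefix, limit):
    """Models Groups.startsWith(app, prefix, limit): groups imported by `app`
    whose name starts with `prefix`, capped at `limit` names (assumed semantics)."""
    if limit < 1:
        raise ValueError("limit must be a positive integer")
    return [g.name for g in groups if g.source == app and g.name.startswith(prefix)][:limit]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_sample_id_token(groups):
    """Constructed, unsigned stand-in for an ID token so the check runs offline.
    The signature segment is a placeholder, not a real RS256 signature."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "placeholder"}).encode())
    payload = _b64url(json.dumps({"sub": "00u_placeholder", "groups": groups}).encode())
    return f"{header}.{payload}.signature_placeholder"


def groups_claim_from_id_token(id_token):
    """Return the `groups` claim from the JWT payload segment. This only decodes;
    verify the signature against the authorization server's JWKS before relying
    on the claim for authorization decisions."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload_b64 = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return payload.get("groups", [])


if __name__ == "__main__":
    print("Filter 'Admin_':", groups_filter_starts_with(USER_GROUPS, "Admin_"))
    print("Expression AD, any name:",
          groups_expression_starts_with(USER_GROUPS, "active_directory", "", 100))
    print("Expression AD, 'Admin_':",
          groups_expression_starts_with(USER_GROUPS, "active_directory", "Admin_", 100))
    token = build_sample_id_token(
        groups_expression_starts_with(USER_GROUPS, "active_directory", "Admin_", 100))
    print("groups claim in sample token:", groups_claim_from_id_token(token))
```

Running the script shows why the Filter variant leaves AD groups out (only `Admin_Okta` is returned for the `Admin_` filter) while the expression form returns the Active Directory groups, and the last line demonstrates the check to run on a real ID token after the claim has been changed.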
