This as an Azure AD problem. We suffer the same as we started with AD on-prem and in moving to AAD, we've had to rethink our CAD group strategy.

Unless Microsoft remove the restriction, then it might be a good opportunity to review your own group policy as being a member 165 groups feels very over complicated.

How is this an Azure AD problem? This could easily be solved by doing a separate request to retrieve all the groups.
The value of the groups.links-attribute clearly states where the groups can be retrieved.

Or am I missing something here?

Hi @Rui Barbosa ,

My colleague Rob (TS) has created the appropriate functions to support huge numbers of groups. We use the provided link in the SAML message to retrieve all groups via the Graph-API, completely following all specifications.

Would you be open to add this to the next version of the IDP module?

We would be happy to share all the code.

Hi Peter,

Actually, there is already a version of IdP (4.2.13), that is currently "Under Development" that references a new App called Idp Customizations that will let you add your own custom logic for user/group mapping.

This will let you add the necessary logic to call the Graph API and fetch the groups/roles mapping without affecting the IDP component and its future versions.

This will be a more generic solution, without having to go to the different implementation details of Graph API with endpoints and credentials/tokens etc..

This new version includes many other changes such as allowing multiple configurations of different identity providers for the same tenant.

I'm just currently waiting for more feedback from a couple of colleagues that are already using this latest version. I also need to create new and updated documentation for this new version.