[CF1] adfs groups callout

Author: deadlypants1973

src/content/docs/cloudflare-one/identity/idp-integration/adfs.mdx

@@ -17,10 +17,10 @@ Active Directory is a directory service developed by Microsoft for Windows domai
 
 To get started, you need:
 
-- An Active Directory Domain Controller where all users have an email attribute
-- Generic SAML enabled for your Access Identity Provider (IdP)
+- An Active Directory Domain Controller where all users have an email attribute.
+- Generic SAML enabled for your Access Identity Provider (IdP).
 - A Microsoft server running with Active Directory Federation Services (AD FS) installed. All screenshots in these instructions are for Server 2012R2. Similar steps will work for newer versions.
-- A browser safe certificate for Active Directory Federation Services (AD FS)
+- A browser safe certificate for Active Directory Federation Services (AD FS).
 
 Once you fulfill the requirements above, you are ready to begin. Installation and basic configuration of Active Directory Federation Services (AD FS) is outside the scope of this guide. A detailed guide can be found in a [Microsoft KB](<https://docs.microsoft.com/en-us/previous-versions/dynamicscrm-2016/deployment-administrators-guide/gg188612(v=crm.8)>).
 
@@ -126,6 +126,11 @@ To create Claim Rules:
 
 Both Claim Rules are now available to export to your Cloudflare Access account.
 
+:::note
+
+If you wish to use AD FS groups in your SAML claims, use `token-groups - unqualified names` instead of `is-member-of-DL`.
+:::
+
 ## Export the certificate
 
 Now you'll configure Cloudflare to recognize AD FS by extracting the _token-signing certificate_ from AD FS.