Support Entra ID Users with more than 200 groups (fails with Group Overage Claim)

[jona7o]

What happened?

Preconditions:

• OpenID via EntraID
• Enabled Security Group Check
• User with more than 200 Groups

If these Conditions are fulfilled the "token" runs into a problem known as Group Overage Claim. I think this is all over a problem for large enterprises.

The log tells you then that the group is missing:

{"level":"error","message":"You must have the \"$UUID\" role to log in.","timestamp":"2025-08-21T09:58:53.762Z"}

There is a possible solution how it can be solved in .NET: https://mattruma.com/adventures-with-azure-ad-group-overage-claim/

Version Information

main branch

Steps to Reproduce

1. Try to login an entra id user with more than 200 groups
2. OpenID Login with Group check

What browsers are you seeing the problem on?

No response

Relevant log output

{"level":"error","message":"You must have the \"$UUID\" role to log in.","timestamp":"2025-08-21T09:58:53.762Z"}

Screenshots

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[danny-avila]

Microsoft also provides some other suggestions:

• Add only the groups assigned to the application
• Configure a group filter to get the number of groups down under the limit

source: gravitational/teleport#21795 (comment)

I'm not sure when I would get around to implementing the necessary changes here. PR's welcome. Possible code-based solution:
gravitational/teleport#58098