applying suggestions

Author: eedugon

deploy-manage/users-roles/_snippets/azure-group-overage.md

@@ -0,0 +1,9 @@
+:::{admonition} For organizations with many group memberships
+If you configure [`claims.groups`](/deploy-manage/users-roles/cluster-or-deployment-auth/openid-connect.md#oidc-user-properties) to read the list of Azure AD groups from the ID token, be aware that users who belong to many groups may exceed Azure AD’s token size limit. In that case, the `groups` claim will be omitted.
+
+To avoid this, enable the **Groups assigned to the application** option in Azure Entra (**App registrations > Token configuration > Edit groups claim**). This setting limits the `groups` claim to only those assigned to the application.
+
+**Alternative:** If you can’t restrict groups to app-assigned ones, use the [Microsoft Graph Authz plugin for Elasticsearch](https://www.elastic.co/docs/reference/elasticsearch/plugins/ms-graph-authz). It looks up group memberships through Microsoft Graph during authorization, so it continues to work even when the `groups` claim is omitted due to overage.
+
+Refer to [Group overages](https://learn.microsoft.com/en-us/security/zero-trust/develop/configure-tokens-group-claims-app-roles#group-overages) for more information.
+:::

deploy-manage/users-roles/cluster-or-deployment-auth/oidc-examples.md

@@ -99,12 +99,7 @@ For more information about OpenID connect in Azure, refer to [Azure OAuth 2.0 an
     * `KIBANA_ENDPOINT_URL` is your {{kib}} endpoint.
     * `YOUR_DOMAIN` and `TLD` in the `claim_patterns.principal` regular expression are your organization email domain and top level domain.
 
-    ::::{tip} for organizations with many group memberships
-    If you use [`claims.groups`](/deploy-manage/users-roles/cluster-or-deployment-auth/openid-connect.md#oidc-user-properties) to map the list of Azure AD groups included in the ID token,  users with a large number of group memberships might exceed the token size limit. 
-    
-    To avoid this, enable the **Groups assigned to the application** option in Azure Entra (**App registrations > Token configuration > Edit groups claim**). This limits the groups included in the ID token to those assigned to the application.
-
-    For more details, refer to [Configure group claims and app roles in tokens](https://learn.microsoft.com/en-us/security/zero-trust/develop/configure-tokens-group-claims-app-roles) in the Microsoft Security documentation.
+    ::::{include} ../_snippets/azure-group-overage.md
     ::::
 
     If you're using {{ece}} or {{ech}}, and you're using machine learning or a deployment with hot-warm architecture, you must include this configuration in the user settings section for each node type.

deploy-manage/users-roles/cluster-or-deployment-auth/saml-entra.md

@@ -89,9 +89,12 @@ Follow these steps to configure SAML with Microsoft Entra ID as an identity prov
         * `<Tenant_ID>` is your Tenant ID, available in the tenant overview page in Azure.
         * `<Kibana_Endpoint_URL>` is your {{kib}} endpoint, available from the {{ech}} console. Ensure this is the same value that you set for `Identifier (Entity ID)` in the earlier Microsoft Entra ID configuration step.
 
-            For `idp.metadata.path`, we’ve shown the format to construct the URL. This value should be identical to the `App Federation Metadata URL` setting that you made a note of in the previous step.
+        * For `idp.metadata.path`, we’ve shown the format to construct the URL. This value should be identical to the `App Federation Metadata URL` setting that you made a note of in the previous step.
 
-            If you're using {{ece}} or {{ech}}, and you're using machine learning or a deployment with hot-warm architecture, you must include this configuration in the user settings section for each node type.
+        ::::{include} ../_snippets/azure-group-overage.md
+        ::::
+
+        If you're using {{ece}} or {{ech}}, and you're using machine learning or a deployment with hot-warm architecture, you must include this configuration in the user settings section for each node type.
 
     2. Next, configure {{kib}} to enable SAML authentication:
         1. [Update your {{kib}} user settings](/deploy-manage/deploy/elastic-cloud/edit-stack-settings.md) with the following configuration: