Okay,
I really wish there was an easy way to reconstruct the exact OAuth call being done behind the scenes so you could poke at the Azure OAuth response with curl. But I would encourage you to try that and look at the JSON response so you can get a handle on what Azure is doing with regard to populating the groups claim.
Reading up on the Azure documentation for their OIDC implementation backed by AD, it looks like you have some tunables as to what AD attributes get mapped into the array value of the groups_claim associated with the OAuth2 application you set up in Azure to use with Sensu. It could be that you may have to change some settings to get the array of strings you expect from AD.
I can’t tell you what you expect however, because I don’t have access to your AD which makes it very difficult to walk you through it.
Here’s what I think the best Azure reference doc for the tunable is
From the documentation there are several ways to populate the groups_claim. You are probably just not using the correct option, probably just getting the application level group, not the groups associated with the user.
It would definitely be easier for you to be able to poke at this with some curl commands until you got the Azure settings right. I think it's gonna be pretty obvious once you get Azure configured correctly. You’re definitely getting the basics right, Azure is providing a JSON response with a “groups” attribute… it's just not populated with what you expect, it sounds like.
I hope this helps.
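An added example, not part of the original post and not Sensu or Azure code: a small Python helper for inspecting what the provider actually put in the groups claim, once you have captured the ID token from the token response. It assumes the token is a three-part JWT and that the claim is named `groups`; the function names, the shape labels and the sample tokens are constructed for illustration, and the signature is deliberately not verified because this is for inspection only.

```python
import base64
import json
import re

# Shape of a directory object ID (GUID), as opposed to a human-readable group name.
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def decode_payload(token):
    """Return the claims of a JWT. No signature check: diagnostic use only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def describe_groups(claims, claim_name="groups"):
    """Classify the groups claim so a mismatch with expected group names is visible."""
    if claim_name not in claims:
        return "missing"
    value = claims[claim_name]
    if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
        return "not-a-string-array"
    if not value:
        return "empty"
    if all(GUID_RE.fullmatch(v) for v in value):
        return "object-ids"
    return "names"

def make_token(claims):
    """Build a constructed, unsigned sample token so the example runs offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.constructed"

if __name__ == "__main__":
    # Constructed sample claims, one per shape the claim can take.
    samples = [
        {"sub": "user1", "groups": ["00000000-0000-0000-0000-000000000001"]},
        {"sub": "user1", "groups": ["sensu-admins", "sensu-viewers"]},
        {"sub": "user1", "groups": []},
        {"sub": "user1"},
    ]
    for claims in samples:
        decoded = decode_payload(make_token(claims))
        print(describe_groups(decoded), decoded.get("groups"))
```

The same `describe_groups` check works on any decoded JSON object, so it can also be pointed at a userinfo response saved from curl.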