Okay, I think our friends at HashiCorp have documented the magic. Specifically, there is discussion about the scope called “https://graph.microsoft.com/.default”.
This may be the missing magic that Azure requires to set the groups_claim correctly for OIDC.
Take a look at:
Azure Ref: