Azure AD Authentication Token problems

Product: PowerShell Universal
Version: 2.3

I am trying to get Azure AD group membership and having difficulties doing so. Here is the relevant portion of the appsettings.json:
"OIDC": {
  "Enabled": "true",
  "CallbackPath": "/auth/signin-oidc",
  "ClientID": "4c....",
  "ClientSecret": "clientsecret",
  "Resource": "https://manage.office.com/",
  "Authority": "https://login.microsoftonline.com/<tenantID>",
  "ResponseType": "id_token token",
  "SaveTokens": "true",
  "CorrelationCookieSameSite": "",
  "UseTokenLifetime": true,
  "Scope": "openid profile groups"
}

I also have it set up to use HTTPS on port 443.
Whenever I have this setup, I get a 500 error on loading https://url/auth/signin-oidc.
If I remove the Resource and change the response type to "code", I am able to log in, but don't get any of my group membership. My app is set to send all group membership (although I have also tried security or application, as well). I also have access tokens and ID tokens checked in my Azure app.

Am I missing something?

Not sure if it's helpful, but I use 'ResponseType' as Code and am sending only assigned groups back to PSU. My OIDC settings are below. I noticed two differences to what you shared:

  • Your code is missing 'GetUserInfo', though I'm genuinely not sure if that is relevant or not
  • You have a 'Resource' URL defined, where I do not

OIDC code:

"OIDC": {
  "Enabled": "true",
  "CallbackPath": "/auth/signin-oidc",
  "ClientID": "<ClientID>",
  "ClientSecret": "<ClientSecret>",
  "Resource": "",
  "Authority": "https://login.microsoftonline.com/<tenantID>",
  "ResponseType": "code",
  "SaveTokens": "false",
  "CorrelationCookieSameSite": "",
  "UseTokenLifetime": true,
  "Scope": "openid profile groups",
  "GetUserInfo": true
},

My Azure Authentication settings (screenshot not reproduced here):

My Azure token configuration for the groups claims (screenshot not reproduced here; note in the 'Enterprise Applications' section I have custom groups scoped to my PSU app):

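Both posts above end up at the same question: once the login succeeds, did Azure AD actually put a groups claim in the id_token, and if not, why? The script below is an added example for this thread; it is not code from either poster or from PowerShell Universal. It decodes a JWT payload (no signature check, so it is for inspection only; the OIDC middleware must still validate the real token's signature, issuer, audience and expiry before any group is trusted) and classifies the result into the three states Azure AD can produce: a plain `groups` array, a group "overage" (too many groups to fit in the token, signalled by `_claim_names`/`_claim_sources` or `hasgroups`), or no groups claim at all. The helper functions, the client ID and the sample tokens are constructed here for the demonstration; a real id_token would come from the middleware (SaveTokens true) or from a browser network trace.

```powershell
# Added example for this thread (not from the original posts or from PowerShell Universal).
# Decodes an OIDC id_token WITHOUT validating it and reports how Azure AD delivered
# group membership. Helpers, client ID and sample tokens below are constructed.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    # JWT segments are base64url without padding; restore standard base64 first.
    $b64 = $Text.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-GroupClaimStatus {
    param(
        [Parameter(Mandatory)][string]$IdToken,
        [Parameter(Mandatory)][string]$ClientId
    )
    $parts = $IdToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Expected a compact JWT (header.payload.signature)' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json

    # aud of an id_token must be the app registration's client ID. A token minted for
    # another resource (what a "Resource" URL asks for) is not an id_token for this app.
    $audOk = ($claims.aud -eq $ClientId)

    if ($null -ne $claims.PSObject.Properties['groups']) {
        $mode   = 'groups'
        $groups = @($claims.groups)   # Azure AD emits group object IDs by default, not names
        $hint   = 'Groups claim present; map the object IDs to the groups you expect.'
    }
    elseif ($null -ne $claims.PSObject.Properties['_claim_names'] -or $null -ne $claims.PSObject.Properties['hasgroups']) {
        $mode   = 'overage'
        $groups = @()
        $hint   = 'Too many groups to fit in the token (overage); query Microsoft Graph for membership or restrict the claim to groups assigned to the application.'
    }
    else {
        $mode   = 'none'
        $groups = @()
        $hint   = 'No groups claim at all; check the groups claim under Token configuration and that "groups" is in Scope.'
    }

    [pscustomobject]@{
        Subject                 = $claims.sub
        AudienceMatchesClientId = $audOk
        Mode                    = $mode
        Groups                  = $groups
        Hint                    = $hint
    }
}

# --- Constructed sample tokens (placeholder signature, never accept these in production) ---
function New-SampleIdToken {
    param([Parameter(Mandatory)][hashtable]$Claims)
    $header  = ConvertTo-Base64Url (@{ alg = 'RS256'; typ = 'JWT' } | ConvertTo-Json -Compress)
    $payload = ConvertTo-Base64Url ($Claims | ConvertTo-Json -Compress -Depth 5)
    "$header.$payload.placeholder-signature"
}

$clientId   = '00000000-0000-0000-0000-000000000001'   # assumed app registration client ID
$withGroups = New-SampleIdToken @{ aud = $clientId; sub = 'user-a'; groups = @('group-oid-1', 'group-oid-2') }
$overage    = New-SampleIdToken @{ aud = $clientId; sub = 'user-b'; _claim_names = @{ groups = 'src1' } }
$noGroups   = New-SampleIdToken @{ aud = 'https://manage.office.com/'; sub = 'user-c' }   # wrong aud, no groups

foreach ($token in $withGroups, $overage, $noGroups) {
    Get-GroupClaimStatus -IdToken $token -ClientId $clientId | Format-List
}
```

Run it against a real id_token by replacing `$withGroups` with the token string; the `Mode` field tells you whether the fix belongs in the Azure "Token configuration" blade (none), in the "groups assigned to the application" setting or a Graph lookup (overage), or in PSU's role mapping (groups present but not matched). A false `AudienceMatchesClientId` is the signature of a token requested for a Resource URL rather than for the app itself.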