Reference: [Azure Active Directory v2.0 and the OpenID Connect protocol](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc)
1. Register or select an AAD application. Visit Overview page.
- Finally Azure AD group can be referenced by using the groups `objectId` as the [group alias name](/api/secret/identity/group-alias) for the external group.
Provider specific configuration is available when using Google as an identity provider from the
Vault JWT/OIDC auth method. The configuration allows Vault to obtain G Suite group membership and
user information during the JWT/OIDC authentication flow. The group membership obtained from G Suite
may be used for Identity group alias association. The user information obtained from G Suite can be
used to copy claims data into resulting auth token and alias metadata via [claim_mappings](/api/auth/jwt#claim_mappings).
#### Setup
To set up the Google-specific handling, you'll need:
- A G Suite account with the [super admin role](https://support.google.com/a/answer/2405986?hl=en)
for granting domain-wide delegation API client access.
- The ability to create a service account in [Google Cloud Platform](https://console.developers.google.com/iam-admin/serviceaccounts).
The Google-specific handling that's used to fetch G Suite groups and user information in Vault uses
[G Suite Domain-Wide Delegation of Authority](https://developers.google.com/admin-sdk/directory/v1/guides/delegation)
for authentication and authorization. You need to follow **all steps** in the [guide](https://developers.google.com/admin-sdk/directory/v1/guides/delegation)
to obtain the key file for a Google service account capable of making requests to the G Suite
[User Accounts](https://developers.google.com/admin-sdk/directory/v1/guides/manage-users) and
[Delegate domain-wide authority to your service account](https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account),
~> This is an **important security step** in order to give the service account the least set of privileges
that enable the feature.
#### Configuration
- `provider` `(string: <required>)` - Name of the provider. Must be set to "gsuite".
- `gsuite_service_account` `(string: <required>)` - Path to the Google service account key file obtained from setup.
- `gsuite_admin_impersonate` `(string: <required>)` - Email address of a G Suite admin to impersonate.
- `fetch_groups` `(bool: false)` - If set to true, groups will be fetched from G Suite.
- `fetch_user_info` `(bool: false)` - If set to true, user info will be fetched from G Suite using the configured [user_custom_schemas](#user_custom_schemas).
- `groups_recurse_max_depth` `(int: <optional>)` - Group membership recursion max depth. Defaults to 0, which means don't recurse.
- `user_custom_schemas` `(string: <optional>)` - Comma-separated list of G Suite [custom schemas](https://developers.google.com/admin-sdk/directory/v1/guides/manage-schemas).
Values set for G Suite users using custom schema fields will be fetched and made available as claims that can be used with [claim_mappings](/api/auth/jwt#claim_mappings). Required if [fetch_user_info](#fetch_user_info) is set to true.
Note your policy will need `oidc_scopes` to include `profile` to get a full profile ("[Fat Token](https://support.okta.com/help/s/article/Okta-Groups-or-Attribute-Missing-from-Id-Token)"). You will also need to configure bound audience along the lines of `"bound_audiences": ["api://default", "0a4........."]` if you are using the default authorization server.
