Hi
I have created an OpenID identity provider with Azure Active Directory and it
works. What I am failing to do is retrieve any group or role information from
Azure, so I can assign corresponding roles in Keycloak.
In their documentation,
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-token-and-claims
I see that if response_type is specified as "id_token", the additional claims
"roles" and "groups" should be returned.
But Keycloak's redirect to authorization URL in Azure contains parameter
response_type=code and there is no way to overwrite it.
Azure AD's OpenID configuration
https://login.microsoftonline.com/e061e904-dda8-491c-9f2f-d1e3051a5191/.well-known/openid-configuration
returns
"response_types_supported":["code","id_token","code id_token","token id_token","token"]
but "claims_supported" doesn't mention the "groups" or "roles" claims.
So the question is: is it possible to change response_type to include id_token,
so that the groups or roles claims are retrieved and can be used in a mapper to
assign corresponding roles in Keycloak? If not, what is the suggested approach:
store the token and retrieve them separately?
Thanks
Andrius Karpavicius
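As an added illustration (not code from the original post, Keycloak or Azure AD) of what a mapper has to do once an id_token does carry "roles" and "groups" claims: verify the token before trusting it, then translate the claim values into Keycloak role names, reporting when a claim is simply absent. The key, issuer, audience, role names and group object IDs below are constructed placeholders; Azure AD signs with RS256 against its published JWKS, and HS256 is used here only so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed mapping from Azure AD claim values to Keycloak realm roles.
# The app-role names and group object ID are placeholders, not real tenant data.
ROLE_MAP = {
    "roles": {"KeycloakAdmin": "admin", "KeycloakUser": "user"},
    "groups": {"00000000-0000-0000-0000-00000000aaaa": "auditor"},
}

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(payload, key):
    # Signs a constructed id_token with HS256 so the example is self-contained.
    # Real Azure AD tokens are RS256; this helper only stands in for the IdP.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_and_decode(token, key, issuer, audience, now=None):
    # Never map roles from an unverified token: signature, iss, aud and exp first.
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("issuer/audience mismatch")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims

def keycloak_roles(claims):
    # Translate 'roles' and 'groups' claims into Keycloak role names and report
    # which claims were absent, so a missing claim is visible rather than silent.
    roles, missing = set(), []
    for claim, mapping in ROLE_MAP.items():
        values = claims.get(claim)
        if values is None:
            missing.append(claim)
            continue
        roles.update(mapping[v] for v in values if v in mapping)
    return roles, missing
```

Claim values with no entry in ROLE_MAP are ignored rather than turned into roles, so an unexpected group never grants access by accident.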