OAuth Claims / Access Scopes

I am attempting to configure OAuth claims to match groups in Azure AD configuration.
I’m using the socialiteproviders/microsoft provider.
We can log in successfully using OAuth, with the default_role global-read.

Next, we should match claims to scopes in order to allow some users belonging to a specific group to be administrators.

I’m having a hard time understanding the limited documentation for this.

If anyone has a useful example to share with me, it would be greatly appreciated.

This is my current socialite configuration:

    "redirect": false,
    "register": true,
    "default_role": "global-read",
    "claims": {
        "9b7d0624-xxxx-xxxx-xxxx-63f9d3260xxx": {
            "roles": [
    "configs": {
        "microsoft": {
            "client_id": "redacted",
            "client_secret": "redacted",
            "tenant": "redacted",
            "listener": "\\SocialiteProviders\\Microsoft\\MicrosoftExtendSocialite",
            "redirect": "https://librenms.redacted.com/auth/microsoft/callback"
    "scopes": [

Under claims I’ve set the ID of the group in Azure AD that should get the admin role.
Under scopes I’ve set the groups as in the documentation example. However, I’m not sure what I should put here.
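A way to check offline which roles a given token would map to under a config shaped like the one above. This is an added example, not part of the original post and not LibreNMS code. It assumes that each value of the token's `groups` claim is looked up as a key under `claims`; the function names and the group ID are placeholders.

```python
import base64
import json

# Constructed config mirroring the shape of the post's "claims" block
# (group object ID -> roles); the group ID below is a placeholder.
CONFIG = {
    "default_role": "global-read",
    "claims": {"00000000-0000-0000-0000-00000000aaaa": {"roles": ["admin"]}},
}


def jwt_payload(token):
    """Decode a JWT payload for inspection only (no signature check)."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def roles_for(payload, config, claim="groups"):
    """Return (roles, reason). Assumption: claim values are keys in config["claims"]."""
    default = [config["default_role"]]
    # Azure AD replaces an oversized groups claim with an overage pointer,
    # so no group IDs are present in the token itself.
    if claim in payload.get("_claim_names", {}):
        return default, "overage"
    values = payload.get(claim)
    if values is None:
        return default, "claim-missing"
    if isinstance(values, str):
        values = [values]
    roles = []
    for value in values:
        for role in config["claims"].get(value, {}).get("roles", []):
            if role not in roles:
                roles.append(role)
    # Unmatched groups fall back to the least-privileged default role.
    return (roles, "matched") if roles else (default, "no-match")


def make_token(payload):
    """Build an unsigned, constructed sample token for the demo."""
    parts = [{"typ": "JWT"}, payload]
    enc = [base64.urlsafe_b64encode(json.dumps(p).encode()).rstrip(b"=").decode() for p in parts]
    return ".".join(enc) + "."


if __name__ == "__main__":
    sample = make_token({"groups": ["00000000-0000-0000-0000-00000000aaaa"]})
    print(roles_for(jwt_payload(sample), CONFIG))
```

A `claim-missing` or `overage` result points at the token contents rather than at the `claims` mapping.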