Group Membership Claims Included in Tokens
Currently, we are not overriding the default options for the group membership claims included in the AAD tokens for the application registration created by Terraform. This means that the Terraform default, which includes SecurityGroups in the token, is enabled. This causes an issue for some users because their decoded tokens become very large if they are members of many groups. When this happens, these users get back 400 errors from every service they call. We do not know the exact root cause of this, but it is likely an issue with Istio validating the token. We have been able to fix this issue for customers by following the steps here manually. We should investigate a way to fix this issue by excluding the groups from tokens by default.
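To confirm whether a failing user's token matches this pattern, the sketch below decodes a token without verifying it and reports how many groups it carries and how large the resulting Authorization header is. It is an added example, not code from this issue or the project; the function names, the 8192-byte budget and the sample tokens are assumptions constructed for illustration.

```python
import base64
import json
import uuid

# Assumed budget: set this to the header size limit of your own proxy or gateway.
HEADER_BUDGET_BYTES = 8192


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_payload(token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated parts")
    body = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(body))


def groups_report(token: str, budget: int = HEADER_BUDGET_BYTES) -> dict:
    """Summarise how much of the Authorization header the groups claim costs."""
    claims = decode_payload(token)
    rest = {k: v for k, v in claims.items() if k != "groups"}
    header_bytes = len("Authorization: Bearer " + token)
    encoded = lambda c: len(_b64url(json.dumps(c).encode()))
    return {
        "group_count": len(claims.get("groups", [])),
        "header_bytes": header_bytes,
        "groups_bytes": encoded(claims) - encoded(rest),  # approximate cost
        # AAD sends an overage pointer instead of inline groups past its limit.
        "overage": "groups" in claims.get("_claim_names", {})
        or bool(claims.get("hasgroups")),
        "over_budget": header_bytes > budget,
    }


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned token for testing; the signature is filler bytes."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()),
                     _b64url(b"\x00" * 256)])


def sample_claims(n_groups: int) -> dict:
    """Constructed claims with n_groups placeholder group object IDs."""
    return {"sub": "constructed-user", "aud": "constructed-app",
            "groups": [str(uuid.UUID(int=i)) for i in range(n_groups)]}
```

Run `groups_report` on a token captured from an affected user before and after changing the group claims setting to compare header sizes.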