Auth: Add documentation on group overage claims in AzureAD (#55389)

* Auth: Add documentation on group overage claims in AzureAD

* add info on versioning

docs/sources/setup-grafana/configure-security/configure-authentication/azuread.md

@@ -202,3 +202,26 @@ the correct teams.
 You can reference Azure AD groups by group object ID, like `8bab1c86-8fba-33e5-2089-1d1c80ec267d`.
 
 To learn more, refer to the [Team Sync]({{< relref "../configure-team-sync/" >}}) documentation.
+
+## Common troubleshooting
+
+Here are some common issues and particulars you can run into when
+configuring Azure AD authentication in Grafana.
+
+### Users with over 200 Group assignments
+
+> Supported in Grafana v8.5 and later versions.
+
+To ensure that the token size doesn't exceed HTTP header size limits,
+Azure AD limits the number of object IDs that it includes in the groups claim.
+If a user is member of more groups than the
+overage limit (200), then
+Azure AD does not emit the groups claim in the token and emits a group overage claim instead.
+
+> More information in [Groups overage claim](https://learn.microsoft.com/en-us/azure/active-directory/develop/id-tokens#groups-overage-claim)
+
+If Grafana receives a token with a group overage claim instead of a groups claim,
+Grafana attempts to retrieve the user's group membership by calling the included endpoint.
+
+> Note: The token must include the `GroupMember.Read.All` permission for group overage claim calls to succeed.
+> Admin consent may be required for this permission.