diff --git a/argocd/manifests/authentik/configmap-blueprint.yaml b/argocd/manifests/authentik/configmap-blueprint.yaml
index 4a67df7..8be67b2 100644
--- a/argocd/manifests/authentik/configmap-blueprint.yaml
+++ b/argocd/manifests/authentik/configmap-blueprint.yaml
@@ -12,6 +12,7 @@ data:
       labels:
         blueprints.goauthentik.io/description: "Shared groups and identity resources"
     entries:
+      # admins group — gates access to admin-only applications
       - model: authentik_core.group
         id: admins-group
         identifiers:
@@ -19,6 +20,20 @@ data:
         attrs:
           name: admins
 
+      # groups scope mapping — returns user's group names in OIDC tokens
+      - model: authentik_providers_oauth2.scopemapping
+        id: groups-scope
+        identifiers:
+          scope_name: groups
+        attrs:
+          name: "OAuth Mapping: groups"
+          scope_name: groups
+          description: "Map user groups to OIDC groups claim"
+          expression: |
+            return {
+              "groups": [group.name for group in request.user.ak_groups.all()],
+            }
+
   grafana.yaml: |
     version: 1
     metadata:
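Review bot: The `expression` in the new scope mapping returns every entry of `request.user.ak_groups.all()`, so any provider that is granted the `groups` scope receives the user's complete group list, including memberships such as `admins` that may be unrelated to the requesting application. Nothing in the hunk constrains which providers may request this scope, so the disclosure boundary presumably lives in provider configuration outside this file; a comment above the entry would make that explicit for the next maintainer, e.g. `# NOTE: emits the user's full group list; attach this mapping only to providers whose consumers need it`. The claim also carries mutable display names rather than stable identifiers, so a consumer that keys authorization on these strings silently loses or gains access when a group is renamed; consider noting that in the description, e.g. `description: "Map user groups to OIDC groups claim (by exact group name)"`.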