diff --git a/argocd/manifests/authentik/configmap-blueprint.yaml b/argocd/manifests/authentik/configmap-blueprint.yaml index 1a0e72b..8be67b2 100644 --- a/argocd/manifests/authentik/configmap-blueprint.yaml +++ b/argocd/manifests/authentik/configmap-blueprint.yaml @@ -20,6 +20,20 @@ data: attrs: name: admins + # groups scope mapping — returns user's group names in OIDC tokens + - model: authentik_providers_oauth2.scopemapping + id: groups-scope + identifiers: + scope_name: groups + attrs: + name: "OAuth Mapping: groups" + scope_name: groups + description: "Map user groups to OIDC groups claim" + expression: | + return { + "groups": [group.name for group in request.user.ak_groups.all()], + } + grafana.yaml: | version: 1 metadata: @@ -49,6 +63,7 @@ data: - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]] + - !Find [authentik_providers_oauth2.scopemapping, [scope_name, groups]] sub_mode: hashed_user_id include_claims_in_id_token: true @@ -105,6 +120,7 @@ data: - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]] + - !Find [authentik_providers_oauth2.scopemapping, [scope_name, groups]] sub_mode: hashed_user_id include_claims_in_id_token: true
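Review bot: The new `groups` expression releases every group name the user belongs to, with no filtering, to any provider that selects this mapping — the `admins` group visible just above this hunk included — which is broader than the role mapping a consuming app like Grafana needs and is worth narrowing per least privilege. Consider an allowlist of the group names the clients actually map, e.g. `"groups": [g.name for g in request.user.ak_groups.all() if g.name in {"admins"}],` extended with whatever other groups the apps key on. Note also that `ak_groups.all()` appears to be direct membership only; if users are placed in child groups of `admins`, they will presumably not receive the parent name in the claim (authentik's `request.user.all_groups()` would, if nested membership is the intent) — confirm which semantics the downstream role mapping expects, since the two produce different authorization outcomes. The blueprint `entries` list and the preceding mapping entry start before this hunk, so the surrounding structure was not reviewed.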
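Review bot: Attaching the `groups` mapping to this provider only makes the scope available; the claim is issued only when the client actually requests the `groups` scope, and the Grafana-side `scopes` setting is not part of this diff, so a group-based role mapping may silently stay empty until that config is updated. It is also worth checking whether the `profile` mapping referenced two lines up already emits a `groups` key (authentik's stock profile mapping appears to), in which case two mappings now write the same claim and it should be documented which one is authoritative for this provider, e.g. with a comment `# groups claim: sourced from the custom groups scope, not the profile mapping`. The provider entry and its `property_mappings` list begin outside this hunk.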
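Review bot: With `include_claims_in_id_token: true` on the line after the added mapping, the full group list is now embedded in the ID token as well as the userinfo response, so a user in many groups can produce an ID token large enough to hit cookie or header limits in the consuming app — that caveat belongs next to the setting, e.g. `# groups claim is also copied into the ID token; keep group membership small or filter the mapping`. The `!Find [..., [scope_name, groups]]` lookup resolves by `scope_name`, which does not look unique here; if another mapping with `scope_name: groups` is ever created in the UI, the lookup may presumably bind a different expression than the one defined in this file, so referencing the mapping by its blueprint `id` (`groups-scope`) or a `managed` identifier would be more deterministic — confirm against how `!Find` orders matches. This provider entry starts outside the hunk.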