[AzureAD] Add an implementation for Authenticator.authenticator_managed_groups=true

oauthenticator/azuread.py

@@ -32,12 +32,20 @@ class AzureAdOAuthenticator(OAuthenticator):
     def _tenant_id_default(self):
         return os.environ.get('AAD_TENANT_ID', '')
 
-    username_claim = Unicode(config=True)
+    username_claim = Unicode(config=True, help="Name of claim containing username")
 
     @default('username_claim')
     def _username_claim_default(self):
         return 'name'
 
+    user_groups_claim = Unicode(
+        config=True, help="Name of claim containing user group memberships"
+    )
+
+    @default('user_groups_claim')
+    def _user_groups_claim_default(self):
+        return 'groups'
+
     @default("authorize_url")
     def _authorize_url_default(self):
         return 'https://login.microsoftonline.com/{0}/oauth2/authorize'.format(
@@ -96,6 +104,10 @@ async def authenticate(self, handler, data=None):
 
         return userdict
 
+    def load_user_groups(self, auth_state):
+        auth_user_state = auth_state["auth_state"]["user"]
+        return auth_user_state[self.user_groups_claim]
+
 
 class LocalAzureAdOAuthenticator(LocalAuthenticator, AzureAdOAuthenticator):
     """A version that mixes in local system user creation"""