FWIW I ended up using mostly TF (and found some issues in the provider); plus writing some CLI in Python using the REST library.
Posts made by simon.roberts
-
RE: CLI for managing config?
-
"A unique identifier was not provided for the user" when new user from AAD
Can use the AAD config per instructions at https://fusionauth.io/docs/v1/tech/identity-providers/openid-connect/azure-ad
However, when create_registration is turned on, I can't create a new FA user. I get the error "A unique identifier was not provided for the user. This account cannot be used to login, unable to complete this login request."
From the event log:
2/23/2023 07:48:05 AM Z Build a new user object from the returned Userinfo response:
{
  "sub" : "3XXJmjO2q9DQCmGWV8-dyv_EzpOT-m_IAc3NX5nuYXA",
  "name" : "Simon Roberts",
  "family_name" : "Roberts",
  "given_name" : "Simon",
  "picture" : "https://graph.microsoft.com/v1.0/me/photo/$value",
  "email" : "simon.roberts@mycompany.com"
}
2/23/2023 07:48:05 AM Z Linking strategy [LinkByEmail]
2/23/2023 07:48:05 AM Z Resolved email to [smycompany.com]
2/23/2023 07:48:05 AM Z Resolved username to [null]
2/23/2023 07:48:05 AM Z Resolved unique Id to [null]
2/23/2023 07:48:05 AM Z A unique Id was not provided b
How do I get the unique ID? If I open the bearer token in jwt.io I can see my AAD OID in there:
"name": "Simon Roberts", "oid": "fa87b189-7080-4050-aa1b-e77e113e6799",
My scope is "openid".
What am I missing?
-
How to manage hundreds of roles?
Hi. We have a client who currently has >1000 roles, and >1000 groups in their existing system (don't ask). Any thoughts on how to manage these? Is there any existing programmatic/declarative way to manage this from an external source?