We were using AWS Cognito and had to make a "pre-token-generation lambda" to filter out only the AD groups we cared about. We had a huge map of AD group IDs to our internal group names (multi-tenant application, so each client had different AD group IDs), so we filtered out the AD groups and added a new custom claim with our internal names.
Fun that one time where we gave admin access to some people that shouldn't have it.
Before we added that map some of our users' tokens were exceeding the limits for AWS CloudFront cache keys.
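What a pre-token-generation trigger of that shape looks like, as an added example written for this page and not the commenter's own code. It assumes the IdP's group IDs arrive in a SAML-mapped attribute named `custom:ad_groups` (JSON array or comma-separated string), that the user's tenant is in `custom:tenant`, that the app reads a claim named `internal_groups`, and that the Cognito V1 trigger event/response shape (`request.userAttributes`, `response.claimsOverrideDetails`) is in use. The group IDs in the map are made up. It goes one step beyond the comment by scoping the lookup per tenant, so a group ID that means "admin" for one client cannot grant anything if it shows up on a user from another client:

```python
import json

# Constructed mapping for the example: per tenant, IdP group object IDs -> internal role names.
# In a real deployment this lives in config or a table; every ID below is invented.
GROUP_MAP = {
    "acme": {
        "3f0b6c7a-1111-4c4e-9b1a-000000000001": "acme:admin",
        "3f0b6c7a-1111-4c4e-9b1a-000000000002": "acme:analyst",
    },
    "globex": {
        "8a9d2e5f-2222-4f4a-8c3b-000000000001": "globex:admin",
    },
}

RAW_GROUPS_ATTR = "custom:ad_groups"   # assumed SAML-mapped attribute carrying the IdP group IDs
TENANT_ATTR = "custom:tenant"          # assumed attribute identifying the user's tenant
INTERNAL_CLAIM = "internal_groups"     # assumed name of the claim the application reads


def parse_raw_groups(raw):
    """Accept the IdP group list either as a JSON array string or as a comma-separated string."""
    if not raw:
        return []
    raw = raw.strip()
    if raw.startswith("["):
        try:
            parsed = json.loads(raw)
        except ValueError:
            return []
        return [str(g).strip() for g in parsed if str(g).strip()]
    return [g.strip() for g in raw.split(",") if g.strip()]


def map_groups(tenant, raw_groups):
    """Translate IdP group IDs into internal role names, looking only in the caller's tenant map.

    Unknown tenants and unknown group IDs map to nothing; a group ID that is valid in
    another tenant's map is ignored here rather than granting that tenant's role.
    """
    tenant_map = GROUP_MAP.get(tenant, {})
    # Sorted and de-duplicated so the claim is identical across logins for the same user,
    # which keeps any cache key built from the token stable.
    return sorted({tenant_map[g] for g in raw_groups if g in tenant_map})


def lambda_handler(event, context=None):
    """Cognito pre-token-generation (V1) handler: replace the raw group claim with mapped roles."""
    attrs = event.get("request", {}).get("userAttributes", {})
    tenant = attrs.get(TENANT_ATTR, "")
    internal = map_groups(tenant, parse_raw_groups(attrs.get(RAW_GROUPS_ATTR, "")))

    event.setdefault("response", {})
    event["response"]["claimsOverrideDetails"] = {
        # V1 claim values must be strings, so the role list is joined.
        "claimsToAddOrOverride": {INTERNAL_CLAIM: ",".join(internal)},
        # Drop the raw IdP group list so it no longer bloats the issued token.
        "claimsToSuppress": [RAW_GROUPS_ATTR],
    }
    return event


if __name__ == "__main__":
    # Constructed sample event: an acme user carrying both acme group IDs plus a stray globex one.
    sample = {
        "request": {
            "userAttributes": {
                TENANT_ATTR: "acme",
                RAW_GROUPS_ATTR: "3f0b6c7a-1111-4c4e-9b1a-000000000001,"
                                 "3f0b6c7a-1111-4c4e-9b1a-000000000002,"
                                 "8a9d2e5f-2222-4f4a-8c3b-000000000001",
            }
        },
        "response": {},
    }
    print(json.dumps(lambda_handler(sample)["response"], indent=2))
```

The tenant-scoped map is the part worth copying: a flat map keyed only by group ID is correct right up until two clients' directories overlap (a shared IdP, a migrated tenant, a copied test group), at which point the wrong client's "admin" entry answers the lookup.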