Closed
Description
Feature Request
What challenge are you facing?
I'm configuring Concourse using the generic OAuth provider and Azure AD as the OAuth2 backend. In this scenario, there is no way to fine-grain the access; all authenticated users have access to all the Concourse teams configured with Azure OAuth2.
Concourse code proves this:
```go
goGroup, err := group.AddGroup("Generic OAuth Authentication (allows access to ALL authenticated users)", "", flags)
```
A Modest Proposal
I guess the proposal is to actually implement an Azure auth provider.
There are several ways that this could be tackled:
- expecting the token to contain the security group information for the user and using that to allow access to particular teams
- using roles -> these can be defined in the Azure service registration and users/teams can be associated with particular roles for a specific app. This information is present in the token.
If you believe this would be a useful addition, I'm willing to help either by implementing this provider or by providing further information. Please let me know.
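The two options listed in the issue (group claims and app roles), shown as an added example that is not part of the issue or of Concourse's code: a deny-by-default team check over Azure AD token claims, including the case where Azure AD omits the group list and sets `_claim_names` instead (groups overage). `teamPolicy`, `parseClaims`, `allowed`, `anyIn` and all sample values are hypothetical; the token is assumed to have been verified already.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// claims holds the Azure AD token claims used for team authorization.
type claims struct {
	Groups     []string          `json:"groups"`
	Roles      []string          `json:"roles"`
	ClaimNames map[string]string `json:"_claim_names"` // present on groups overage
}

// teamPolicy is a hypothetical per-team allow list, not a Concourse type.
type teamPolicy struct{ Groups, Roles map[string]bool }
var errOverage = errors.New("groups overage: group list not in token")

// parseClaims decodes a token payload. ASSUMPTION: the OAuth2/OIDC layer has
// already verified signature, issuer and audience; nothing is verified here.
func parseClaims(payload []byte) (c claims, err error) {
	err = json.Unmarshal(payload, &c)
	return c, err
}

// allowed denies by default and reports groups overage as an error.
func allowed(c claims, p teamPolicy) (bool, error) {
	if anyIn(c.Roles, p.Roles) || anyIn(c.Groups, p.Groups) {
		return true, nil
	}
	if _, overage := c.ClaimNames["groups"]; overage && len(p.Groups) > 0 {
		return false, errOverage
	}
	return false, nil
}

func anyIn(have []string, want map[string]bool) bool {
	for _, h := range have {
		if want[h] {
			return true
		}
	}
	return false
}

func main() { // constructed sample payload and policy
	c, _ := parseClaims([]byte(`{"roles":["ci-operator"]}`))
	fmt.Println(allowed(c, teamPolicy{Roles: map[string]bool{"ci-operator": true}}))
}
```

Returning `errOverage` instead of a plain denial lets the caller distinguish "not a member" from "membership unknown", so it can resolve groups out of band rather than guess.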