diff --git a/mycloud-nextcloud/templates/authentik-application.yaml b/mycloud-nextcloud/templates/authentik-application.yaml
index 8388abc..1606619 100644
--- a/mycloud-nextcloud/templates/authentik-application.yaml
+++ b/mycloud-nextcloud/templates/authentik-application.yaml
@@ -41,7 +41,7 @@ spec:
             - name: "OAuth Mapping: Nextcloud Profile"
               scope_name: profile
               expression: |-
-                groups = [group.name for group in user.ak_groups.all()]
+                groups = [group.name for group in user.ak_groups.all() if group.attributes.get("nextcloud_group", False)]
                 if user.is_superuser and "admin" not in groups:
                     groups.append("admin")
 
diff --git a/mycloud-nextcloud/templates/release.yaml b/mycloud-nextcloud/templates/release.yaml
index 02fe5cc..8dbdd08 100644
--- a/mycloud-nextcloud/templates/release.yaml
+++ b/mycloud-nextcloud/templates/release.yaml
@@ -87,6 +87,7 @@ spec:
             enabled: true
             config:
               allow_multiple_user_backends: "0"
+              provider-1-groupProvisioning: "1"
           ##
           # collabora
           ##
@@ -139,6 +140,7 @@ spec:
               --mapping-email=email \
               --mapping-display-name=name \
               --mapping-quota=quota \
+              --mapping-groups=groups \
               --check-bearer=true \
               --unique-uid=0;