diff --git a/main.go b/main.go
index ad9170a..540eda5 100644
--- a/main.go
+++ b/main.go
@@ -26,6 +26,7 @@ func main() {
 	jwtIssuers := StringArray{}
 	googleGroups := StringArray{}
 	permittedGroups := StringArray{}
+	permittedUsers := StringArray{}
 	redisSentinelConnectionURLs := StringArray{}
 
 	config := flagSet.String("config", "", "path to config file")
@@ -43,6 +44,7 @@ func main() {
 	flagSet.Bool("pass-groups", false, "pass user group information in the X-Forwarded-Groups header to upstream (Azure only)")
 	flagSet.String("filter-groups", "", "exclude groups that do not contain this value in its 'displayName' (Azure only)")
 	flagSet.Var(&permittedGroups, "permit-groups", "restrict logins to members of this group (may be given multiple times; Azure).")
+	flagSet.Var(&permittedUsers, "permit-users", "let users in unconditionally")
 	flagSet.String("groups-delimiter", "|", "delimiter between group names if more than one found. By default it is '|' symbol")
 	flagSet.String("basic-auth-password", "", "the password to set when passing the HTTP Basic Auth header")
 	flagSet.Bool("pass-access-token", false, "pass OAuth access_token to upstream via X-Forwarded-Access-Token header")
diff --git a/options.go b/options.go
index ab7eeea..d8ddebc 100644
--- a/options.go
+++ b/options.go
@@ -168,6 +168,7 @@ func NewOptions() *Options {
 		FilterGroups: "",
 		GroupsDelimiter: "|",
 		PermitGroups: []string{},
+		PermitUsers: []string{},
 		PassAccessToken: false,
 		PassHostHeader: true,
 		SetAuthorization: false,
diff --git a/providers/azure.go b/providers/azure.go
index cc9c455..2816ab8 100644
--- a/providers/azure.go
+++ b/providers/azure.go
@@ -1,6 +1,7 @@
 package providers
 
 import (
+	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
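Review bot: The help text `"let users in unconditionally"` on the new `permit-users` flag in the second main.go hunk does not say what a value is matched against, whether the flag may be repeated, or that it lets a listed user through even when the `permit-groups` restriction would otherwise reject them, and that last property is the one an operator must understand before enabling an allowlist that skips the group check. The neighbouring `permit-groups` entry gives the house style; something like `flagSet.Var(&permittedUsers, "permit-users", "allow these users to log in regardless of permit-groups membership (may be given multiple times)")`, naming the matched identity attribute once it is confirmed from the provider code, would close the gap. Separately, the `permittedUsers` array declared in the first hunk is not visibly copied into the Options value anywhere in this diff — the options.go hunk only sets the `PermitUsers` default — so presumably that wiring lives outside these hunks and is worth confirming. Both main.go hunks sit inside func main, whose body extends beyond them.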
@@ -157,17 +158,21 @@ func (p *AzureProvider) GetGroups(s *sessions.SessionState, f string) (map[strin
 	if s.IDToken == "" {
 		return map[string]string{}, nil
 	}
+	parts := strings.Split(s.IDToken, ".")
+	if len(parts) != 3 {
+		return map[string]string{}, nil
+	}
+	rawJSON, err := jwt.DecodeSegment(parts[1])
+	if err != nil {
+		return map[string]string{}, err
+	}
 	type GroupClaims struct {
 		Groups []string `json:"groups"`
-		jwt.StandardClaims
 	}
-	claims := &GroupClaims{}
-	jwt.ParseWithClaims(s.IDToken, claims, func(token *jwt.Token) (interface{}, error) {
-		return []byte("empty"), nil
-	})
+	json.Unmarshal(rawJSON, &claims)
 	groupsMap := make(map[string]string)
 	for _, s := range claims.Groups {
 		groupsMap[s] = s