diff --git a/gooddata-server-oauth2-autoconfigure/src/main/kotlin/JitProvisioningAuthenticationSuccessHandler.kt b/gooddata-server-oauth2-autoconfigure/src/main/kotlin/JitProvisioningAuthenticationSuccessHandler.kt
index d4b0c0f..b21a02e 100644
--- a/gooddata-server-oauth2-autoconfigure/src/main/kotlin/JitProvisioningAuthenticationSuccessHandler.kt
+++ b/gooddata-server-oauth2-autoconfigure/src/main/kotlin/JitProvisioningAuthenticationSuccessHandler.kt
@@ -51,8 +51,7 @@ class JitProvisioningAuthenticationSuccessHandler(
         ).flatMap { organization ->
             client.getJitProvisioningSetting(organization.id).flatMap {
                 if (it.enabled) {
-                    val userGroupsClaimName = it.userGroupsClaimName ?: GD_USER_GROUPS
-                    provisionUser(authenticationToken, organization, userGroupsClaimName, it.userGroupsDefaults)
+                    provisionUser(authenticationToken, organization, it)
                 } else {
                     logMessage("JIT provisioning disabled, skipping", "finished", "")
                     Mono.empty()
@@ -64,8 +63,7 @@ class JitProvisioningAuthenticationSuccessHandler(
     private fun provisionUser(
         authenticationToken: OAuth2AuthenticationToken,
         organization: Organization,
-        userGroupsClaimName: String,
-        userGroups: List<String>? = null
+        jitSetting: JitProvisioningSetting,
     ): Mono<User> {
         checkMandatoryClaims(authenticationToken, organization.id)
         logMessage("Initiating JIT provisioning", "started", organization.id)
@@ -73,7 +71,9 @@ class JitProvisioningAuthenticationSuccessHandler(
         val firstnameClaim = authenticationToken.getClaim(GIVEN_NAME)
         val lastnameClaim = authenticationToken.getClaim(FAMILY_NAME)
         val emailClaim = authenticationToken.getClaim(EMAIL)
-        val userGroupsClaim = authenticationToken.getClaimList(userGroupsClaimName) ?: userGroups
+
+        val userGroupsClaimName = jitSetting.userGroupsClaimName ?: GD_USER_GROUPS
+        val userGroupsClaim = authenticationToken.getClaimList(userGroupsClaimName) ?: jitSetting.userGroupsDefaults
 
         return client.getUserByAuthenticationId(organization.id, subClaim)
             .flatMap { user ->
@@ -83,7 +83,7 @@ class JitProvisioningAuthenticationSuccessHandler(
                     user.firstname = firstnameClaim
                     user.lastname = lastnameClaim
                     user.email = emailClaim
-                    if (userGroupsClaim != null) {
+                    if (jitSetting.userGroupsScopeEnabled && userGroupsClaim != null) {
                         user.userGroups = userGroupsClaim
                     }
                     client.patchUser(organization.id, user)