Getting groups for Google Enterprise connection - which scopes do I add?

I’m trying to get information about group memberships when users log in using a Google G Suite Enterprise connection. I’ve checked “Extended Attributes > Groups” in the connection settings, but I don’t see any group-related claims in the ID token.

I found this thread, where the solution was:

the Google Admin scopes have to be added on the consent screen stage

But it doesn’t say which scopes to add. I have the Google Admin SDK enabled, but when I visit the only scopes listed for that SDK are:

Neither of those seem relevant, or appear to work if I enable them.

There are more relevant-sounding scopes listed at, and I’ve tried a few (e.g. by pasting them into the Add Scope dialog, but that didn’t seem to work either.

Which scope do I need to add in order to get this to work?

NB: My Google API has the application type “Internal”, so this isn’t a question of the consent screen requiring verification before it goes live.