diff --git a/config/authorization/config.lisp b/config/authorization/config.lisp
index 2047c3a..252f7cc 100644
--- a/config/authorization/config.lisp
+++ b/config/authorization/config.lisp
@@ -125,7 +125,8 @@
       PREFIX mu: <http://mu.semte.ch/vocabularies/core/>
       SELECT ?account WHERE {
           <SESSION_ID> session:account ?account .
-          ?user foaf:account ?account ; foaf:member <http://data.rollvolet.be/user-groups/admin> .
+          ?user foaf:account ?account .
+          <http://data.rollvolet.be/user-groups/admin> foaf:member ?user .
       } LIMIT 1")
 
 (grant (read)
diff --git a/config/migrations/20241031103000-switch-relationship-user-groups.sparql b/config/migrations/20241031103000-switch-relationship-user-groups.sparql
new file mode 100644
index 0000000..08ebda5
--- /dev/null
+++ b/config/migrations/20241031103000-switch-relationship-user-groups.sparql
@@ -0,0 +1,17 @@
+PREFIX foaf: <http://xmlns.com/foaf/0.1/>
+DELETE {
+  GRAPH ?g {
+    ?person foaf:member ?userGroup .
+  }
+} 
+INSERT {
+  GRAPH ?g {
+    ?userGroup foaf:member ?person .
+  }
+} 
+WHERE {
+  GRAPH ?g {
+    ?userGroup a foaf:Group .
+    ?person foaf:member ?userGroup .
+  }
+}
\ No newline at end of file
diff --git a/config/resources/users.json b/config/resources/users.json
index 8dc1cb7..dce8988 100644
--- a/config/resources/users.json
+++ b/config/resources/users.json
@@ -30,7 +30,8 @@
         "user-groups": {
           "predicate": "foaf:member",
           "target": "user-group",
-          "cardinality": "many"
+          "cardinality": "many",
+          "inverse": true
         },
         "employee": {
           "predicate": "prov:alternateOf",
@@ -89,8 +90,7 @@
         "users": {
           "predicate": "foaf:member",
           "target": "user",
-          "cardinality": "many",
-          "inverse": true
+          "cardinality": "many"
         }
       },
       "features": [
diff --git a/docker-compose.yml b/docker-compose.yml
index ef814e9..88b63aa 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -96,7 +96,7 @@ services:
     labels:
       - "logging=true"
   msal-login:
-    image: rollvolet/msal-login-service:2.0.0
+    image: rollvolet/msal-login-service:3.0.0
     environment:
       AUTH_SCOPES: "User.Read Calendars.ReadWrite.Shared Files.ReadWrite.All"
       AUTH_REFRESH_TOKENS: "true"