You'll probably need to refine what is and isn't working, and where. Going through Users & Authentication on the main Rancher page will set up some options. Then there's the further refinement in RBAC for each cluster. And, under the Cluster heading, there are the Cluster and Project Members to be played with, to give specific groups specific access to specific projects (which is another reason for setting up projects even if they only include one namespace).