Azure AD SSO WebAdmin / API permissions


what API permissions do I need for the Azure AD app?

I have reduced it up to the following permissions, seems to work:

Would that be fine?

What I noticed so far:

- on every successful SSO, access_server will log: [OTP_AUTH]: (otp_handle_prepare_authentication_request): Password is NULL

- after logging out and logging in again, identity provider and XG will sometimes re-use the UPN of the previous login. I find that odd, I would expect the Azure AD login page to appear again. This happens sporadically, also. Might be browser or cookie issue, they should be deleted upon logout. I do not have the same issue with other applications set up on Azure AD identity provider.

Apart from that, looks good so far.

Kind regards,