what API permissions do I need for the Azure AD app?
I have reduced it up to the following permissions, seems to work:
Would that be fine?
What I noticed so far:
- on every successful SSO, access_server will log: [OTP_AUTH]: (otp_handle_prepare_authentication_request): Password is NULL
- after logging out and logging in again, identity provider and XG will sometimes re-use the UPN of the previous login. I find that odd, I would expect the Azure AD login page to appear again. This happens sporadically, also. Might be browser or cookie issue, they should be deleted upon logout. I do not have the same issue with other applications set up on Azure AD identity provider.
Apart from that, looks good so far.