Background
The prod app-registration in Microsoft Entra ID only has the API Permission GroupMember.Read.All towards Graph API, so the backend is unable to request an obo-token successfully with the scope "Group.Read.All" in prod.
Solution
The solution is to set the scope to GroupMember.Read.All as this is the narrowest scope we need to access group information of the logged-in user. I also added this scope on your local Entra ID tenant, so it should not break the local development experience.
Resolves #issue-this-pr-resolves
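An added example, not code from this PR or repository: a preflight check that compares the scopes the backend asks for in the on-behalf-of (OBO) exchange against the delegated Graph permissions granted to the app registration, then builds the token request fields. The function names, the `PROD_GRANTED` list and all credential values are hypothetical placeholders constructed for illustration.

```python
GRAPH = "https://graph.microsoft.com/"

# Constructed sample: delegated Graph permissions granted to the prod app registration.
PROD_GRANTED = ["GroupMember.Read.All"]


def missing_scopes(requested, granted):
    """Return the requested scopes that the app registration has not been granted."""
    def short(scope):
        # Accept both "GroupMember.Read.All" and the full resource URI form.
        return scope.removeprefix(GRAPH)

    granted_names = {short(g) for g in granted}
    return [s for s in requested if short(s) not in granted_names]


def build_obo_request(tenant_id, client_id, client_secret, user_assertion,
                      scopes, granted):
    """Build the token endpoint URL and form fields for an OBO exchange.

    Fails early, before any network call, when a requested scope is not among
    the granted permissions, which is the mismatch described in the PR text.
    """
    missing = missing_scopes(scopes, granted)
    if missing:
        raise ValueError(f"scopes not granted to this app registration: {missing}")

    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    fields = {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "requested_token_use": "on_behalf_of",
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": user_assertion,  # the access token the backend received
        "scope": " ".join(GRAPH + s.removeprefix(GRAPH) for s in scopes),
    }
    return url, fields


if __name__ == "__main__":
    # Old configuration: the broader scope is not granted in prod.
    print(missing_scopes(["Group.Read.All"], PROD_GRANTED))
    # New configuration: the narrow scope matches the granted permission.
    url, fields = build_obo_request("TENANT_ID_PLACEHOLDER", "CLIENT_ID_PLACEHOLDER",
                                    "SECRET_PLACEHOLDER", "USER_TOKEN_PLACEHOLDER",
                                    ["GroupMember.Read.All"], PROD_GRANTED)
    print(url, fields["scope"])
```

The returned `fields` dictionary is meant to be sent as a form-encoded POST body to the returned URL.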