It's a known issue that RBAC is not working with Kiali and AKS, even if AzureAD integration is turned on. It's mentioned in a note at the end of the "Requirements" section on Kiali's OpenID docs: https://kiali.io/documentation/latest/configuration/authentication/openid/#_requirements
As mentioned on this page, the current workaround is to use kube-oidc-proxy (or something similar) to make mappings of AzureAD users/groups with regular Kubernetes ServiceAccounts.
I saw your messages on Slack -- sorry for not replying, I was doing some errands.
If you have some time to try the "access_token" approach, I can prepare a modified Kiali with some hard-coded changes and see if authentication succeeds on Azure with RBAC turned on.
We may need several trials to find how to do the right communication with AzureAD/AKS... or... you know... also iterate because of coding bugs.
If we can confirm that the "access_token" works, I will do the permanent changes that can be made available in the next Kiali release. I will need you to try the permanent changes.
Does this work for you? If so, I'll do the changes and let you know when you can try.