403 when trying to get resource group when provisioning new AKS cluster

It’s all in the subject.

Brand new installation of Rancher 2.x.

Authentication to AKS works correctly, and I have pre-created a resource group for the target cluster.

When I attempt to complete the provisioning, I get the following:

-Thom

The service principal currently has the following permissions:

Directory.Read.All
Group.Read.All
User.Read
User.Read.All
User.ReadBasic.All

Which permissions need to be added in order for Rancher to be able to provision clusters? Why is this not in the documentation?

-Thom