I'm waiting on a response on using Active Directory in this way too - Run_as coupled with Active Directory auth.
If it helps, I was able to use the LDAP realm to achieve exactly this, but not the AD realm - ES runs the query as the user I authenticate to Active Directory as, ad_user. E.g.:
curl -H "es-security-runas-user: borisTheBlade" -u ad_user -XGET 'http://localhost:9200/'
The ES logs indicate that the groups retrieved from AD are those in which the ad_user resides, and not the borisTheBlade user.
And the reason why I need to use the AD realm anyway is because of a deeply nested AD group structure, which the LDAP realm does not support, as per the doc, but AD does.