First of all, we were able to figure out a working solution.
The Elasticsearch logs weren't really helpful, or maybe we looked in the wrong place.
We checked the Kibana logs for the logins, and while we got that missing-permission notice, no login was logged in the Kibana log.
The problem was solved, though, when we changed two things:
- We changed the group claim in the Azure App from sAMAccountName to Group ID.
- We changed the Role Mapping to use the corresponding Group Object ID.
This solved our problem, and at least from our point of view it is an even better solution than using the plain name, because the Object ID is unique, while a plain name could be reused after deleting and re-adding the group.
We are still not 100% sure why the sAMAccountName didn't work, though, but as we have a working solution now, we are fine with it.
Just wanted to clarify this in case anyone finds this topic.
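The two changes above (Azure group claim emitting the group's object ID, role mapping keyed on that same ID) work because an Elasticsearch role mapping's `field` rule on `groups` is a plain value match against whatever the realm put into the user's `groups` field (for the OIDC realm, the claim named by its `claims.groups` setting). The block below is an added illustration, not code from this thread or from Elastic: it builds the role-mapping body you would send to `PUT /_security/role_mapping/<name>` and evaluates it with a simplified re-implementation of the rule DSL (`field`, `any`, `all`, `except`, with `*` wildcards for strings). The realm name, the group object ID and the user record are made up; the point is that a mapping keyed on the object ID matches a token carrying object IDs, while one keyed on the group's name does not.

```python
"""Evaluate Elasticsearch role-mapping rules against the user data an OIDC
realm exposes after an Azure AD login.  Added example, not code from the
original thread.  `evaluate` is a simplified re-implementation of the
role-mapping rule DSL (field / any / all / except; strings and '*'
wildcards only).  REALM_NAME, the group object ID and the user are made up."""
from fnmatch import fnmatchcase

# Constructed values (assumptions); a real deployment has its own.
REALM_NAME = "oidc-azure"
ADMINS_GROUP_OBJECT_ID = "3f2504e0-4f89-41d3-9a0c-0305e82c3301"  # fictitious GUID
ADMINS_GROUP_DISPLAY_NAME = "es-admins"


def role_mapping(name, roles, realm, group_value):
    """Body for PUT /_security/role_mapping/<name>: grant `roles` to users of
    `realm` whose `groups` field contains `group_value`.  With Azure's group
    claim set to 'Group ID', that field holds object IDs, so `group_value`
    must be the object ID, not the group's name."""
    return {
        "roles": roles,
        "enabled": True,
        "rules": {"all": [
            {"field": {"realm.name": realm}},
            {"field": {"groups": group_value}},
        ]},
        "metadata": {"_name": name},
    }


def _user_value(user, dotted):
    """Resolve a dotted field name such as 'realm.name' against the user dict."""
    cur = user
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _field_matches(user, field, expected):
    """True if any expected value equals (or wildcard-matches) any actual value."""
    actual = _user_value(user, field)
    actual = actual if isinstance(actual, list) else [actual]
    expected = expected if isinstance(expected, list) else [expected]
    for want in expected:
        for have in actual:
            if isinstance(want, str) and isinstance(have, str):
                if fnmatchcase(have, want):
                    return True
            elif want == have:
                return True
    return False


def evaluate(rule, user):
    """Return True if `rule` (the 'rules' object of a mapping) matches `user`."""
    if "field" in rule:
        (field, expected), = rule["field"].items()
        return _field_matches(user, field, expected)
    if "any" in rule:
        return any(evaluate(r, user) for r in rule["any"])
    if "all" in rule:
        return all(evaluate(r, user) for r in rule["all"])
    if "except" in rule:
        return not evaluate(rule["except"], user)
    raise ValueError(f"unknown rule: {rule}")


def roles_for(user, mappings):
    """Union of roles from every enabled mapping whose rules match the user."""
    granted = set()
    for m in mappings:
        if m["enabled"] and evaluate(m["rules"], user):
            granted.update(m["roles"])
    return sorted(granted)


# Constructed user record, shaped like what the OIDC realm hands to role
# mapping when the Azure app's group claim emits object IDs.
USER_WITH_OBJECT_IDS = {
    "username": "alice@example.com",
    "realm": {"name": REALM_NAME, "type": "oidc"},
    "groups": [ADMINS_GROUP_OBJECT_ID, "9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d"],
}

MAPPING_BY_OBJECT_ID = role_mapping("azure-admins", ["superuser"], REALM_NAME, ADMINS_GROUP_OBJECT_ID)
MAPPING_BY_NAME = role_mapping("azure-admins", ["superuser"], REALM_NAME, ADMINS_GROUP_DISPLAY_NAME)

if __name__ == "__main__":
    import json
    print(json.dumps(MAPPING_BY_OBJECT_ID, indent=2))
    print("keyed on object id:", roles_for(USER_WITH_OBJECT_IDS, [MAPPING_BY_OBJECT_ID]))
    print("keyed on group name:", roles_for(USER_WITH_OBJECT_IDS, [MAPPING_BY_NAME]))
```

To confirm what the real realm actually puts into `groups`, authenticate once and call `GET /_security/_authenticate`; the `groups`/`metadata` it returns are exactly the values the mapping's `field` rules are compared against, which is the quickest way to see whether a token carries names or object IDs.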