Users are successfully accessing internet sites via Cloud SWG using the proxy forwarding access method.
All corporate users have access to Microsoft Whiteboard and reach it through the Cloud SWG proxy.
A handful of users have problems accessing the Microsoft Whiteboard application: a message about loading board content is displayed indefinitely. These users can create a new whiteboard, but when they try to open it again it appears to be stuck on loading, as shown below.
In the Cloud SWG logs for an affected user, no block or access-denied verdicts are reported for whiteboard.office.com.
The behaviour was tested with SSL interception both disabled and enabled, with no difference.
Cloud SWG.
Microsoft Whiteboard.
The access token presented to Whiteboard did not carry the permissions required for the action.
Added the affected users to the correct groups in the Whiteboard setup.
A HAR file from a working user and one from a non-working user are required to identify the issue.
The main difference between the working and the non-working user is that, when it fails, the user POSTs a bearer token to SharePoint and the back end answers that the token does not have the right permissions for the action:
Request:
POST https://xxxxxxx-my.sharepoint.com/_api/v2.1/drives/#######/opStream/joinSession?ump=1 HTTP/2.0
content-length: 2790
content-type: multipart/form-data;boundary=3de31d0d-9f90-4e99-8831-da8c92b7c522
origin: https://whiteboard.office.com
Host: xxxxxx-my.sharepoint.com
Authorization: Bearer #####

Response:
HTTP/2.0 401 Unauthorized
access-control-allow-origin: *
content-length: 187
content-type: application/json
server: Microsoft-IIS/10.0
{"error":{"code":"unauthenticated","innerError":{"code":"authChallengeRequired"},"message":"Due to organizational policies, you can't access these resources from this network location."}}
The token is a JWT and carries key information about the user, including their roles. Comparing the JWTs from a working and a non-working user identified roles missing from the failing user's token; adding the affected users to the additional Azure groups granted the permissions/roles needed to view all whiteboards. Note that the 401 body also refers to organizational policy and the network location: because traffic is forwarded through Cloud SWG, Microsoft sees the proxy egress IP rather than the user's own address, so if the group change does not clear the error, also confirm that no identity-provider access policy is treating the Cloud SWG egress address as an untrusted location.
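As an added example (not part of the original article), the Python below performs the HAR comparison described above: it reads a working and a non-working HAR capture, pulls the bearer token from each request to the SharePoint host, decodes the JWT payload without verifying the signature (the goal is only to see what the client presented), reports which authorization claims the failing token lacks, and surfaces the 401 error body. The HAR entries, the tenant name, the token claims and the role and group names are constructed for the example; real tokens are signed and the claims present depend on the tenant's configuration.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    # Decode the payload only. The signature is deliberately NOT verified: we are inspecting
    # what the client sent, exactly as one reads the token out of a HAR file.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    return json.loads(b64url_decode(parts[1]))


def bearer_tokens_from_har(har: dict, host_suffix: str = ".sharepoint.com") -> list:
    """Return url/status/claims/body for every request to host_suffix that carries a bearer token."""
    results = []
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        host = req["url"].split("/")[2].lower()
        if not host.endswith(host_suffix):
            continue
        auth = next((h["value"] for h in req["headers"] if h["name"].lower() == "authorization"), "")
        if not auth.lower().startswith("bearer "):
            continue
        claims = decode_jwt_claims(auth.split(None, 1)[1])
        body = resp.get("content", {}).get("text", "")
        results.append({"url": req["url"], "status": resp["status"], "claims": claims, "body": body})
    return results


def _as_list(value) -> list:
    if value is None:
        return []
    if isinstance(value, str):
        return value.split()  # 'scp' is a space-separated string in Entra ID tokens
    return list(value)


def diff_claims(working: dict, failing: dict, keys=("roles", "groups", "wids", "scp")) -> dict:
    """For each authorization-bearing claim, list what the failing token lacks and what it has extra."""
    diff = {}
    for key in keys:
        w, f = set(_as_list(working.get(key))), set(_as_list(failing.get(key)))
        if w != f:
            diff[key] = {"missing_in_failing": sorted(w - f), "extra_in_failing": sorted(f - w)}
    return diff


def compare_hars(working_har: dict, failing_har: dict) -> dict:
    w, f = bearer_tokens_from_har(working_har), bearer_tokens_from_har(failing_har)
    failing_401s = [r for r in f if r["status"] == 401]
    return {
        "failing_401_count": len(failing_401s),
        "first_401_error": json.loads(failing_401s[0]["body"])["error"] if failing_401s else None,
        "claim_diff": diff_claims(w[0]["claims"], f[0]["claims"]) if w and f else {},
    }


# ---- Constructed sample data (hypothetical tenant, users, roles and groups) ----
def make_token(claims: dict) -> str:
    # Unsigned token for the offline sample; a real Entra ID token is RS256-signed
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return header + "." + b64url_encode(json.dumps(claims).encode()) + "."


def make_har(claims: dict, status: int, body: str) -> dict:
    # Minimal HAR 1.2 structure mirroring the joinSession request seen in the capture
    return {"log": {"version": "1.2", "entries": [{
        "request": {"method": "POST",
                    "url": "https://contoso-my.sharepoint.com/_api/v2.1/drives/b!x/opStream/joinSession?ump=1",
                    "headers": [{"name": "origin", "value": "https://whiteboard.office.com"},
                                {"name": "Authorization", "value": "Bearer " + make_token(claims)}]},
        "response": {"status": status, "content": {"mimeType": "application/json", "text": body}}}]}}


WORKING_CLAIMS = {"aud": "https://contoso-my.sharepoint.com", "upn": "alice@contoso.example",
                  "scp": "AllSites.Write MyFiles.Write", "roles": ["Whiteboard.User"],
                  "groups": ["g-whiteboard-users", "g-all-staff"]}
FAILING_CLAIMS = {"aud": "https://contoso-my.sharepoint.com", "upn": "bob@contoso.example",
                  "scp": "MyFiles.Write", "roles": [], "groups": ["g-all-staff"]}
FAILING_BODY = json.dumps({"error": {"code": "unauthenticated", "innerError": {"code": "authChallengeRequired"},
                           "message": "Due to organizational policies, you can't access these resources from this network location."}})

if __name__ == "__main__":
    report = compare_hars(make_har(WORKING_CLAIMS, 200, "{}"), make_har(FAILING_CLAIMS, 401, FAILING_BODY))
    print(json.dumps(report, indent=2))
```

To run it against real captures, load each exported HAR with json.load and pass the two dictionaries to compare_hars. HAR files contain live bearer tokens, so redact the Authorization headers before attaching a capture to a support case.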