Hello Benjamin Mask,
Thanks for your question.
Based on the information you provided it may be as a result of Kubernetes RBAC roles rather than Azure RBAC.To check this you can run below and confirm it for the affected group:
kubectl get clusterrolebinding
See external doc here: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
Also, you can further confirm the RBAC roles using the documentation here:
https://learn.microsoft.com/en-us/azure/aks/manage-azure-rbac
Please let me know if you have further questions**
You can mark it 'Accept Answer' if this helped.