auth/entra: remove fine-grained permissions

Author: tronghn

docs/auth/entra-id/reference/README.md

@@ -15,121 +15,6 @@ conditional: [tenant, nav]
 
 {% include 'auth/entra-id/partials/user-access.md' %}
 
-### Fine-grained permissions
-
-You may define custom permissions for your application in Entra ID and grant them to other consumer applications.
-Permissions will appear as _claims_ in the consumer's token.
-Your application can then use these claims to implement custom authorization logic.
-
-!!! warning
-
-    Custom permissions only apply in the context of _your own application_.
-    They are _not_ global permissions.
-    
-    All the following conditions must be met for the custom permission to appear:
-    
-    1. The token is acquired by a consumer of your application.
-    2. The consumer has been granted a custom permission in your access policy definition.
-    3. The target _audience_ is your application.
-
-#### Custom scopes
-
-A _scope_ only applies to tokens acquired [on behalf of an employee][obo].
-
-Applications defined in the access policy are always assigned the default scope named `defaultaccess`.
-
-```yaml hl_lines="8-10" title="Example configuration"
-spec:
-  accessPolicy:
-    inbound:
-      rules:
-        - application: app-a
-          namespace: other-namespace
-          cluster: other-cluster
-          permissions:
-            scopes:
-              - "custom-scope"
-```
-
-The above configuration grants the application `app-a` the scope `custom-scope`.
-
-Scopes will appear as a _space separated string_ in the `scp` claim within the user's token.
-
-??? example "Example decoded on-behalf-of token (click to expand)"
-
-    ```json hl_lines="17"
-    {
-      "aud": "8a5...",
-      "iss": "https://login.microsoftonline.com/.../v2.0",
-      "iat": 1624957183,
-      "nbf": 1624957183,
-      "exp": 1624961081,
-      "aio": "AXQ...",
-      "azp": "e37...",
-      "azpacr": "1",
-      "groups": [
-        "2d7..."
-      ],
-      "name": "Navnesen, Navn",
-      "oid": "15c...",
-      "preferred_username": "[email protected]",
-      "rh": "0.AS...",
-      "scp": "custom-scope defaultaccess",
-      "sub": "6OC...",
-      "tid": "623...",
-      "uti": "i03...",
-      "ver": "2.0"
-    }
-    ```
-
-#### Custom roles
-
-A _role_ only applies to tokens acquired [as an application][m2m] (machine-to-machine calls).
-
-Applications defined in the access policy are always assigned the default role named `access_as_application`.
-
-```yaml hl_lines="8-10" title="Example configuration"
-spec:
-  accessPolicy:
-    inbound:
-      rules:
-        - application: app-a
-          namespace: other-namespace
-          cluster: other-cluster
-          permissions:
-            roles:
-              - "custom-role"
-```
-
-The above configuration grants the application `app-a` the role `custom-role`.
-
-Roles will appear in the `roles` claim as an _array of strings_ within the application's token.
-
-??? example "Example decoded client credentials token (click to expand)"
-
-    ```json hl_lines="12-15"
-    {
-      "aud": "8a5...",
-      "iss": "https://login.microsoftonline.com/.../v2.0",
-      "iat": 1624957347,
-      "nbf": 1624957347,
-      "exp": 1624961247,
-      "aio": "E2Z...",
-      "azp": "e37...",
-      "azpacr": "1",
-      "oid": "933...",
-      "rh": "0.AS...",
-      "roles": [
-        "access_as_application",
-        "custom-role"
-      ],
-      "sub": "933...",
-      "tid": "623...",
-      "uti": "kbG...",
-      "ver": "2.0"
-    }
-    ```
-
 ## Claims
 
 Notable claims in tokens from Entra ID.