Thanks for the reply, Jeff. Yeah, that appears to be the case for 99% of users as well: groups just works.
For our app registration I am just using:
- GroupMember.Read.All
- profile
I did have the other 2 that you have when testing and trying to get the group one working, but it didn't make a difference.
One difference I have that I think may be different from others is I’m using UPN as the claim, not email.