Why is the Azure Resource Group permission needed? #2372

@esgeer

Description

Describe the bug
We are using the latest win-acme version (v2.2.4.1500) and are trying to renew a certificate for Azure DNS using a managed identity:

--validation azure --azureusemsi --azuresubscriptionid x --azureresourcegroupname x --azurehostedzone x

The managed identity does have DNS Zone Contributor rights on the Azure DNS zone, but not on the resource group. When we try to renew the certificate we get:

Azure.RequestFailedException: The client 'XXXXXXXX-XXXX-XXXXX-XXXXX-XXXXXXXXXXXX' with object id 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/read' over scope '/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourcegroups/XXXXXX' or the scope is invalid. If access was recently granted, please refresh your credentials. Status: 403 (Forbidden) ErrorCode: AuthorizationFailed
So it seems win-acme tries to scan the resource group for the specific DNS zone, even when we give it the name of the zone.
So we gave the identity Reader rights on the resource group, and then it works.

Expected behavior
win-acme should be able to handle certificates when the identity only has the correct rights on the Azure DNS hosted zone, without permissions on the resource group.
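A small Python model of how Azure RBAC scope inheritance produces the 403 quoted above, added here as an example and not code from win-acme or Azure: a role assignment applies at its own scope and at child scopes beneath it, so a zone-scoped assignment never authorises a read on the parent resource group, while Reader on the resource group does. The role definitions, subscription id, resource group and zone names are constructed placeholders, and the TXT write action is an assumed stand-in for the dns-01 record update the renewal performs.

```python
"""Constructed model of Azure RBAC scope evaluation (not win-acme or Azure code).
An assignment grants its role's actions at the assigned scope and every child
scope beneath it, never at a parent, so a zone-scoped 'DNS Zone Contributor'
cannot satisfy a read on the enclosing resource group."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Assignment:
    role: str
    scope: str  # ARM resource ID the role was assigned on

# Simplified, constructed role definitions; real built-in roles list more actions.
ROLES = {
    "DNS Zone Contributor": ["Microsoft.Network/dnsZones/*"],
    "Reader": ["*/read"],
}

def scope_covers(assigned: str, requested: str) -> bool:
    """True when the requested scope is the assigned scope or lies beneath it."""
    a, r = assigned.rstrip("/").lower(), requested.rstrip("/").lower()
    return r == a or r.startswith(a + "/")

def is_authorized(assignments, action: str, scope: str) -> bool:
    """Grant if any assignment covers the scope and its role has a matching
    (wildcard-capable) action; '*' spans path segments as in Azure."""
    return any(
        scope_covers(asg.scope, scope)
        and any(fnmatchcase(action.lower(), p.lower()) for p in ROLES[asg.role])
        for asg in assignments
    )

def missing_permissions(assignments, required):
    """Return the (action, scope) pairs the identity cannot perform."""
    return [(a, s) for a, s in required if not is_authorized(assignments, a, s)]

# Constructed placeholders for the subscription, resource group and zone.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = f"{SUB}/resourceGroups/dns-rg"
ZONE = f"{RG}/providers/Microsoft.Network/dnsZones/example.com"

# What the renewal needs: the RG read named in the 403 above, plus a TXT record
# write for the dns-01 challenge (assumed action name for the record update).
REQUIRED = [
    ("Microsoft.Resources/subscriptions/resourcegroups/read", RG),
    ("Microsoft.Network/dnsZones/TXT/write", ZONE),
]
ZONE_ONLY = [Assignment("DNS Zone Contributor", ZONE)]   # the reporter's setup
WITH_RG_READER = ZONE_ONLY + [Assignment("Reader", RG)]  # the workaround that worked
```

`missing_permissions(ZONE_ONLY, REQUIRED)` reports only the resource-group read, and the list is empty once Reader is added on the resource group.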
