API token scopes required for reading user details from Jira REST API

Hello all,

I have an automation which sends the web request

/rest/api/2/user/search?query={{issue.customfield_12345.urlEncode}}

where {{issue.customfield.12345.urlEncode}} is an email address field. This works perfectly fine when using a testing account with a full access API token and returns results exactly as intended. I want to use a Atlassian Service account where API keys must be created with scopes, however I cannot get this API call to work when using an Atlassian Service account with the scopes listed in the Atlassian REST API documentation:

https://developer.atlassian.com/cloud/jira/platform/rest/v2/api-group-user-search/#api-rest-api-2-user-search-get 

Permissions required: Browse users and groups global permission

Anonymous calls or calls by users without the required permission return empty search results.

Scopes

OAuth 2.0 scopes required:

Classic RECOMMENDED:read:jira-user

Granular: read:user:jira, read:user.property:jira, read:application-role:jira, read:avatar:jira, read:group:jira

I have confirmed that:

• The service account has access to the Jira application
• It is in a group which has the Browse users and groups global permission
• It has all the above listed scopes in the API key
• The call appears to be authenticating correctly (the key updates the 'last used' whenever I run the automation
• I get a 200 status back from the API call

Unfortunately it simply doesn't return any results, which suggests that the permissions are somehow not correct. 

If I change the only the Authorization header to use the known working test account API key, it works fine and returns results, but when I change it to the Service account key, it fails. I've even tried other permutations of scopes and app access but nothing appears to work.

Any ideas greatly appreciated!