apperently it seems the wordpress rest-api cannot work with restricted authorizations.

when i change the default Allow All Users / this:

to a restricting ad group and remove the All Users (obviously):

which creates this web.config:

<system.webServer>
    <security>
        <authorization>
            <remove users="*" roles="" verbs="" />
            <add accessType="Allow" roles="DOMAINTest-Group" />
        </authorization>
    </security>
</system.webServer>

all seems fine

at first glance,

but if we go to WP Site Health it reveals this errors:

so it seems the wp REST-Api cannot operate without anonymous / All Users access.

How can i fix this or am i missing something and need to adjust some settings?

thank you