dirkjanm / ROADtools

A collection of Azure AD/Entra tools for offensive and defensive security purposes

Error 403 on Gather

pand0rausa opened this issue · comments

Starting data gathering phase 1 of 2 (collecting objects)
Error 403 for URL https://graph.windows.net/xxxx-xxxx-xxxx-xxxx-xxxxxxxxxx/users?api-version=1.61-internal

Starting data gathering phase 2 of 2 (collecting properties and relationships)
....
ROADrecon gather executed in 11.47 seconds and issued 1896 HTTP requests.

Seems to complete, and the data is in the DB, but reporting fails (will open tickets for these).

Going to the URL provides the following error:

<error><code>Authentication_MissingOrMalformed</code><message xml:lang="en">Access Token missing or malformed.</message></error>

It is possible they disabled user enumeration via the AAD Graph. Are there other URLs that fail with 403, or is it only the users endpoint?

This is the only 403 error I saw. Got a lot of
"Non-existing child found on Groups All users:"
"Non-existing child found on Groups ..."
"Non-existing child found on Groups All Company"
"Non-existing child found on DirectoryRoles Global Administrator"
"Non-existing child found on Groups AAD DC Administrators"

And yes, user enumeration is disabled.

I don't think there is much we can do if user enumeration is blocked. Data will be incomplete, and there will be quite a few errors thrown afterwards for relationships that cannot be found.
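As an added example (not part of this thread or of the ROADtools project), a small Python triage script that reads ROADrecon gather output in the format shown above, records which AAD Graph resources returned an HTTP error, and tallies the "Non-existing child found" lines by object type, so an assessor can judge how incomplete a collection is before trusting the reports. The log lines, the placeholder tenant id and the helper names are constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample of ROADrecon gather output (mirrors the lines in this
# thread; the tenant id is a placeholder, not a real value).
SAMPLE_OUTPUT = """\
Starting data gathering phase 1 of 2 (collecting objects)
Error 403 for URL https://graph.windows.net/xxxx-xxxx-xxxx-xxxx-xxxxxxxxxx/users?api-version=1.61-internal
Starting data gathering phase 2 of 2 (collecting properties and relationships)
Non-existing child found on Groups All users:
Non-existing child found on Groups All Company
Non-existing child found on DirectoryRoles Global Administrator
Non-existing child found on Groups AAD DC Administrators
ROADrecon gather executed in 11.47 seconds and issued 1896 HTTP requests.
"""

HTTP_ERROR_RE = re.compile(r"^Error (\d{3}) for URL (\S+)")
MISSING_CHILD_RE = re.compile(r"^Non-existing child found on (\S+) (.*?):?$")

def endpoint_of(url):
    """Reduce a graph URL to its tenant-relative resource, e.g. 'users'."""
    path = urlparse(url).path.strip("/").split("/")
    # path[0] is the tenant id; everything after it is the resource path
    return "/".join(path[1:]) if len(path) > 1 else path[0]

def triage(output):
    """Summarise HTTP errors and unresolved relationships in gather output."""
    errors = {}           # resource -> HTTP status code
    missing = Counter()   # object type -> number of unresolved parents
    for line in output.splitlines():
        m = HTTP_ERROR_RE.match(line)
        if m:
            errors[endpoint_of(m.group(2))] = int(m.group(1))
            continue
        m = MISSING_CHILD_RE.match(line)
        if m:
            missing[m.group(1)] += 1
    return {"http_errors": errors, "unresolved_by_type": dict(missing)}

def likely_user_enumeration_blocked(summary):
    """A 403 on the users collection is the signature seen in this thread."""
    return summary["http_errors"].get("users") == 403

if __name__ == "__main__":
    summary = triage(SAMPLE_OUTPUT)
    print(summary)
    if likely_user_enumeration_blocked(summary):
        print("users endpoint returned 403: expect incomplete data and "
              "unresolved memberships for groups and directory roles")
```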