Hi, As per the documentation https://github.com/hkamel/sonar-auth-aad/wiki/Group-Sync to enable group sync we need to allow "Directory.AccessAsUser.All" for the application under the API permissions in AAD. Our Active directory architecture board is bit hesitant on allowing such permission as it has more privilege's than just reading groups and underlying members.
So is "Directory.Read.All" permission would be sufficient to enable Group sync feature of AAD plugin?

Also do we need to configure the plugin with Client ID and Client Secret in order to have group sync in place?

I've just configured mine and Directory.Read.All looks like it's sufficient. And yes you need ID and Secret otherwise the application has no way to authenticate to AzureAD

I know MS has updated permissions for some of these calls, so I'll do some testing as soon as I have time to determine the best/lowest permissions for the calls we make.

For reference, we're using the /user/{id}/transitiveMemberOf call, which is documented along with needed permissions at https://docs.microsoft.com/en-us/graph/api/user-list-transitivememberof