An app must be registered via Azure Portal > App registrations. The app needs the API permissions "Group.Read.All" and "User.Read.All" of type Application (not Delegated). Application permissions can only be consented by an administrator, so an administrator must grant admin consent in the permission configuration.
The following fields need to be configured to establish the connection (hint: the tenant identifier can be found in Azure Portal > Properties):
In the user tab, you can choose whether 'mail' or 'userPrincipalName' is used as the users' identifier:
The rest of the configuration works exactly as for any other user sync, e.g. via LDAP.
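As an added example (not part of the original documentation or the product's code), a small Python helper that builds the client-credentials token request for the registered app, checks that the issued token actually carries both required application permissions (the `roles` claim is empty when admin consent was never granted), and maps a page of Graph users by the chosen identifier; all tenant, client and user values, and the sample token, are constructed.

```python
import base64
import json
import urllib.parse

GRAPH = "https://graph.microsoft.com/v1.0"
REQUIRED_ROLES = {"User.Read.All", "Group.Read.All"}  # application permissions the text requires

def token_request(tenant_id, client_id, client_secret):
    """URL and form body of the client-credentials grant for the registered app."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",  # request the consented app permissions
    })
    return url, body.encode()

def missing_roles(access_token):
    """Required permissions absent from the token's 'roles' claim. App-only tokens list
    granted application permissions there; an empty claim usually means admin consent was
    never given. Only the payload is decoded (no signature check): we inspect our own token."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return sorted(REQUIRED_ROLES - set(claims.get("roles", [])))

def users_url(identifier):
    """Graph query selecting only the object id and the chosen identifier attribute."""
    if identifier not in ("mail", "userPrincipalName"):
        raise ValueError("identifier must be 'mail' or 'userPrincipalName'")
    return f"{GRAPH}/users?$select=id,{identifier}&$top=999"

def map_users(page, identifier):
    """Map identifier -> object id. 'userPrincipalName' is always set, but 'mail' is null
    for accounts without a mailbox; those users are reported as skipped, not silently lost."""
    mapping, skipped = {}, []
    for user in page.get("value", []):
        key = user.get(identifier)
        if key:
            mapping[key.lower()] = user["id"]  # lower-cased: addresses and UPNs compare case-insensitively
        else:
            skipped.append(user["id"])
    return mapping, skipped

# Constructed sample data (not a real token or tenant): one user has no mail attribute, and
# the token carries only one of the two required permissions.
SAMPLE_PAGE = {"value": [{"id": "11", "mail": "Alice@example.com", "userPrincipalName": "alice@example.com"},
                         {"id": "22", "mail": None, "userPrincipalName": "svc-build@example.com"}]}
SAMPLE_TOKEN = "hdr." + base64.urlsafe_b64encode(json.dumps({"roles": ["User.Read.All"]}).encode()).decode().rstrip("=") + ".sig"
```

Run `missing_roles` on the token returned by the real endpoint before the first sync: a non-empty result points at missing admin consent rather than a network or mapping problem.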