An app must be registered via the Azure Portal > app registrations. The app needs to have the application (type application) API permissions "Group.Read.All" and "User.Read.All". In addition, application permissions can only be consented by an administrator. Thus, the administrator approval in the permission configuration is required. You can check this article on how to do give permissions for COYO.
Within COYO, the configuration is very similar to the LDAP protocol. Under the administration, you choose the tab "User directories" and select "Microsoft Graph" for type.
The following fields need to be configured to establish the connection. The tenant identifier can be found in Azure portal > Properties:
In the tab "User", it can be decided to use "mail" or "userPrincipalName" as the users' identifier:
To filter users and groups you can use Microsoft Graph filters.
Filter all groups starting with 'COYO_'.
To write and test your own filters, Microsoft Graph Explorer is recommended.
Some filter parameters do not work with the Graph API as you would expect. For example, the query function endsWith(mail,'@coyo4.com') does not work with the /users endpoint.
This is an issue on Microsoft side, which we unfortunately can't fix.
The rest of the config works exactly as you know it from configuring your user sync e.g. via LDAP-protocol.