An app must be registered via the Azure Portal > App registrations. The app needs the API permissions "Group.Read.All" and "User.Read.All" of type Application (not Delegated). Application permissions can only be consented to by an administrator, so admin consent must be granted in the app's permission configuration before the sync can obtain a token.
Within COYO, the configuration is very similar to that for the LDAP protocol. In the administration area, choose the tab "User directories" and select "Microsoft Graph" as the type.
The following fields need to be configured to establish the connection (the tenant identifier can be found in the Azure portal under Properties):
In the tab "User", you can decide whether "mail" or "userPrincipalName" is used as the users' identifier:
To filter users and groups you can use Microsoft Graph filters, for example:
Filter all users whose email address ends in '@coyo4.com':
Filter all groups whose name starts with 'COYO_':
To write and test your own filters, Microsoft Graph Explorer is recommended.
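The two filters above and the permission setup from the first paragraph, as an added example that is not part of the COYO documentation or product. It assumes the sync authenticates with the OAuth2 client credentials flow against the Azure AD v2.0 token endpoint and queries the Graph v1.0 REST API; the tenant id, client id and secret are placeholders, and the token built by `demo_token` is a constructed, unsigned token used only so the permission check can run offline. The user filter uses Graph's `endsWith()` operator, which on the users resource is an "advanced query" and therefore needs `$count=true` plus the `ConsistencyLevel: eventual` header, a detail that is easy to miss when a filter works in Graph Explorer but fails in a script.

```python
"""Build Graph queries for a user/group sync and check the app token's permissions.

Added example (not COYO code). Assumes client credentials flow + Graph v1.0;
ids and secrets below are placeholders.
"""
import base64
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# The two application permissions the page says the app registration needs.
REQUIRED_ROLES = {"User.Read.All", "Group.Read.All"}


def user_filter(domain: str) -> str:
    """Graph $filter: users whose mail ends with `domain`."""
    return f"endsWith(mail,'{domain}')"


def group_filter(prefix: str) -> str:
    """Graph $filter: groups whose displayName starts with `prefix`."""
    return f"startsWith(displayName,'{prefix}')"


def user_filter_query(domain: str) -> tuple:
    """URL + extra headers for the user filter.

    endsWith() is an advanced query on /users: Graph requires $count=true and
    the ConsistencyLevel: eventual header, otherwise it answers 400.
    """
    url = (f"{GRAPH}/users?$filter={urllib.parse.quote(user_filter(domain))}"
           "&$count=true&$select=id,mail,userPrincipalName,displayName")
    return url, {"ConsistencyLevel": "eventual"}


def group_filter_query(prefix: str) -> tuple:
    """URL + extra headers for the group filter; startsWith() needs no extras."""
    url = f"{GRAPH}/groups?$filter={urllib.parse.quote(group_filter(prefix))}&$select=id,displayName"
    return url, {}


def token_roles(access_token: str) -> set:
    """Application permissions ('roles' claim) carried by a Graph app token.

    Only the payload is decoded; Graph validates the signature on its side.
    This is a configuration check: did the admin grant exactly what we need?
    """
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))


def check_least_privilege(access_token: str) -> tuple:
    """Return (missing, excess) permissions relative to REQUIRED_ROLES."""
    roles = token_roles(access_token)
    return REQUIRED_ROLES - roles, roles - REQUIRED_ROLES


def demo_token(roles) -> str:
    """Constructed, unsigned token for offline demonstration only (Graph would reject it)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none'})}.{b64({'roles': list(roles)})}.sig"


def get_app_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client credentials flow; requires prior admin consent for the app."""
    data = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.load(resp)["access_token"]


def graph_get_all(url: str, headers: dict, access_token: str) -> list:
    """Follow @odata.nextLink so large directories are synced completely."""
    items = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}", **headers})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


if __name__ == "__main__":
    token = get_app_token("<tenant-id>", "<client-id>", "<client-secret>")  # placeholders
    missing, excess = check_least_privilege(token)
    if missing or excess:
        raise SystemExit(f"permission mismatch: missing={missing} excess={excess}")
    for url, hdrs in (user_filter_query("@coyo4.com"), group_filter_query("COYO_")):
        for item in graph_get_all(url, hdrs, token):
            print(item)
```

`check_least_privilege` is the check worth keeping around: if the `roles` claim carries more than the two read permissions the sync needs, the app registration was over-granted and a leaked client secret would give an attacker more than read access to the directory.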
The rest of the configuration works exactly as you know it from configuring your user sync via another protocol, e.g. LDAP.