Error Azure Active Directory Role entitlement aggregation

Not an answer to your question, but if you are considering a change on the Azure side, Azure has a feature that can connect Roles to Groups.
Use Microsoft Entra groups to manage role assignments - Microsoft Entra ID | Microsoft Learn

Setting things up that way allows group membership to grant roles. Doing this does ‘lock’ the group membership changes to a higher privileged role (GA and Privileged Role Admin).

Once groups are used to manage roles, I think the standard methods for group membership management should work in SP (granted that the service principal SP is using has the proper permissions in Azure).

As a sidenote, once you do get this connected, are you planning on somehow dealing with all of the replica entitlements (groups) that come from on premise AD? These replicated groups will come into IDN (via account aggregation) even if you are using entitlement filters in the source configuration.

I didn’t understand this at first, and posted here about it: IDN: Source Entitlement filtering only sometimes works? - IdentityNow (IDN) / IDN Discussion and Questions - SailPoint Developer Community Forum

We are slow to implement the AAD connector because we have a significant number of ‘replica’/synchronized entitlements (groups) from on premise AD (~3500) and these replicas clutter up search/certifications/access history with extra needless data.

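An added example (not from the post above, nor SailPoint's or Microsoft's own code) showing the two group categories the reply raises: role-assignable groups, whose membership grants directory roles and is locked to highly privileged roles, and on-premises replicas that arrive in IDN through account aggregation. It assumes group objects shaped like Microsoft Graph `group` resources (`isAssignableToRole`, `onPremisesSyncEnabled`); the sample groups are constructed.

```python
# Classify Entra ID group objects (Microsoft Graph shape, assumed) into:
#   - role_assignable: membership grants roles; changes need a highly
#     privileged role (GA / Privileged Role Admin), so a provisioning service
#     principal needs the matching privileged Graph permission;
#   - replicas: groups synced from on-premises AD (candidates to exclude from
#     IDN search/certifications if they are only clutter);
#   - cloud_only: everything else.
from typing import Dict, List

# Constructed sample, not real tenant data. Graph returns null (None) for
# onPremisesSyncEnabled on cloud-only groups, so treat None as False.
SAMPLE_GROUPS: List[Dict] = [
    {"id": "g-1", "displayName": "Entra Helpdesk Admins",
     "isAssignableToRole": True, "onPremisesSyncEnabled": None},
    {"id": "g-2", "displayName": "HR-Users",
     "isAssignableToRole": False, "onPremisesSyncEnabled": True},
    {"id": "g-3", "displayName": "Finance-Apps",
     "isAssignableToRole": None, "onPremisesSyncEnabled": True},
    {"id": "g-4", "displayName": "Cloud Project Team",
     "isAssignableToRole": False, "onPremisesSyncEnabled": None},
]


def requires_privileged_role(group: Dict) -> bool:
    """True when membership changes on this group are locked to a
    privileged role because the group is role-assignable."""
    return bool(group.get("isAssignableToRole"))


def is_on_prem_replica(group: Dict) -> bool:
    """True when the group is synchronized from on-premises AD."""
    return bool(group.get("onPremisesSyncEnabled"))


def classify_groups(groups: List[Dict]) -> Dict[str, List[str]]:
    """Partition groups by id; role-assignable wins over replica because
    role-assignable groups are cloud-only by design (assumption)."""
    result: Dict[str, List[str]] = {
        "role_assignable": [], "replicas": [], "cloud_only": []}
    for g in groups:
        if requires_privileged_role(g):
            result["role_assignable"].append(g["id"])
        elif is_on_prem_replica(g):
            result["replicas"].append(g["id"])
        else:
            result["cloud_only"].append(g["id"])
    return result
```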