If you don’t want to provide granular permissions on each API, grant the following permissions on the entire directory to the client application created in Azure. These permissions enable the connector to perform read and write operations on users and groups (excluding deleting users and groups):
This is the companion discussion topic for the documentation at https://documentation.sailpoint.com/connectors/saas/msentraid/help/saas_connectivity/microsoft_entra_id/administrator_permission.html