Our Azure AD configuration documentation currently recommends a Directory.read.all permission from the Azure side: Configuring Azure Active Directory

Many customer's security teams find this to be too relaxed of a permission.

Can the Crowd dev team determine if a more secure permission set is possible?

We have had this permission set recommended from one customer's Azure team: