To authorise the synchronisation with Microsoft 365, you will need an Azure account with one of the following roles:

Any of these roles can be used for Delegated Permissions authentication but only Global Administrator can be used with Application Permissions authentication.

Application Permissions authentication requires an account that can grant tenant-wide admin consent for an AD Enterprise Application. This combined with the MS Graph API permissions required by the sync mean that this authentication option requires an account with Global Administrator role.

Delegated Permissions authentication will work as long as the token we hold for the delegated user is valid. That token will be invalidated if that user is removed, changes their password or enables MFA. It is also possible for it to expire after a period of time. This means you may need to re-authenticate the sync integration from time to time. For these reasons we recommend using Application Permissions authentication particularly if you intend to use the automatic sync or frequently run a manual sync. However we understand that it is not always possible or justifiable to use a Global Administrator account which is why we offer the Delegated Permissions option.