diff --git a/content/for-administrators/secure-your-cluster/azure-gco-app.md b/content/for-administrators/secure-your-cluster/azure-gco-app.md
new file mode 100644
index 00000000..66af1892
--- /dev/null
+++ b/content/for-administrators/secure-your-cluster/azure-gco-app.md
@@ -0,0 +1,25 @@
+# Configuring Azure AD Group Sync Application
+
+1. To enable sync groups from Azure AD (Microsoft's) account to Stakater Cloud you first have to register an application on Azure. Go to the <https://portal.azure.com>
+1. Open `Azure Active Directory` service
+1. On the tab on the left under Manage section click `App Registrations`
+1. Click on `New Registration`. Use `group-sync` under Name and click `Register`
+![Azure AD](images/azure-ad.png)
+1. The GroupSync job requires permissions on the Azure AD tenant in addition to the default ones. For it to work, add the these entries under the ‘API Permissions’ menu item.:
+
+- `Group.Read.All`
+- `GroupMember.Read.All`
+- `User.Read.All`
+
+![Azure App API Permissions](images/azure-permissions-group-sync.png)
+
+1. Click on the Newly created app `group-sync`. Click `Certificates & secrets` from the left tab. Click `New Client Secret`. Under `Expires` pick any option. Under `Description` put *saap-group-sync* and click `Add`
+![Certificates and Secrets](images/azure-ad-certificates-secrets.png)
+1. Copy the value of the newly created client secret and take note of the `Application (client) ID` and `Directory (tenant) ID` of the `group-sync` app registration from the `Overview` tab. **Send this to Stakater Support**
+![Client-Tenant-ID](images/azure-ad-clientid-tenantid.png)
+
+## Items to be provided to Stakater Support
+
+- `Application (client) ID`
+- `Directory (tenant) ID`
+- `client Secret`
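Review bot: The client secret steps say "Under `Expires` pick any option" and then "**Send this to Stakater Support**" without saying how the secret should be handed over. This credential is paired with `Group.Read.All`, `GroupMember.Read.All` and `User.Read.All`, so the page should recommend a concrete expiry with a rotation reminder and name the secure channel to use for sending it. The permissions step should also state whether these are Application or Delegated permissions and whether admin consent has to be granted, and it currently sits before the "Click on the Newly created app `group-sync`" step even though the permissions are set on that app. Minor: "add the these entries" and the trailing ".:" are typos, the unindented bullet list and image paragraph interrupt the `1.` list so numbering can restart when rendered, and `client Secret` in the final list should match the casing of the other two items.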
diff --git a/content/for-administrators/secure-your-cluster/azure-idp.md b/content/for-administrators/secure-your-cluster/azure-idp.md
index eab732b0..00edfdf1 100644
--- a/content/for-administrators/secure-your-cluster/azure-idp.md
+++ b/content/for-administrators/secure-your-cluster/azure-idp.md
@@ -5,9 +5,10 @@
 1. On the tab on the left under Manage section click `App Registrations`
 1. Click on `New Registration`. Use `saap` under Name. Under Redirect URI section Choose `Web` and enter the Redirect URI (**This will be provided by Stakater Support**) and click `Register`
 ![Azure AD](images/azure-ad.png)
+1. Go to "API permissions" and add the required Microsoft Graph API permissions. Typically, you need `User.Read` and `openid`, `profile`, and `email` permissions.
 1. Click on the Newly created app `saap`. Click `Certificates & secrets` from the left tab. Click `New Client Secret`. Under `Expires` pick any option. Under `Description` put *saap oidc* and click `Add`
 ![Certificates and Secrets](images/azure-ad-certificates-secrets.png)
-1. Copy the value of the newly client secret and take note of the `Application (client) ID` and `Directory (tenant) ID` of the `saap` from the Overview section. **Send this to Stakater Support**
+1. Copy the value of the newly client secret and take note of the `Application (client) ID` and `Directory (tenant) ID` of the `saap` app registration from the `Overview` tab. **Send this to Stakater Support**
 ![Client-Tenant-ID](images/azure-ad-clientid-tenantid.png)
 
 ## Items provided by Stakater Support
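Review bot: The added step "Typically, you need `User.Read` and `openid`, `profile`, and `email` permissions" hedges where a setup procedure needs a definite list. State exactly which permissions are required and of which type, so administrators do not grant more than the login flow needs. The step is also placed before "Click on the Newly created app `saap`", although the permissions are configured on that app, and it writes "API permissions" in double quotes where the neighbouring steps use backticks for UI labels. The rewritten last step still reads "the newly client secret"; the new group sync page in this same change has "newly created client secret", so the wording can be aligned here.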
diff --git a/content/for-administrators/secure-your-cluster/images/azure-ad-clientid-tenantid.png b/content/for-administrators/secure-your-cluster/images/azure-ad-clientid-tenantid.png
index 733000d9..0d4b5ce9 100644
Binary files a/content/for-administrators/secure-your-cluster/images/azure-ad-clientid-tenantid.png and b/content/for-administrators/secure-your-cluster/images/azure-ad-clientid-tenantid.png differ
diff --git a/content/for-administrators/secure-your-cluster/images/azure-permissions-group-sync.png b/content/for-administrators/secure-your-cluster/images/azure-permissions-group-sync.png
new file mode 100644
index 00000000..2104825c
Binary files /dev/null and b/content/for-administrators/secure-your-cluster/images/azure-permissions-group-sync.png differ
diff --git a/theme_override/mkdocs.yml b/theme_override/mkdocs.yml
index b5b8cf62..f6892585 100644
--- a/theme_override/mkdocs.yml
+++ b/theme_override/mkdocs.yml
@@ -60,6 +60,7 @@ nav:
           - for-administrators/secure-your-cluster/secure-routes.md
           - for-administrators/secure-your-cluster/google-idp.md
           - for-administrators/secure-your-cluster/azure-idp.md
+          - for-administrators/secure-your-cluster/azure-gco-app.md
           - for-administrators/secure-your-cluster/keycloak-idp.md
           - for-administrators/secure-your-cluster/saml-idp.md
           - for-administrators/secure-your-cluster/saap-authorization-roles.md
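Review bot: The new nav entry `azure-gco-app.md` uses an abbreviation, "gco", that is not explained anywhere in this change and does not match the page title "Configuring Azure AD Group Sync Application". A file name such as one containing "group-sync" would keep the URL self-describing and consistent with the `group-sync` app name used in the page. The entry also carries no nav title, like its neighbours, so the sidebar label will come from the page heading; worth checking that it reads well next to the `azure-idp.md` entry, since both start with Azure AD configuration.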