This article explains how to change the Active Directory app registration permissions, so Enterprise can sync correctly between the Active Directory and the App Service.
Prerequisites
1) Access to the Azure Active Directory
2) Write permission to the AD App registration
Updating the API permissions
1) To be sure you update the correct AD App registration, locate the Azure AD Client ID in the App Service. The setting is usually called 'AzureADClientID'.
2) Go to the Azure Active Directory portal at https://aad.portal.azure.com
3) Find the 'Azure Active Directory' section in your Favorites or in All Services.
4) Go to the 'App registrations' section and choose 'All applications'.
5) Search the list for the AzureADClientID value and click on the matching item.
6) Under 'API permissions', add, update or delete permissions as needed.
7) Click 'Grant admin consent' after the changes have been applied.
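To review what steps 6 and 7 actually changed, the following added example (not part of the original article or the product) compares the 'requiredResourceAccess' array of the app registration manifest before and after the update, and lists which new entries are application permissions. The two manifests and the permission ids are constructed placeholders; in practice you would paste in the arrays copied from the registration's manifest.

```python
import json

# Constructed sample data: "requiredResourceAccess" from the app registration
# manifest, captured before and after step 6. The permission ids are
# placeholders, not real permission GUIDs.
GRAPH = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource app id

BEFORE = json.loads("""[
  {"resourceAppId": "00000003-0000-0000-c000-000000000000",
   "resourceAccess": [
     {"id": "11111111-1111-1111-1111-111111111111", "type": "Scope"},
     {"id": "33333333-3333-3333-3333-333333333333", "type": "Scope"}
   ]}
]""")

AFTER = json.loads("""[
  {"resourceAppId": "00000003-0000-0000-c000-000000000000",
   "resourceAccess": [
     {"id": "11111111-1111-1111-1111-111111111111", "type": "Scope"},
     {"id": "22222222-2222-2222-2222-222222222222", "type": "Role"}
   ]}
]""")


def flatten(required_resource_access):
    """Return a set of (resourceAppId, permission id, type) tuples."""
    return {
        (res["resourceAppId"], perm["id"], perm["type"])
        for res in required_resource_access
        for perm in res.get("resourceAccess", [])
    }


def diff_permissions(before, after):
    """Report which permission entries were added and which were removed."""
    old, new = flatten(before), flatten(after)
    return {"added": sorted(new - old), "removed": sorted(old - new)}


def application_permissions(entries):
    """'Role' entries are application permissions; 'Scope' entries are delegated."""
    return [e for e in entries if e[2] == "Role"]


if __name__ == "__main__":
    changes = diff_permissions(BEFORE, AFTER)
    for kind in ("added", "removed"):
        for resource, perm_id, perm_type in changes[kind]:
            print(f"{kind:8} {perm_type:6} {perm_id} on {resource}")
    print("application permissions added:", application_permissions(changes["added"]))
```

Application permissions ('Role') let the app act without a signed-in user and always require admin consent, so any that appear under "added" deserve a second look before step 7.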