https://support.sophos.com/support/s/article/KB-000042194?language=de
This shows Azure AD, not Entra ID. The flow is a little different.
As a side note, this was not the correct document for me to review. In Central, under a customer's directory service to Entra ID, the secret had expired, yet Sophos is prompting me to correct Graph API permissions. Instead, I created a new client secret and entered that into the customer's directory service configuration to address the issue. Not even sure how to give feedback on getting that corrected.