URL

See a full list of available API endpoints of Azure here.
In this example we want a list of all users:

https://graph.microsoft.com/v1.0/users

Endpoints

Endpoints are service-specific URLs for receiving an access token. Auth & Token URLs are required for all services. Only some services have a dedicated revoke endpoint. Azure AD does not have one, so the field can be left empty.

Auth & Token Endpoints:

Auth Url: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
Token Url: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Revoke Url: 

The Callback URL is a read-only field. You need to add this URL to the list of Authorized redirect URIs in your remote service configuration.

Scopes

Scopes define the permission to specific parts of data.
In this example we want to access the users resource, so we add the User.Read.All scope to the list. Keep in mind that the User.Read.All permission needs admin consent, so you might have to log in with an admin account or grant access from the remote service configuration. No matter which resource you want to access, always add offline_access to the scope list. This scope is needed to receive a refresh token from Azure, because the access tokens are very short-lived.

User.Read.All offline_access

You can find a complete list of available Azure AD permissions here

Authenticate

Now you can trigger the process by clicking Authenticate. This will open a new window with the service login. If you need admin permission, make sure the account you use to log in has the right permissions. After logging in you need to consent to the scopes you defined earlier. The window will close again and a green badge Authenticated should appear right below the button.
Now save & test the data source to make sure everything is working as expected.
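
What the Auth Url, Token Url and scope fields above turn into on the wire, as an added example that is not part of the original documentation or the product's own code. The tenant, client ID, client secret and callback URL are placeholders supplied by the caller, the sample response is constructed, and the handling of a resource-prefixed scope in the response is an assumption:

```python
import secrets
from urllib.parse import urlencode

# Endpoints and scopes as given on this page.
AUTH_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SCOPES = ("User.Read.All", "offline_access")

def build_authorize_url(tenant, client_id, redirect_uri, scopes=SCOPES, state=None):
    """URL the login window opens; returns (url, state) so state can be checked on the callback."""
    if "offline_access" not in scopes:
        raise ValueError("offline_access missing: no refresh token will be issued")
    state = state or secrets.token_urlsafe(16)  # anti-CSRF value echoed back on the callback
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,  # must match a registered redirect URI exactly
        "scope": " ".join(scopes),
        "state": state,
    })
    return AUTH_URL.format(tenant=tenant) + "?" + query, state

def build_refresh_request(tenant, client_id, client_secret, refresh_token, scopes=SCOPES):
    """(url, form body) for the POST that trades a refresh token for a new access token."""
    return TOKEN_URL.format(tenant=tenant), {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "scope": " ".join(scopes),
    }

def check_token_response(resp, wanted=SCOPES):
    """List problems in a token-endpoint JSON response (empty list means usable)."""
    problems = []
    if not resp.get("refresh_token"):
        problems.append("no refresh_token: offline_access was not requested or not granted")
    # Assumption: granted scopes may carry a resource prefix; compare on the last path segment.
    granted = {s.rsplit("/", 1)[-1].lower() for s in resp.get("scope", "").split()}
    for scope in wanted:
        if scope != "offline_access" and scope.lower() not in granted:
            problems.append(f"scope not granted: {scope} (admin consent missing?)")
    return problems

# Constructed sample response, not captured from a real tenant.
SAMPLE_OK = {"token_type": "Bearer", "expires_in": 3600, "access_token": "<access-token>",
             "refresh_token": "<refresh-token>",
             "scope": "https://graph.microsoft.com/User.Read.All"}
```

If `check_token_response` reports a missing refresh token after a successful login, the scope list is the first thing to recheck.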