docs(azure-devops): Add minimum OAuth permissions guidance

baton/azure-devops.mdx

@@ -2,7 +2,7 @@
 title: "Set up an Azure DevOps connector"
 og:title: "Set up an Azure DevOps connector"
 description: "ConductorOne provides identity governance and just-in-time provisioning for Microsoft Azure DevOps. Integrate your Azure DevOps instance with ConductorOne to run user access reviews (UARs) and enable just-in-time access requests."
 og:description: "ConductorOne provides identity governance and just-in-time provisioning for Microsoft Azure DevOps. Integrate your Azure DevOps instance with ConductorOne to run user access reviews (UARs) and enable just-in-time access requests."
 sidebarTitle: "Microsoft Azure DevOps"
 ---
 
@@ -18,7 +18,7 @@
 
 The Azure DevOps connector supports [automatic account provisioning](/product/admin/account-provisioning).
 
 This connector does not support account deprovisioning. You must deprovision accounts directly in Azure DevOps.
 
 ## Gather Azure DevOps credentials
 
@@ -58,11 +58,18 @@
   Finally, click **API permissions** and select **Azure DevOps**.
   </Step>
   <Step>
-  Give the app the following permissions:
-    - user\_impersonation (Azure DevOps only allows delegated permissions)
+  Give the app the following permissions based on your needs:
+
+    **For sync-only (read) access:**
+    - user\_impersonation (required - Azure DevOps only allows delegated permissions)
+    - vso.profile
+    - vso.graph
+
+    **For full provisioning (read/write) access:**
+    - user\_impersonation (required - Azure DevOps only allows delegated permissions)
+    - vso.profile
     - vso.graph\_manage
     - vso.memberentitlementmanagement\_write
-    - vso.profile
   </Step>
   <Step>
   Click **Add permissions**.