Service principal permissions for azuread

I’m trying to set up the service principal to use AzureAD as per

It notes:

NOTE: If you’re authenticating using a Service Principal then it must have permissions to Read directory data within the Windows Azure Active Directory API.

When I go into the AAD API permissions for the Service Principal, the option for Windows Azure Active Directory isn’t there.

I’ve tried using the Graph API permissions, but as I was getting an error I decided to do an AZ login as the SP.

When I do

az ad user list

I get

Insufficient privileges to complete the operation.

I presume this is a valid test?

How do I assign the API permissions as documented?

It looks like the documentation is out of date.

Is anyone able to help?