AD (Azure hybrid) on-prem user source SWITCHED to AZURE

I have followed TID7025035 "ZSD LDAP User Source or Domain Move Process" and the TEST of the connection passed and filter passed, but groups cannot be found.

 

Permissions (GRAPH) set for the Azure app: User.Read.All, Group.Read.All, Group.ReadWrite.All
I was wondering if HYBRID mode is causing the issue, i.e. our groups can only be modified using ADUC On-Prem? But then created the AZ-xxZSD groups in AZURE. Still can't be found.

OR is it seeing the leftover OU=ServiceDesk?? and account = 309. This doesn't match the amount from our previous sync, so is it getting that from AZURE?

We created a new connection and tested it with the same results.  

LOGIN: we get the 'Login with Azure', get the Microsoft login and it appears to go through.

Then we get the ZSD portal login box with: Login failed.Parameters received from the provider are not valid. {0}

OR try login with our network ID, i.e. zen, and get 'Incorrect username or Password'

We can no longer log in to the portals EXCEPT with the built-in admin account. We aren't sure how to proceed.

Help much appreciated!!