It's preferable to create a role which is only capable of synchronizing Sophos Central and AD.
About AD Sync
If we consider security, we should use MFA to reduce the chances of a security breach,
but multi-factor authenticated users are not supported by AD sync.
And a user needs at least Administrator rights to sync AD.
It's preferable to create a role which is only capable of synchronizing Sophos Central and AD.
XG Fan commented
Resolved through the new dedicated API user sync: https://support.sophos.com/support/s/article/KB-000036778