
Group Sync Should Be Disabled When Multi-Tenant

Open srvrguy opened this issue 5 years ago • 0 comments

Group sync in this plugin matches the group name on SonarQube to the display name of the AAD group. If the plugin is enabled to allow a multi-tenant install and group sync is enabled, a malicious individual could potentially gain unauthorized access by adding themselves to a same-named group on their AD.

As an example, suppose a SonarQube server was configured in multi-tenant mode and group sync was enabled. If the option to allow users to sign up was left enabled, any person who discovered the SQ server could easily become an administrator by creating an Azure instance, creating a "sonar-administrators" group of which they are a member, and then signing into the SonarQube instance.

My thought is to completely disable group sync if the plugin is configured in multi-tenant mode. While the feature can be useful in certain specific circumstances, the potential for abuse outweighs those benefits, IMO.

srvrguy, Nov 05 '19 02:11
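The following is an added example, not code from the sonar-auth-aad plugin, that models the group-sync decision the issue describes: a weak version that maps AAD group display names to SonarQube groups regardless of which tenant issued the token, beside a hardened version that refuses group sync entirely when the plugin is in multi-tenant mode, as the issue proposes. The configuration class, the directory lookup, the tenant IDs, group object IDs and token claims are all constructed stand-ins for illustration.

```python
# Added example (not sonar-auth-aad's own code): a model of the group-sync
# decision discussed in the issue. All names, IDs and claims are constructed.
from dataclasses import dataclass


@dataclass
class PluginConfig:
    # Constructed stand-in for the plugin's settings; not its real config keys.
    multi_tenant: bool
    group_sync: bool


# Constructed stand-in for resolving AAD group object IDs to display names
# (in a real deployment this would be a directory lookup). Keyed by tenant ID
# so the example can show two different tenants using the same display name.
GROUP_DIRECTORY = {
    "tenant-home": {"11111111-aaaa": "sonar-administrators"},
    "tenant-other": {"22222222-bbbb": "sonar-administrators"},
}

# Groups that exist on the SonarQube side; membership is granted by name match.
SONARQUBE_GROUPS = {"sonar-administrators", "sonar-users"}


def validate_config(config):
    """Return a list of warnings for dangerous setting combinations.

    The issue's point is that multi-tenant + group sync lets any tenant pick
    the display names that SonarQube trusts, so that pairing is flagged."""
    warnings = []
    if config.multi_tenant and config.group_sync:
        warnings.append(
            "group sync is enabled in multi-tenant mode: group display names "
            "are not unique across tenants, so sync will be ignored"
        )
    return warnings


def resolve_group_names(tenant_id, group_ids):
    """Map the group object IDs in a token to display names for that tenant."""
    directory = GROUP_DIRECTORY.get(tenant_id, {})
    return {directory[g] for g in group_ids if g in directory}


def sync_groups_weak(config, claims):
    """Behaviour described in the issue: match on display name only.

    Which tenant issued the token (the 'tid' claim) plays no part, so a group
    named 'sonar-administrators' in any tenant maps onto the SonarQube group."""
    if not config.group_sync:
        return set()
    names = resolve_group_names(claims["tid"], claims.get("groups", []))
    return names & SONARQUBE_GROUPS


def sync_groups_hardened(config, claims):
    """Proposed behaviour: no group sync at all when multi-tenant is enabled.

    In single-tenant mode the display-name match is still acceptable because
    only the one trusted tenant can define the group names."""
    if not config.group_sync or config.multi_tenant:
        return set()
    return sync_groups_weak(config, claims)


if __name__ == "__main__":
    cfg = PluginConfig(multi_tenant=True, group_sync=True)
    # Constructed token claims for a user from a tenant the server does not own.
    other_tenant_user = {"tid": "tenant-other", "groups": ["22222222-bbbb"]}
    print("warnings:", validate_config(cfg))
    print("weak:", sync_groups_weak(cfg, other_tenant_user))
    print("hardened:", sync_groups_hardened(cfg, other_tenant_user))
```

Running the block shows the weak path handing the other tenant's user the `sonar-administrators` group purely on the display-name match, while the hardened path returns no groups once `multi_tenant` is set; the same hardened function still syncs groups normally for a single-tenant configuration.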