Integrating XG with Active Directory, what AD rights does service account need?

Basically it depends on the services, you want to use.

XG will query via LDAP (AD) to the AD server and ask, if the credentials are correct. 

https://serverfault.com/questions/911240/query-ad-users-and-security-groups-permission

https://serverfault.com/questions/167371/what-permissions-are-required-for-enumerating-users-groups-in-active-directory

I am not quite sure, which roles are the perfect match (i am not a microsoft administrator...) but if you take a look at the dumps, you see, that XG will try to authenticate the user and try to get all information by AD to create users etc. 

Maybe you could perform a try and error method to find the proper group and share the results with us. 

You can perform a tcpdump and look into the LDAP conversation between XG and AD. 

https://community.sophos.com/products/xg-firewall/f/staff-picks/114837/how-to-tcpdump

The service I want to use is authenticating users for User Portal and SSL VPN against ACtive Directory.

I am using Account Operators for now because it works and it's not as privileged as Domain Admin.

Does anyone have any ideas or know for sure any other security groups which can be used instead, ideally with least privilege to perform the above mentioned authentication?

I don't know the exact permissions but I know how to find out.

Run Procmon with no permissions and then start adding everything that gets an access denied for the ldap connection until authentication works again. This will take some time and effort to get perfect and may stop working if Microsoft changes something on their end. 

I don't know the exact permissions but I know how to find out.

Run Procmon with no permissions and then start adding everything that gets an access denied for the ldap connection until authentication works again. This will take some time and effort to get perfect and may stop working if Microsoft changes something on their end.