Sorry, forgot to mention.
Already done this.
Here is my sssd.conf
[sssd]
# Global SSSD settings: which domains to serve and which responders to start.
# NOTE(review): sssd.conf should be readable and writable only by the account SSSD runs as
# (typically root, mode 0600); SSSD is documented to refuse other ownership or permissions - confirm for your version.
# Each name listed here needs a matching [domain/NAME] section.
domains = AD.DOMAIN.EXAMPLE
config_file_version = 2
# Responders started by SSSD: name service lookups, PAM authentication, and sudo rules.
services = nss, pam, sudo
[domain/AD.DOMAIN.EXAMPLE]
# Identity, authentication and access settings for the Active Directory domain named in the header.
ad_domain = AD.DOMAIN.EXAMPLE
krb5_realm = AD.DOMAIN.EXAMPLE
# Bookkeeping tags; the value indicates the host was joined through realmd using adcli.
realmd_tags = manages-system joined-with-adcli
# Keeps a hash of each user's credentials in the local SSSD cache so logins still work while the
# domain is unreachable. NOTE(review): this makes the local cache files sensitive - confirm they are root-only.
cache_credentials = True
id_provider = ad
# While the provider is offline, holds the user's password so a TGT can be requested once it is back.
# NOTE(review): sssd-krb5(5) describes this password as kept in plaintext in the kernel keyring;
# keep it enabled only if offline ticket acquisition is actually required.
krb5_store_password_if_offline = True
default_shell = /bin/bash
# UIDs/GIDs are derived from the AD object SID rather than read from POSIX attributes in the directory.
ldap_id_mapping = True
# Users are handled by short name (user) instead of user@domain.
use_fully_qualified_names = False
# %u expands to the login name.
fallback_homedir = /opt/home/%u
# Login access is decided by the simple_allow_* / simple_deny_* lists in this section.
access_provider = simple
# NOTE(review): boolean spelling is mixed in this section (True / False / false); pick one form.
ad_enable_dns_sites = false
# NOTE(review): both server settings point at the domain name rather than a specific domain
# controller host - confirm this resolves the way you intend.
ad_server = AD.DOMAIN.EXAMPLE
krb5_server = AD.DOMAIN.EXAMPLE
# Allow-list of groups for the simple access provider (comma-separated).
# NOTE(review): the value has a space before "@", so it is presumably read as the single group name
# "Developers @AD.DOMAIN.EXAMPLE". With use_fully_qualified_names = False the intended entry may be
# "Developers" or "Developers@AD.DOMAIN.EXAMPLE" - confirm. When an allow list is set and nothing
# matches, the simple provider denies every user.
simple_allow_groups = Developers @AD.DOMAIN.EXAMPLE
# Very verbose tracing, useful while troubleshooting. NOTE(review): logs grow quickly and record
# detailed lookup and authentication activity; lower this again once the problem is resolved.
debug_level = 9
[sudo]