79297495

Date: 2024-12-20 14:19:45
Score: 1

We had a similar need recently, and ended up using the Microsoft Office 365 auto-provisioning feature in GWS to sync users into Azure Entra ID, same as you; both creation and deletion are supported out of the box.

The only caveat, as you found, is that it only syncs users, not the groups they belong to. So you would need to create the security groups on Azure first, and then, after having the GWS users synced into the Entra ID directory, use another method to assign users to groups.

We approached this with SDKs/APIs: we built a Python script that reads GWS groups to see which members/owners they have using the Google SDK, and then, using the Graph API through a service principal in Azure with the right permissions (Directory readwrite all, etc.), assigns those users to the same groups in Entra ID they were in in GWS. This took a bit of time but works.

Reasons:
  • Long answer (-0.5):
  • No code block (0.5):
  • Low reputation (1):
Posted by: Pablo
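
The following is an added example, not the script from the answer above: it plans the Microsoft Graph `members/$ref` calls for one group from a GWS member list and goes one step beyond the answer by also planning removals. The function name, the `upn_to_id` lookup and all sample data are assumptions made for illustration; only membership is handled, not owners.

```python
# Added example: plan Microsoft Graph calls that align one Entra ID security
# group with a Google Workspace group. Sample data and IDs are constructed.
GRAPH = "https://graph.microsoft.com/v1.0"


def plan_group_sync(entra_group_id, gws_members, entra_member_ids, upn_to_id):
    """Return (requests, unresolved) for one group.

    gws_members: dicts shaped like Admin SDK members.list items
                 ("email", "type", "role").
    entra_member_ids: object IDs currently in the Entra group.
    upn_to_id: lowercased userPrincipalName -> Entra object ID for the users
               that GWS auto-provisioning created (assumed lookup table).
    """
    wanted, unresolved = set(), []
    for m in gws_members:
        oid = upn_to_id.get(m["email"].lower())
        # Nested groups and users not yet provisioned are reported, not guessed.
        if m.get("type") != "USER" or oid is None:
            unresolved.append(m["email"])
        else:
            wanted.add(oid)
    current = set(entra_member_ids)
    managed = set(upn_to_id.values())
    requests = []
    for oid in sorted(wanted - current):
        requests.append(("POST", f"{GRAPH}/groups/{entra_group_id}/members/$ref",
                         {"@odata.id": f"{GRAPH}/directoryObjects/{oid}"}))
    # Only remove synced users; accounts unknown to the sync are left alone.
    for oid in sorted((current - wanted) & managed):
        requests.append(("DELETE",
                         f"{GRAPH}/groups/{entra_group_id}/members/{oid}/$ref", None))
    return requests, unresolved


# Constructed sample input
GWS_MEMBERS = [
    {"email": "Alice@example.com", "type": "USER", "role": "OWNER"},
    {"email": "bob@example.com", "type": "USER", "role": "MEMBER"},
    {"email": "contractors@example.com", "type": "GROUP", "role": "MEMBER"},
    {"email": "new.hire@example.com", "type": "USER", "role": "MEMBER"},
]
UPN_TO_ID = {"alice@example.com": "id-alice", "bob@example.com": "id-bob",
             "carol@example.com": "id-carol"}
ENTRA_MEMBERS = ["id-bob", "id-carol", "id-breakglass"]

if __name__ == "__main__":
    reqs, skipped = plan_group_sync("grp-1", GWS_MEMBERS, ENTRA_MEMBERS, UPN_TO_ID)
    print(*reqs, sep="\n")
    print("unresolved:", skipped)
```

Reviewing the planned requests and the unresolved list before sending anything keeps a bad mapping from silently adding or stripping group access.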