For photos, the SCIM spec has some gaps that don't allow for secure standardized implementations. This is something that Microsoft hopes to improve in the SCIM standard within the next year or two. For now, MS Graph calls are required.
For groups, the "groups" attribute on the SCIM user resource is readOnly. If your SCIM server has/can add support for the SCIM group resource type, group memberships can be managed via that. Azure AD's SCIM client will not send group memberships as a property on a user resource, however, as the spec doesn't support this.