Daniel Hutmacher has a new series on Availability Group synchronization, starting with logins:
You’ll need a linked server from your secondary replica to the primary replica. This linked server should feature the absolute bare-minimum of permissions, preferably with only the “be made using the login’s current security context” selected.
The account running the procedure (or the mapped login in the linked server) will need SELECT access to the following DMVs on the remote (primary) server:
master.sys.server_principals
master.sys.sql_logins
master.sys.server_role_members
master.sys.server_permissions
The code itself is a download from Daniel’s website; go check it out.