Tags: php, azure-active-directory, microsoft-identity-platform

How to authorise a User based on AD group membership from outside the domain?


I have a PHP web application which is running on a server outside of the domain and I would like to be able to lock some of the administrative functionality down to members of certain groups in Active Directory, so access to the Finance section is limited to members of the 'Finance' group and so on. This seems like the kind of thing the Microsoft Identity Platform is designed for, but I can't see an easy way to get a simple "user is a member of group X" type of response, rather than an all-round sign-in process. If I needed to do a sign-in -> group membership check approach that would be fine and I'm very happy to send the user through an OAuth round-trip to sign in to their Windows account and verify they're happy to share data with the app.

I think part of the problem here is that not having dealt with this part of Windows for a little while, I don't know what to search for to find useful documentation.

Is there a simple way to send a request to an organisation's Active Directory asking "is this user a member of {group}" and get a response confirming or denying it?


Solution

  • You can call Microsoft Graph API: List memberOf to check groups and directory roles that the user is a direct member of.

    GET https://graph.microsoft.com/v1.0/users/{id}/memberOf
    

    You need to get a Microsoft Graph access token to call Microsoft Graph API.

    And there is another easier way to authorize a User based on AD group membership. Just include groupMembershipClaims claim in your token and check it after you sign in. See this answer for more details.
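Both approaches from the answer above, as an added PHP example that is not part of the original post. It assumes `$claims` is the decoded payload of a token that a JWT library has already validated (signature, issuer, audience, expiry), that `$graphToken` is a Microsoft Graph access token with permission to read the user's memberships, and that the group object IDs are placeholders supplied by the app. It also goes slightly beyond the answer by handling the groups-overage case, where the directory omits the `groups` claim for users in very many groups and the app must fall back to Graph:

```php
<?php
// Added example, not code from the original answer. Two ways to decide whether a
// signed-in user belongs to a given Azure AD / Entra ID group from a PHP app.
// Assumptions: $claims is the decoded payload of an ID or access token that has
// ALREADY been validated (signature, issuer, audience, expiry) by a JWT library;
// $graphToken is a valid Microsoft Graph access token; group IDs are placeholders.

declare(strict_types=1);

/**
 * Path 1: groupMembershipClaims. Once the app registration emits a "groups"
 * claim, the token lists the object IDs (GUIDs) of the user's groups.
 * Compare object IDs, never display names: names are not unique and the
 * claim does not carry them anyway.
 *
 * Returns true/false, or null when the token cannot answer: on groups
 * overage the directory drops the claim and signals that via _claim_names
 * (or hasgroups in implicit flows), so the caller must fall back to Graph.
 */
function isMemberFromToken(array $claims, string $groupId): ?bool
{
    if (!empty($claims['_claim_names']) || !empty($claims['hasgroups'])) {
        return null; // overage: claim omitted, ask Graph instead
    }
    if (!isset($claims['groups']) || !is_array($claims['groups'])) {
        return false;
    }
    foreach ($claims['groups'] as $g) {
        if (is_string($g) && strcasecmp($g, $groupId) === 0) {
            return true;
        }
    }
    return false;
}

/**
 * Path 2: Microsoft Graph "List memberOf", following @odata.nextLink pages.
 * The endpoint returns directory roles as well as groups, so only objects
 * typed as group are counted.
 */
function isMemberFromGraph(string $graphToken, string $userId, string $groupId): bool
{
    $url = 'https://graph.microsoft.com/v1.0/users/' . rawurlencode($userId) . '/memberOf';
    while ($url !== null) {
        $page = graphGet($graphToken, $url);
        foreach ($page['value'] ?? [] as $obj) {
            if (($obj['@odata.type'] ?? '') === '#microsoft.graph.group'
                && strcasecmp((string) ($obj['id'] ?? ''), $groupId) === 0) {
                return true;
            }
        }
        $url = $page['@odata.nextLink'] ?? null;
    }
    return false;
}

// Minimal authenticated GET against Graph; throws on any non-200 response so a
// failed lookup can never be mistaken for "not a member".
function graphGet(string $token, string $url): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => ['Authorization: Bearer ' . $token, 'Accept: application/json'],
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        throw new RuntimeException("Graph call failed with HTTP $status");
    }
    $json = json_decode($body, true, 512, JSON_THROW_ON_ERROR);
    return is_array($json) ? $json : [];
}

// Usage: answer from the token when it can, otherwise ask Graph. 'oid' is the
// user's object ID claim; $financeGroupId is the Finance group's object ID.
function canAccessFinance(array $claims, string $graphToken, string $financeGroupId): bool
{
    $fromToken = isMemberFromToken($claims, $financeGroupId);
    if ($fromToken !== null) {
        return $fromToken;
    }
    return isMemberFromGraph($graphToken, (string) $claims['oid'], $financeGroupId);
}
```

The token path costs no extra network call per request, but it is only as trustworthy as the token validation done before the claims are read; the Graph path is the authoritative check and is the one to use when the claim is missing or when the decision must reflect the directory's current state rather than the state at sign-in.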