My Vue application uses Azure AD to authenticate users with the MSAL library. Now only users with specific roles should have the possibility to log in. I saw an approach that needs to execute a request to the Microsoft Graph API with the directory.read.all permission to get the logged-in user's role and then determine whether this user can proceed or not.
Is it possible to specify the users' roles allowed to log in somewhere in AD and disallow other users from logging in?
The way we solved this problem is by creating app-specific roles (App Roles) and assigning users to one or more of those roles.
Now when a user logs in, the app roles assigned to the user are available in the role claims. If we find that the user does not have any app roles assigned to them, we stop them from accessing the application.
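As an added example (not code from the question or the answer above), here is how the check the answer describes can be wired into a Vue application that signs users in with `@azure/msal-browser`: the app role names, the `/forbidden` route, the `getActiveAccount` callback and the sample ID-token claims are all assumptions made for illustration.

```javascript
// Added example: gate a Vue/MSAL app on the Azure AD app roles carried in the
// ID token's `roles` claim. Assumes @azure/msal-browser, where loginPopup()
// (or handleRedirectPromise()) resolves to an AuthenticationResult whose
// `idTokenClaims` is the decoded ID token, and where the active account from
// msalInstance.getActiveAccount() exposes the same `idTokenClaims`.

// App roles this application accepts. The strings are the "Value" field of
// each App Role in the app registration; these particular names are assumed.
const ALLOWED_ROLES = ["Admin", "Analyst"];

// Return the app roles found in a decoded ID token. Azure AD omits the `roles`
// claim entirely when the user has no app role assigned, so a missing or
// malformed claim is treated as "no roles" rather than as an error.
function rolesFromClaims(idTokenClaims) {
  const roles = idTokenClaims && idTokenClaims.roles;
  return Array.isArray(roles) ? roles : [];
}

// True if the user holds at least one of the allowed app roles.
function isAuthorized(idTokenClaims, allowedRoles = ALLOWED_ROLES) {
  return rolesFromClaims(idTokenClaims).some((r) => allowedRoles.includes(r));
}

// Decide what to do with the result of a sign-in. `result` is the
// AuthenticationResult returned by MSAL. Returns { ok, reason } so the caller
// can show a message and sign the user out instead of letting them in.
function evaluateLogin(result) {
  if (!result || !result.idTokenClaims) {
    return { ok: false, reason: "no token" };
  }
  if (!isAuthorized(result.idTokenClaims)) {
    return { ok: false, reason: "user has no permitted app role" };
  }
  return { ok: true, reason: "ok" };
}

// Vue Router global guard. `getActiveAccount` stands in for
// msalInstance.getActiveAccount(); routes that set meta.requiresRole are only
// reachable with an allowed app role, everyone else is sent to "/forbidden"
// (an assumed route in this example).
function makeRoleGuard(getActiveAccount) {
  return function beforeEach(to, from, next) {
    const account = getActiveAccount();
    const claims = account ? account.idTokenClaims : null;
    if (to.meta && to.meta.requiresRole && !isAuthorized(claims)) {
      next({ path: "/forbidden" });
      return;
    }
    next();
  };
}

// Constructed sample claims (abbreviated, not real tokens or real users).
const SAMPLE_WITH_ROLE = {
  oid: "00000000-0000-0000-0000-000000000001",
  preferred_username: "alice@contoso.example",
  roles: ["Analyst"],
};
// A user with no app role assignment: note the `roles` claim is absent.
const SAMPLE_WITHOUT_ROLE = {
  oid: "00000000-0000-0000-0000-000000000002",
  preferred_username: "bob@contoso.example",
};

// Stand-alone demonstration of the two outcomes.
console.log(evaluateLogin({ idTokenClaims: SAMPLE_WITH_ROLE }));
console.log(evaluateLogin({ idTokenClaims: SAMPLE_WITHOUT_ROLE }));
```

The `roles` claim only appears when at least one app role is assigned, so a missing claim is exactly the "no app roles assigned" case the answer turns away. Because the ID token is decoded in the browser, this check protects the UI only; any backend API the app calls should validate the `roles` claim in the access token it receives rather than trusting the client's decision.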