I'm developing an ASP.NET MVC application and using Azure AD for single sign-on. I'm at a point where I'm looking at how to handle user roles for authorization. I understand that I can create roles or groups from inside the Azure portal, but everything I've read seems to suggest that the only way to add people to or remove them from those groups or roles is from within the portal. But we don't want to be in a situation where our developer group is handling role/permission assignments for this application's users.
What I really want is some sort of interface within the application where an Admin can select an AD user, select one (or more) of the application's roles, and add the user into those roles.
Is there a way to pull a list of available application roles from Azure AD, then send back which of those roles should get attached to a user? Most of the documentation I've seen seems to assume that you have a pre-defined list of users that you manage through the portal.
Should I be using separate tables in ASP.NET Identity? I had hoped Azure AD integration would allow me to skip having a database user store.
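The two operations the question asks for, listing an application's roles and attaching one to a user, map onto Microsoft Graph: the roles defined on the app registration appear in the `appRoles` collection of its service principal, and an assignment is an `appRoleAssignment` object created under the user. The following is an added example, not code from the post; it assumes an app-only Graph token (for example via MSAL client credentials) carrying `Application.Read.All` and `AppRoleAssignment.ReadWrite.All`, and that the caller has already restricted this code to the application's own admin role.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

// Assumption (not from the post): accessToken is an app-only Graph token with
// Application.Read.All and AppRoleAssignment.ReadWrite.All already acquired.
public sealed class AppRoleAdmin
{
    private const string Graph = "https://graph.microsoft.com/v1.0";
    private readonly HttpClient _http = new HttpClient();

    public AppRoleAdmin(string accessToken) =>
        _http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", accessToken);

    // Roles declared on the app registration are exposed on its service principal.
    public async Task<List<(Guid Id, string Value, string DisplayName)>> ListAppRolesAsync(string servicePrincipalId)
    {
        var json = await _http.GetStringAsync($"{Graph}/servicePrincipals/{servicePrincipalId}?$select=appRoles");
        using var doc = JsonDocument.Parse(json);
        var roles = new List<(Guid, string, string)>();
        foreach (var r in doc.RootElement.GetProperty("appRoles").EnumerateArray())
        {
            // Disabled roles must not be offered in the admin UI.
            if (!r.GetProperty("isEnabled").GetBoolean()) continue;
            roles.Add((r.GetProperty("id").GetGuid(),
                       r.GetProperty("value").GetString() ?? "",
                       r.GetProperty("displayName").GetString() ?? ""));
        }
        return roles;
    }

    // Assigning a role = creating an appRoleAssignment: principalId is the user,
    // resourceId is the app's service principal, appRoleId is the role's id.
    public async Task AssignRoleAsync(string userObjectId, string servicePrincipalId, Guid appRoleId)
    {
        var body = JsonSerializer.Serialize(new
        {
            principalId = userObjectId,
            resourceId = servicePrincipalId,
            appRoleId = appRoleId
        });
        var resp = await _http.PostAsync($"{Graph}/users/{userObjectId}/appRoleAssignments",
            new StringContent(body, Encoding.UTF8, "application/json"));
        resp.EnsureSuccessStatusCode(); // 201 Created; the role appears in the user's "roles" claim at next sign-in
    }
}
```

Removal is the mirror operation, `DELETE /users/{id}/appRoleAssignments/{assignmentId}`, and because assignments live in the directory, no ASP.NET Identity tables are needed; the user's `roles` claim in the ID token is what `[Authorize(Roles = ...)]` reads, so an audit log of who assigned which role from the admin page is worth keeping alongside the Graph call.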