I have implemented an Azure B2C Authentication solution using PKCE but now want to hook this up to an authorisation service similar to roles in the MS Identity Server model.
Do you need to "roll your own" solution? For example; once a user is authenticated I need to determine if they have administrator privileges, read/write or read only access. Scopes don't support this level of granularity.
Yes. We need to roll our own solution.
There is no Out-of-the-box AAD B2C solution that gets the Group / Directory role information.
We can get Group claims in B2C using custom code through custom (IEF) policies. We can take advantage of REST API claims Integration and Microsoft Graph. Add a new claim type 'groups' into the custom policy and call the Microsoft Graph to get user's groups. Here is an example for your reference.
If you are using user flow, you can consider custom attribute. For example, create a custom attribute named AADRole. Assign the real AAD role as the value to different user and then get the claim from id token after B2C users sign in. Refer to this answer for more details.
