Roles and groups
You can map roles and groups to users. The firewall uses the role and group values to identify users and authenticates only those with the application roles or groups configured for the firewall. Roles only apply to administrators.
In Azure, you create an application for the firewall, create application roles and groups, and assign users to the application.
Dynamic role update
The firewall automatically changes a regular user to an administrator to match a role change you make in Microsoft Entra ID, but it doesn't change an administrator to a regular user.
To change an administrator to a regular user, you must delete that administrator from the firewall and change their role to a regular user in Microsoft Entra ID. Once the user signs in, the firewall creates a regular user.