Many have been looking forward to the built-in support for Federated Security in EPiServer which is currently Beta released. In a recent case there was no time to wait and I came up with a workaround that could be used in older EPi versions as well.
UPDATE: I would now accomplish this using something like this OIDC client from scratch example.
Here's me asking about federated login at EPiServer World and I'd also setup a working instance of the mentioned AzureAdSamples' WebApp-OpenIDConnect-DotNet MVC app quite some time ago.
In the case in question there were no problems managing roles locally. They just wanted a way of utilizing a user's Azure login to get inside the EPiServer intranet in question.
I added some simple redirects and a shared data layer and got this "bridge" type of concept working between EPi and the MVC app.
Here's a sketchy sketch of how it ended up.