How to Control RBAC in AKHQ Using OIDC with Azure AD?

[medhunk]

We are integrating OIDC with Azure AD for SSO in AKHQ and want to control role-based access (RBAC) effectively. Our requirement is to provide read-only access to developers and admin access to the DevOps team.

We are currently facing some confusion about where and how to define the roles and groups:

Should we define roles and group mappings at the Azure AD application level and rely on Azure's group claims?
Or, should we define roles and group mappings explicitly in the AKHQ configuration under the akhq.security.roles and akhq.security.groups settings?

micronaut:
    security:
      enabled: true
      oauth2:
        enabled: true
        callback-uri: "xxx/oauth/callback/azure"
        clients:
          azure:
            client-id: "xx"
            client-secret: "xxx"
            scopes:
              - email
              - openid
            openid:
              issuer: "https://login.microsoftonline.com/xxx/v2.0"
    security:
      roles:
        topic-reader:
          - resources: [ "TOPIC", "TOPIC_DATA" ]
            actions: [ "READ" ]
          - resources: [ "TOPIC" ]
            actions: [ "READ_CONFIG" ]
        topic-writer:
          - resources: [ "TOPIC", "TOPIC_DATA" ]
            actions: [ "CREATE", "UPDATE" ]
          - resources: [ "TOPIC" ]
            actions: [ "ALTER_CONFIG" ]
      groups:
        topic-reader-group:
          - role: topic-reader
            clusters: ["xxx"]
        topic-writer-group:
          - role: topic-writer
            clusters: ["xxx"]
      oidc:
        enabled: true
        providers:
          azure:
            label: "Click here to Login as SSO"
            username-field: email
            groups-field: roles
            default-group: topic-reader
            groups:
              - name: topic-admin
                groups:
                  - topic-writer-group
              - name: topic-reader
                groups:
                  - topic-reader-group
            users:
              - username: "xxx"
                groups:
                  - topic-reader

Despite this setup, we’re noticing that controlling RBAC seems to depend on the Azure AD group assignments rather than being configurable entirely within AKHQ.

Questions:

1. Is it mandatory to configure RBAC at the Azure AD application level, or can AKHQ fully manage roles and groups defined in its own configuration?
2. How can we ensure that developers get read-only access while the DevOps team gets admin access without hardcoding group IDs across two platforms?
3. Are there any best practices for combining Azure AD and AKHQ configurations for RBAC?