I discovered these examples, which helped a lot.
We solved our issue by using App Roles and combining them with security groups in Microsoft Entra.
Then, in our Program.cs, we replaced
builder.Services
.AddAuthentication(IISDefaults.AuthenticationScheme)
with
using System.IdentityModel.Tokens.Jwt;                    // JwtSecurityTokenHandler
using Microsoft.AspNetCore.Authentication.OpenIdConnect;  // OpenIdConnectDefaults, OpenIdConnectOptions
using Microsoft.Identity.Web;                             // AddMicrosoftIdentityWebApp

// Keep the short claim names Entra issues (e.g. "roles") instead of mapping them to the long legacy claim URIs.
JwtSecurityTokenHandler.DefaultMapInboundClaims = false;

builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration);   // reads the "AzureAd" configuration section by default

builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    // App Roles arrive in the "roles" claim; point the role-based authorization checks at it.
    options.TokenValidationParameters.RoleClaimType = "roles";
});
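The snippet above only shows the authentication wiring; the following is an added, complete minimal Program.cs (example code written for this page, not the poster's project) that puts the same two settings in context and actually enforces an App Role on an endpoint. The role name "Reports.Read", the policy name "ReportsReader", the "/reports" route and the "AzureAd" appsettings section are assumed names for illustration; the project is assumed to target .NET 6 or later with implicit usings enabled and to reference the Microsoft.Identity.Web package.

```csharp
// Added example, not from the original post. Assumes an "AzureAd" section in
// appsettings.json (TenantId, ClientId, Instance, CallbackPath) and that the
// App Role "Reports.Read" exists on the app registration and is assigned to
// users directly or through an Entra security group.
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Keep Entra's short claim names ("roles", "name", ...). With inbound mapping
// enabled the handler would rename "roles" to the long legacy claim URI and
// the RoleClaimType setting below would no longer match anything.
JwtSecurityTokenHandler.DefaultMapInboundClaims = false;

builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration); // "AzureAd" section by default

builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    // App Roles are delivered in the "roles" claim of the ID token. Without
    // this, RequireRole()/[Authorize(Roles=...)] look at a different claim
    // type and deny every caller, even correctly assigned ones.
    options.TokenValidationParameters.RoleClaimType = "roles";
});

builder.Services.AddAuthorization(options =>
{
    // Deny by default: every endpoint requires an authenticated user unless it
    // explicitly opts out with AllowAnonymous().
    options.FallbackPolicy = options.DefaultPolicy;

    // Named policy bound to one App Role ("Reports.Read" is an assumed name).
    options.AddPolicy("ReportsReader", policy => policy.RequireRole("Reports.Read"));
});

var app = builder.Build();

app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();

// Only principals whose "roles" claim contains Reports.Read reach this handler.
// ClaimsPrincipal is bound from HttpContext.User by minimal APIs.
app.MapGet("/reports", (ClaimsPrincipal user) => Results.Ok(new
{
    user  = user.Identity?.Name,
    roles = user.FindAll("roles").Select(c => c.Value).ToArray()
})).RequireAuthorization("ReportsReader");

// A health endpoint that deliberately opts out of the fallback policy.
app.MapGet("/health", () => Results.Ok("ok")).AllowAnonymous();

app.Run();
```

A quick check that the wiring is right: sign in with an account that does not hold the role and request /reports; the expected result is a 403, not a 200 and not a redirect loop. If everyone is denied, including users who do hold the role, the usual cause is that DefaultMapInboundClaims was left at its default or RoleClaimType was not set, so the role check is inspecting a claim type the token never carries.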