Currently user synchronization is the only way to synchronize roles. You can replace all roles for a user when doing a sync, but for that to work it requires you to define every role for every user. Nearly all of my sites have internal staff that I want to log in with O365, but also external customers that cannot. This greatly limits options to sync users and roles with the current plugin options.
I would like an option to configure a role sync that is designed only to update that role. Any users not assigned to that role should be removed from that role and any users included should get the role added. User creation can be handled through a separate sync job.
I have declined this idea because I believe that it would be possible to achieve the desired outcome by creating a hierarchy of Azure AD groups. In this case one could select users from group A, where group A has members from (nested) groups A1, A2 and A3, and then re-assign a user from group A1 to A2 (instead of only having a group A and removing the user from group A). In WPO365 you configure different mappings for the groups A1, A2 and A3. That way you do indeed define a role for every user (that is in group A, which aggregates A1, A2 and A3), but it doesn’t take a lot of effort to accomplish that.
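To make the two approaches concrete, here is an added illustration (example code written for this page, not WPO365 code or anything from the plugin's authors) that models the nested-group idea from the reply above together with the role-only reconciliation asked for in the request: nested groups are flattened, each mapped group yields a role, and only roles the sync manages are ever added or removed, so an external customer with an unrelated role is left untouched. All group names, e-mail addresses and role names are constructed sample data; the WordPress role names are used only as labels.

```python
"""Model of nested-group role mapping and role-only reconciliation."""
from collections import defaultdict

# Constructed sample directory (hypothetical tenant, not real data):
# group A aggregates nested groups A1, A2 and A3; A3 itself nests A2.
GROUP_MEMBERS = {
    "A": {"A1", "A2", "A3"},
    "A1": {"alice@example.com"},
    "A2": {"bob@example.com"},
    "A3": {"carol@example.com", "A2"},
}

# Hypothetical group-to-role mappings, one mapping per nested group.
GROUP_TO_ROLE = {"A1": "editor", "A2": "author", "A3": "subscriber"}

# When a user lands in several mapped groups keep the strongest role
# (lowest index wins); a stricter least-privilege policy could pick the weakest.
ROLE_ORDER = ["editor", "author", "subscriber"]

# Constructed current WordPress roles, one role per user for simplicity.
CURRENT_ROLES = {
    "alice@example.com": "editor",      # already correct, no change expected
    "bob@example.com": "subscriber",    # now in A2 as well: promoted to author
    "dave@example.com": "author",       # no longer in any mapped group: role removed
    "erin@example.com": "customer",     # external customer, role not managed by sync
}


def flatten_members(group, members=GROUP_MEMBERS, seen=None):
    """Users reachable from `group`, expanding nested groups and tolerating cycles."""
    seen = set() if seen is None else seen
    if group in seen:
        return set()
    seen.add(group)
    users = set()
    for member in members.get(group, ()):
        if member in members:                   # member is itself a group
            users |= flatten_members(member, members, seen)
        else:
            users.add(member)
    return users


def desired_roles(mapping=GROUP_TO_ROLE, members=GROUP_MEMBERS, order=ROLE_ORDER):
    """Assign exactly one role to every user found under a mapped group."""
    candidates = defaultdict(set)
    for group, role in mapping.items():
        for user in flatten_members(group, members):
            candidates[user].add(role)
    return {user: min(roles, key=order.index) for user, roles in candidates.items()}


def reconcile(current, desired, managed=frozenset(ROLE_ORDER)):
    """Return (user, old_role, new_role) changes needed to reach `desired`.

    Only roles in `managed` are touched: a user holding a synced role who no
    longer appears under any mapped group loses it, while accounts whose role
    is unmanaged (for example external customers) are skipped entirely.
    """
    changes = []
    for user in sorted(set(current) | set(desired)):
        old = current.get(user)
        new = desired.get(user)
        if new is None and old not in managed:
            continue                            # out of scope for this sync job
        if old != new:
            changes.append((user, old, new))
    return changes


if __name__ == "__main__":
    for user, old, new in reconcile(CURRENT_ROLES, desired_roles()):
        print(f"{user}: {old} -> {new}")
```

Running the module prints the three changes the sync would apply (bob promoted, carol added, dave's synced role removed) and nothing for erin, which is the separation the feature request describes: role membership is reconciled without the sync job having to own every role of every user.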