diff --git a/netbox/netbox/authentication.py b/netbox/netbox/authentication.py
index 61dfe2fdb..1e90abd2c 100644
--- a/netbox/netbox/authentication.py
+++ b/netbox/netbox/authentication.py
@@ -386,3 +386,40 @@ def user_default_groups_handler(backend, user, response, *args, **kwargs):
 user.groups.add(*group_list)
 else:
 logger.info(f"No valid group assignments for {user} - REMOTE_AUTH_DEFAULT_GROUPS may be incorrectly set?")
+
+
+class AuthFailed(Exception):
+ pass
+
+
+def azure_map_groups(response, user, backend, *args, **kwargs):
+ '''
+ Assign user to netbox group matching role
+ Also set is_superuser or is_staff for special roles 'superusers' and 'staff'
+ '''
+ print(f"response: {response}")
+ return
+ try:
+ roles = response['roles']
+ except KeyError:
+ user.groups.clear()
+ raise AuthFailed("No role assigned")
+
+ try:
+ user.is_superuser = False
+ user.is_staff = False
+
+ for role in roles:
+ if role == 'superusers':
+ user.is_superuser = True
+ user.save()
+ continue
+ if role == "staff":
+ user.is_staff = True
+ user.save()
+ continue
+
+ group, created = Group.objects.get_or_create(name=role)
+ group.user_set.add(user)
+ except Group.DoesNotExist:
+ pass
diff --git a/netbox/netbox/settings.py b/netbox/netbox/settings.py
index 7d2da2996..db426703c 100644
--- a/netbox/netbox/settings.py
+++ b/netbox/netbox/settings.py
@@ -553,6 +553,7 @@ SOCIAL_AUTH_PIPELINE = (
 'netbox.authentication.user_default_groups_handler',
 'social_core.pipeline.social_auth.load_extra_data',
 'social_core.pipeline.user.user_details',
+ 'netbox.authentication.azure_map_groups',
 )
 
 # Load all SOCIAL_AUTH_* settings from the user configuration
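Review bot: `azure_map_groups` prints the whole provider `response` to stdout and then hits a bare `return`, so the identity provider's payload (for OAuth2/OIDC backends this typically includes access and ID tokens) ends up in the process log while none of the role mapping below it ever runs. Once those two lines are removed, `user.save()` is still only called inside the `superusers` and `staff` branches, so a user whose privileged role was withdrawn keeps `is_superuser`/`is_staff` in the database; the flags should be derived from `roles` and saved on every login. The `except Group.DoesNotExist` handler is unreachable because `get_or_create` does not raise it, and groups are only ever added, so memberships for withdrawn roles persist unless that is intended. `AuthFailed` is declared here as a plain `Exception`, so it presumably surfaces as a server error rather than a handled login failure; that is worth confirming against the social-auth exception middleware.

```python
def azure_map_groups(response, user, backend, *args, **kwargs):
    # … unchanged: docstring; the print() and the bare return are dropped …
    # … unchanged: roles lookup and the KeyError branch …

    # Derive both flags from the current claim and persist them on every
    # login, so a role withdrawn at the IdP also revokes the flag.
    user.is_superuser = 'superusers' in roles
    user.is_staff = 'staff' in roles
    user.save()

    for role in roles:
        if role in ('superusers', 'staff'):
            continue
        group, _ = Group.objects.get_or_create(name=role)
        group.user_set.add(user)
```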
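Review bot: Adding `'netbox.authentication.azure_map_groups'` to the global `SOCIAL_AUTH_PIPELINE` makes the step run for every social-auth backend, not only Azure AD. With its early `return` removed, the step clears the user's groups and raises whenever the response has no `roles` key, which would fail logins from any other provider and undo what `user_default_groups_handler` assigned a few steps earlier. The step should be guarded on the backend, for example `if not backend.name.startswith('azuread'): return` at the top of the function, or be enabled only through deployment-specific configuration. The tuple starts above the hunk, so the earlier pipeline steps are not visible here.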