Making an account not allowed to login via OIDC / SSO if assigned to more than one Azure Directory Group (Role)

Hey! I am using the OIDC module to let users log in via their Microsoft identification. I have connected their accounts to an Azure Directory Group depending on what role they will have in the application (for example Admin, Cashier and Boss). This is working fine!

However, if a user has more than one role assigned to him (for example he is assigned the roles Boss and Cashier), I want the user not to be able to log in. I also want the user to then reach a page and get information on why he can't proceed to log in to the application.

I have tried making a count on their list of user roles, and if it is more than one I am returning an empty account object instead of letting them log in via their Microsoft account. However, this is not a neat solution since the app is just crashing for them.

Is there a fallback page from the OIDC module I could use, or could I simply create one myself and put in a microflow that the user could reach instead?

1 answer

Hi Benjamin,


Select the current user's roles:


Count the list:


Do something like:


For the Java Action details look here:


Go Make It
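
The rule from the question (exactly one application role, otherwise send the user to an explanation page instead of returning an empty account) as an added example; it is not part of the original thread and does not use the Mendix OIDC module's API. It goes slightly beyond the thread by also failing closed when the token carries a group-overage marker instead of the full group list. The group IDs, role mapping, reason codes and page paths are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample mapping: Azure group object ID -> application role.
GROUP_TO_ROLE = {
    "11111111-0000-0000-0000-000000000001": "Admin",
    "11111111-0000-0000-0000-000000000002": "Cashier",
    "11111111-0000-0000-0000-000000000003": "Boss",
}
DENIED_PAGE = "/login-denied"  # hypothetical anonymous information page


@dataclass(frozen=True)
class LoginDecision:
    allowed: bool
    role: Optional[str]
    reason: str    # hypothetical reason code, for the audit log and the page
    redirect: str  # where to send the browser next


def _deny(reason: str) -> LoginDecision:
    return LoginDecision(False, None, reason, f"{DENIED_PAGE}?reason={reason}")


def decide_login(claims: dict) -> LoginDecision:
    """Decide on already-validated ID-token claims, before a session exists."""
    # Group overage: the token holds a pointer instead of the full group
    # list, so the role count cannot be trusted. Fail closed.
    claim_names = claims.get("_claim_names") or {}
    if "groups" in claim_names or claims.get("hasgroups"):
        return _deny("groups_overage")
    groups = claims.get("groups")
    if not isinstance(groups, list):
        return _deny("no_groups_claim")
    # Count distinct application roles, not raw groups: users are usually
    # members of many groups that have nothing to do with this application.
    roles = sorted({GROUP_TO_ROLE[g] for g in groups
                    if isinstance(g, str) and g in GROUP_TO_ROLE})
    if not roles:
        return _deny("no_role")
    if len(roles) > 1:
        return _deny("multiple_roles")
    return LoginDecision(True, roles[0], "ok", "/")
```

Returning an explicit decision with a redirect target keeps the denial path a normal page load, and the reason code gives both the information page and the audit log something concrete to show.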