axelrotter

Reputation: 724

Azure AD and Authorization on Self-Developed Applications

I have read the documentation on Microsoft.com and have only got answers about giving applications authorization to talk to each other, but not how to implement a permission system on each different application that I have. I basically want to know what the best practices are to implement authorization on my .Net API and Angular client. I would use Azure AD to redirect external and internal users to the Microsoft Sign-In Page; I am missing a fine-grained permission system to authorise users to access different resources on the API or on the Angular web application. Do I have to set up a DB for my API with permissions? How do I add new users to my DB after registering them to my AD?

I'm really confused here, so my questions aren't really as clear as I wish I could write them.

Upvotes: 1

Views: 140

Answers (1)

juunas

Reputation: 58733

Compiling comments to a proper answer:

Per-user permissions are limited to appRoles, roles that you can give in Azure AD to users. You can also use security groups to achieve a similar thing if you want. But anything finer-grained has to be implemented on the app side.

For identifying users you can use one of two claims in the user Id token / access token. oid or sub. The oid is the unique immutable object id in Azure AD. The sub claim is a unique immutable id within your app. So every app gets the same oid, but a different sub for the same user. The oid claim is also used when calling e.g. MS Graph API to identify the user.

Upvotes: 1
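The split the answer describes (coarse appRoles from Azure AD, anything finer kept on the app side and keyed on the oid claim) and the asker's "how do new users get into my DB" question can both be shown in one ASP.NET Core policy. The following is an added example written for this page, not code from the question, the answer or Microsoft; it assumes the Microsoft.Identity.Web package with an "AzureAd" configuration section, an in-memory dictionary standing in for the real permission table, an app role named "Admin", and a permission string "reports:read", all of which are placeholders.

```csharp
// Added example: per-user permissions keyed on the Azure AD "oid" claim, with
// just-in-time provisioning of the app-side user row on first authenticated request.
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

// ---- Wiring (Program.cs) ----
var builder = WebApplication.CreateBuilder(args);

// Validates the Azure AD bearer token; tenant/client ids are read from the "AzureAd" section (assumption).
builder.Services.AddMicrosoftIdentityWebApiAuthentication(builder.Configuration);
builder.Services.AddSingleton<IUserStore, InMemoryUserStore>();
builder.Services.AddSingleton<IAuthorizationHandler, PermissionHandler>();
builder.Services.AddAuthorization(options =>
{
    // One policy per fine-grained permission; the name is a placeholder.
    options.AddPolicy("reports:read", p => p
        .RequireAuthenticatedUser()
        .AddRequirements(new PermissionRequirement("reports:read")));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/reports", () => "ok").RequireAuthorization("reports:read");
app.Run();

// ---- App-side permission store (in-memory stand-in for a real DB table) ----
public sealed class AppUser
{
    public string ObjectId { get; init; } = "";    // Azure AD oid: same for this user in every app
    public HashSet<string> Permissions { get; } = new();
}

public interface IUserStore
{
    AppUser GetOrCreate(string objectId);
}

public sealed class InMemoryUserStore : IUserStore
{
    private readonly Dictionary<string, AppUser> _users = new();

    // Just-in-time provisioning: the first authenticated request creates the row,
    // so nothing has to sync users from Azure AD into the app database up front.
    public AppUser GetOrCreate(string objectId)
    {
        if (!_users.TryGetValue(objectId, out var user))
        {
            user = new AppUser { ObjectId = objectId };
            user.Permissions.Add("reports:read");   // default grant for new users (assumption)
            _users[objectId] = user;
        }
        return user;
    }
}

// ---- Authorization requirement and handler ----
public sealed class PermissionRequirement : IAuthorizationRequirement
{
    public PermissionRequirement(string permission) => Permission = permission;
    public string Permission { get; }
}

public static class ClaimHelpers
{
    // "oid" arrives either under its short name or mapped to the long URI,
    // depending on whether inbound claim mapping is enabled in the JWT handler.
    public static string? GetObjectId(ClaimsPrincipal user) =>
        user.FindFirst("oid")?.Value
        ?? user.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value;
}

public sealed class PermissionHandler : AuthorizationHandler<PermissionRequirement>
{
    private readonly IUserStore _store;
    public PermissionHandler(IUserStore store) => _store = store;

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, PermissionRequirement requirement)
    {
        // Coarse check: an Azure AD appRole (the "roles" claim, mapped to the
        // identity's role claim type) can satisfy the requirement outright.
        if (context.User.IsInRole("Admin"))
        {
            context.Succeed(requirement);
            return Task.CompletedTask;
        }

        // Fine-grained check: look the user up by oid on the app side.
        // No oid means the token did not come from Azure AD, so the requirement stays unmet.
        var oid = ClaimHelpers.GetObjectId(context.User);
        if (oid is null) return Task.CompletedTask;

        var appUser = _store.GetOrCreate(oid);
        if (appUser.Permissions.Contains(requirement.Permission))
            context.Succeed(requirement);

        return Task.CompletedTask;
    }
}
```

The key design choice follows the answer: the database row is keyed on oid rather than sub, because oid is the same for a given user across all of your applications, so the same table can back both the API and any other service you write, while sub would differ per app. The handler never succeeds the requirement for a token without an oid, so a failed lookup is a denial, not a fallthrough.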
