- Keycloak acts as the identity broker: it centralizes authentication and authorization across multiple external identity providers.
- Keycloak can map role or group claims from the Microsoft token onto its own realm roles through identity-provider mappers, giving you fine-grained control over role assignment.
- You can standardize role management across different identity providers (not just Microsoft).
- Applications only need to integrate with Keycloak, not with each identity source separately.
The recommended approach is to store roles in Keycloak: all your applications connect to Keycloak, and roles are defined and managed there instead of being set in Microsoft, Google or Twitter. If a role is derived from a provider's claims, the mapper's sync mode decides whether a change at the provider (for example a removed group membership) is reflected on the next login or only applied once at first login.
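The following is an added example, not Keycloak's own code or configuration: it models the behaviour of a Keycloak "Claim to Role" identity-provider mapper so the split becomes concrete. The broker maps claims from each provider's token to its own realm roles and re-evaluates them per the sync mode (IMPORT maps only on first login, FORCE on every login), while the application only ever reads the broker-issued `realm_access.roles`. All class and function names, the provider aliases, the mapper entries and the sample claim sets are assumptions constructed for this illustration.

```python
"""Model of broker-side role mapping (added example, not Keycloak code).

External providers contribute claims; the broker turns them into realm
roles; applications authorize against broker roles only.
"""
from dataclasses import dataclass, field


@dataclass
class ClaimToRoleMapper:
    """Hypothetical stand-in for Keycloak's 'Claim to Role' IdP mapper."""
    provider: str      # identity-provider alias, e.g. "microsoft"
    claim: str         # claim name in the external token
    claim_value: str   # value that must be present in that claim
    role: str          # realm role the broker grants when it matches


@dataclass
class BrokerUser:
    username: str
    roles: set = field(default_factory=set)
    linked_providers: set = field(default_factory=set)


class Broker:
    """Centralized role store; sync_mode mirrors Keycloak IMPORT / FORCE."""

    def __init__(self, mappers, sync_mode="FORCE"):
        if sync_mode not in ("IMPORT", "FORCE"):
            raise ValueError("unknown sync mode: %r" % sync_mode)
        self.mappers = list(mappers)
        self.sync_mode = sync_mode
        self.users = {}

    def login(self, provider, username, external_claims):
        """Broker a login: evaluate this provider's mappers and update roles."""
        user = self.users.setdefault(username, BrokerUser(username))
        first_login = provider not in user.linked_providers
        user.linked_providers.add(provider)

        # IMPORT: roles were fixed on first login, later claim changes ignored.
        if self.sync_mode == "IMPORT" and not first_login:
            return user

        managed, granted = set(), set()
        for m in self.mappers:
            if m.provider != provider:
                continue
            managed.add(m.role)
            values = external_claims.get(m.claim, [])
            if not isinstance(values, list):
                values = [values]
            if m.claim_value in values:
                granted.add(m.role)

        # FORCE: roles this provider's mappers manage are replaced wholesale,
        # so a role the provider no longer justifies is revoked here too.
        user.roles = (user.roles - managed) | granted
        return user


def issue_token(user):
    """Shape of the role claim an application receives from the broker."""
    return {"preferred_username": user.username,
            "realm_access": {"roles": sorted(user.roles)}}


def app_allows(token, required_role):
    """The application checks broker roles only; no provider-specific logic."""
    return required_role in token.get("realm_access", {}).get("roles", [])


# Constructed mapper table: Microsoft app roles and groups feed realm roles;
# Google contributes identity only, so its users get no roles by default.
DEFAULT_MAPPERS = [
    ClaimToRoleMapper("microsoft", "roles", "Admin", "admin"),
    ClaimToRoleMapper("microsoft", "groups", "sec-audit", "auditor"),
]

if __name__ == "__main__":
    broker = Broker(DEFAULT_MAPPERS, sync_mode="FORCE")
    alice = broker.login("microsoft", "alice",
                         {"roles": ["Admin"], "groups": ["sec-audit"]})
    print(issue_token(alice), app_allows(issue_token(alice), "admin"))
    alice = broker.login("microsoft", "alice", {"roles": [], "groups": []})
    print(issue_token(alice), app_allows(issue_token(alice), "admin"))
```

The FORCE branch is the one to keep an eye on: with IMPORT, a user whose Admin role was removed at Microsoft keeps `admin` in the broker until someone cleans it up by hand, which is exactly the stale-privilege situation centralizing roles is meant to avoid.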