Currently, user synchronization is the only way to synchronize roles. You can replace all roles for a user when doing a sync, but for that to work it requires that you define every role for every user. Nearly all of my sites have internal staff that I want to log in with O365, but also external customers that cannot. This greatly limits the options to sync users and roles with the current plugin options.
I would like an option to configure a role sync that is designed only to update that role. Any users not assigned to that role should be removed from that role and any users included should get the role added. User creation can be handled through a separate sync job.