Sep 12, 2018
By default, if the SAML response from the external IDP does not pass any roles or the role claim has not been correctly mapped, it will be provisioned to the internal/everyone role. Can you use a SAML tracer plugin for your browser and check if the roles are being passed from the Azure AD during the login via federation?
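The check suggested above can also be scripted against the base64 `SAMLResponse` form value copied from the tracer. This is an added example, not part of the original post: the function names are hypothetical, the sample responses are constructed, and it assumes Azure AD emits roles or groups under the two claim URIs listed in `ROLE_URIS`.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/"
# Assumption: the Azure AD app emits roles and/or groups under these claim URIs.
ROLE_URIS = {CLAIMS + "role", CLAIMS + "groups"}

def role_claims(saml_response_b64, role_uris=ROLE_URIS):
    """Return {claim_uri: [values]} for role-like attributes in a SAMLResponse."""
    xml = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD found in SAML response; refusing to parse")
    root = ET.fromstring(xml)
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        raise ValueError("assertion is encrypted; attributes are not visible")
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") in role_uris:
            vals = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS)
                    if v.text and v.text.strip()]
            found.setdefault(attr.get("Name"), []).extend(vals)
    return found

def diagnose(saml_response_b64):
    """Summarise whether the IdP sent any role values."""
    claims = role_claims(saml_response_b64)
    if not any(claims.values()):
        return "no role values in response"
    return "roles sent: " + ", ".join(sorted(v for vs in claims.values() for v in vs))

def build_sample(attributes):
    """Constructed SAMLResponse (unsigned, illustrative) from {name: [values]}."""
    body = "".join(
        '<saml:Attribute Name="%s">%s</saml:Attribute>' % (
            name, "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % v for v in vals))
        for name, vals in attributes.items())
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
           '<saml:AttributeStatement>%s</saml:AttributeStatement>'
           '</saml:Assertion></samlp:Response>' % body)
    return base64.b64encode(xml.encode()).decode()

EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
WITH_ROLES = build_sample({EMAIL: ["user@example.com"], CLAIMS + "role": ["admin", "auditor"]})
NO_ROLES = build_sample({EMAIL: ["user@example.com"]})

if __name__ == "__main__":
    print(diagnose(WITH_ROLES))
    print(diagnose(NO_ROLES))
```

If the result is empty, the IdP is not sending roles; if values are present but the user still lands in internal/everyone, the role claim mapping is the place to look.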