Installing the hotfix removes manually added roles from external users and prevents them from logging in


Description

External users might not be able to log in through Azure Active Directory (AD) after the hotfix is installed, because their roles have been removed from the database. Only roles that were added manually are affected.

Solution

As a solution:

  1. Open the Sitecore.Owin.Authentication.IdentityServer.config file (\App_Config\Sitecore\Owin.Authentication.IdentityServer\Sitecore.Owin.Authentication.IdentityServer.config).
  2. Add the clearroleswhensignin parameter to the SitecoreIdentityServer node (or to your custom identity provider) and set its value to false:
    <identityProviders>
      <identityProvider id="SitecoreIdentityServer" type="Sitecore.Owin.Authentication.IdentityServer.IdentityServerProvider, Sitecore.Owin.Authentication.IdentityServer" resolve="true">
        <caption>Go to login</caption>
        <domain>sitecore</domain>
        <enabled>true</enabled>
        <triggerExternalSignOut>true</triggerExternalSignOut>
        <clearroleswhensignin>false</clearroleswhensignin>
        <transformations hint="list:AddTransformation">
          <!-- existing transformations are left unchanged -->
        </transformations>
      </identityProvider>
    </identityProviders>
    Note: if clearroleswhensignin is set to true, Sitecore saves the roles in the database and overwrites them on every subsequent login.
    When clearroleswhensignin is set to false, the roles that come from claims transformations are stored only in the authentication cookie.
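A quick post-hotfix check, added here as an example and not part of the original article: it parses a config of the shape shown above (the sample is constructed inline; the AzureAd and CustomProvider entries and their types are hypothetical) and lists every identity provider whose clearroleswhensignin is not an explicit false, since those providers still overwrite manually assigned roles on sign-in.

```python
"""Audit Sitecore identity providers for the clearroleswhensignin setting."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on Sitecore.Owin.Authentication.IdentityServer.config.
# Three providers: one patched as the article recommends, one hypothetical
# provider still set to "true", and one hypothetical provider with no element at all.
SAMPLE_CONFIG = """<configuration>
  <sitecore>
    <identityProviders>
      <identityProvider id="SitecoreIdentityServer" type="Sitecore.Owin.Authentication.IdentityServer.IdentityServerProvider, Sitecore.Owin.Authentication.IdentityServer" resolve="true">
        <enabled>true</enabled>
        <clearroleswhensignin>false</clearroleswhensignin>
      </identityProvider>
      <identityProvider id="AzureAd" type="Example.AzureAdProvider, Example">
        <enabled>true</enabled>
        <clearroleswhensignin>true</clearroleswhensignin>
      </identityProvider>
      <identityProvider id="CustomProvider" type="Example.CustomProvider, Example">
        <enabled>true</enabled>
      </identityProvider>
    </identityProviders>
  </sitecore>
</configuration>
"""


def audit_clear_roles(config_xml: str) -> dict:
    """Return {provider id: "true" | "false" | "missing"} for every identityProvider node."""
    root = ET.fromstring(config_xml)
    result = {}
    for provider in root.iter("identityProvider"):
        pid = provider.get("id", "<no id>")
        node = provider.find("clearroleswhensignin")
        if node is None or node.text is None or not node.text.strip():
            result[pid] = "missing"          # element absent: the fix has not been applied
        else:
            result[pid] = node.text.strip().lower()
    return result


def providers_needing_fix(config_xml: str) -> list:
    """Providers whose value is not an explicit "false", in document order.

    Anything else (true, or no element at all) still persists claim-derived roles
    to the database on sign-in, which is what wipes manually added roles.
    """
    return [pid for pid, value in audit_clear_roles(config_xml).items() if value != "false"]


if __name__ == "__main__":
    for pid, value in audit_clear_roles(SAMPLE_CONFIG).items():
        print(f"{pid}: clearroleswhensignin={value}")
    print("needs fix:", providers_needing_fix(SAMPLE_CONFIG))
```

To check a live instance, read the deployed config file (or the output of Sitecore's /sitecore/admin/showconfig.aspx) into the function instead of the constructed sample.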