You have two approaches.
- Use an on-prem OAuth server that uses LDAP to connect to your local AD. This is your single sign-on option. IdentityServer used to be used for this, but now it's a paid option: https://duendesoftware.com/products/identityserver
- Use Windows authentication. Configure it as you would for ASP.NET Core, and the principal and claims will be passed to the Blazor app. You can use AD calls and custom claims to control the claims.
As all the claims go into a cookie, beware of the number of claims you add. It is a good idea to filter the claims to just the ones used by the app.
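An added example (not from the answer above or from any project it names) of the second approach: Windows authentication via Negotiate in a Blazor Server app, with an `IClaimsTransformation` that trims the domain principal down to the name plus app roles derived from a couple of AD groups. The group names, role names and the `App` root component are assumptions from a standard Blazor template and your own domain.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Negotiate;

var builder = WebApplication.CreateBuilder(args);

// Windows authentication (Kerberos/NTLM via Negotiate) supplies the domain principal.
builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme).AddNegotiate();
builder.Services.AddAuthorization();
builder.Services.AddRazorComponents().AddInteractiveServerComponents();

// Runs on every request after authentication, before the principal reaches the app.
builder.Services.AddTransient<IClaimsTransformation, AppClaimsFilter>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapRazorComponents<App>().AddInteractiveServerRenderMode(); // App: template root component
app.Run();

// Replaces the raw Windows principal (name plus every group SID the account belongs to)
// with a small principal that carries only the claims this app authorizes on.
public sealed class AppClaimsFilter : IClaimsTransformation
{
    // Hypothetical AD groups and the app roles they map to; adjust to your domain.
    private static readonly (string Group, string Role)[] GroupRoles =
    {
        ("CONTOSO\\App-Admins", "admin"),
        ("CONTOSO\\App-Users", "user"),
    };

    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        if (principal.Identity is not { IsAuthenticated: true } source)
            return Task.FromResult(principal);

        var claims = new List<Claim> { new(ClaimTypes.Name, source.Name ?? string.Empty) };

        // WindowsPrincipal.IsInRole resolves a group name against the account's token groups,
        // so the (possibly large) group list never has to be copied into the app's claims.
        foreach (var (group, role) in GroupRoles)
            if (principal.IsInRole(group))
                claims.Add(new Claim(ClaimTypes.Role, role));

        var identity = new ClaimsIdentity(claims, source.AuthenticationType,
                                          ClaimTypes.Name, ClaimTypes.Role);
        return Task.FromResult(new ClaimsPrincipal(identity));
    }
}
```

Components then authorize with `[Authorize(Roles = "admin")]` or `AuthorizeView` against the reduced principal rather than raw group membership.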