Hello @bdiddy. There's no way to associate or control both of them in Azure AD, but you can do it in your application. E.g., if the token of a user with the employee role contains Admin-only scopes, then you could deny authorization.
Let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.
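The application-side check described in the answer above, as an added example that is not part of the original answer: it inspects the `roles` and `scp` claims of a token whose signature, issuer and audience have already been validated, and denies when the token carries a scope its roles do not permit. The role names, scope names, `SCOPE_ROLES` table and function names are hypothetical.

```python
# Added example: role/scope consistency check on already-validated token claims.
# Role names, scope names and the policy table are hypothetical.

# Scope -> app roles allowed to use it (assumed policy, defined by the application).
SCOPE_ROLES = {
    "Reports.Read": {"Employee", "Admin"},
    "Users.Manage": {"Admin"},
    "Settings.Write": {"Admin"},
}


def token_scopes(claims):
    """Azure AD puts delegated scopes in 'scp' as one space-separated string."""
    scp = claims.get("scp", "")
    return set(scp.split()) if isinstance(scp, str) else set()


def token_roles(claims):
    """App roles arrive in 'roles' as a list of strings; absent if none assigned."""
    roles = claims.get("roles", [])
    if isinstance(roles, str):
        roles = [roles]
    return {r for r in roles if isinstance(r, str)}


def authorize(claims, required_scope):
    """Return (allowed, reason). Deny by default."""
    scopes, roles = token_scopes(claims), token_roles(claims)
    # Reject the whole token if it carries any scope its roles do not permit,
    # e.g. an Employee-only token that contains an Admin-only scope.
    for scope in sorted(scopes):
        allowed_roles = SCOPE_ROLES.get(scope)
        if allowed_roles is None:
            return False, f"unknown scope {scope}"
        if not (roles & allowed_roles):
            return False, f"scope {scope} not permitted for roles {sorted(roles)}"
    if required_scope not in scopes:
        return False, f"missing scope {required_scope}"
    return True, "ok"


# Constructed sample claims (not real tokens).
EMPLOYEE_OK = {"roles": ["Employee"], "scp": "Reports.Read"}
EMPLOYEE_BAD = {"roles": ["Employee"], "scp": "Reports.Read Users.Manage"}
ADMIN_OK = {"roles": ["Admin"], "scp": "Reports.Read Users.Manage"}

if __name__ == "__main__":
    for c in (EMPLOYEE_OK, EMPLOYEE_BAD, ADMIN_OK):
        print(c["roles"], authorize(c, "Reports.Read"))
```

Run this only after the token has passed signature, issuer, audience and expiry validation, since the claims are trusted as-is here.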