For a completely flexible approach you can use rules to implement conditional logic so that, for all users who authenticated through AD, an additional check is performed to ensure they belong to a certain group. You can then deny access based on that condition, which means that even though the user can complete the Active Directory part of the authentication, they will still not be able to access the client application unless they also meet the requirements of your custom rule.
You may also want to review if the authorization extension is something that would be relevant for your scenario.
In relation to SCIM, at this time, this is not supported, although I can inform you there have been discussions around it. However, I can’t tell you if/when this would be available.
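The group check described in the answer above, written out as an added example of an Auth0 rule (this is illustrative code, not code from the original post or from Auth0). It assumes the AD connection reports its strategy as `ad` in `context.connectionStrategy`, that the AD connector populates `user.groups`, and that the required group name `App-Users` is a placeholder chosen for the illustration; `UnauthorizedError` is provided by the rules sandbox in Auth0, and the fallback class only exists so the file runs stand-alone in Node.

```javascript
// Added example (not from the original post). Assumptions:
// - the AD connection strategy shows up as 'ad' in context.connectionStrategy,
// - the AD connector fills user.groups with the user's group names,
// - 'App-Users' is a placeholder for whatever group should gate access.

// Auth0's rules sandbox provides UnauthorizedError globally; this fallback
// only makes the rule runnable outside the sandbox for demonstration.
const UnauthorizedError =
  typeof globalThis.UnauthorizedError === 'function'
    ? globalThis.UnauthorizedError
    : class UnauthorizedError extends Error {};

const REQUIRED_GROUP = 'App-Users'; // placeholder group name

// The rule itself, in the (user, context, callback) shape Auth0 rules use.
function requireAdGroup(user, context, callback) {
  // Only users who came in through the AD connection are subject to the check;
  // users from any other connection pass through unchanged.
  if (context.connectionStrategy !== 'ad') {
    return callback(null, user, context);
  }
  const groups = Array.isArray(user.groups) ? user.groups : [];
  if (!groups.includes(REQUIRED_GROUP)) {
    // Passing an error to the callback denies the login even though AD
    // already accepted the user's credentials.
    return callback(
      new UnauthorizedError(`Access denied: not a member of ${REQUIRED_GROUP}`)
    );
  }
  return callback(null, user, context);
}

// Small harness to exercise the rule outside Auth0: returns 'allow' or 'deny'.
function evaluate(user, context) {
  let outcome = null;
  requireAdGroup(user, context, (err) => {
    outcome = err ? 'deny' : 'allow';
  });
  return outcome;
}

// Constructed sample inputs for the demonstration.
const adMember = { email: 'alice@example.com', groups: ['Domain Users', 'App-Users'] };
const adNonMember = { email: 'bob@example.com', groups: ['Domain Users'] };
const adNoGroups = { email: 'dave@example.com' }; // connector returned no groups
const socialUser = { email: 'carol@example.com' };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(evaluate(adMember, { connectionStrategy: 'ad' }));              // allow
  console.log(evaluate(adNonMember, { connectionStrategy: 'ad' }));           // deny
  console.log(evaluate(adNoGroups, { connectionStrategy: 'ad' }));            // deny
  console.log(evaluate(socialUser, { connectionStrategy: 'google-oauth2' })); // allow
}
```

The rule deliberately fails closed: a user whose AD profile carries no `groups` attribute at all is denied rather than allowed, so a connector misconfiguration cannot silently widen access.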