Provision to an Active Directory group if the user has access to an Application

Use case:
Add users to a specific Active Directory group if they get provisioned to a specific Application and remove them from it if they are de-provisioned. Each application will have a specific AD group. We want to do this for each application. Application A (could be any source type: JDBC, Web Services, AD, etc.), add to AD group for Application A; Application B, add to AD group for Application B.

This seems like a simple role, where if the user has an enabled account in the source, then use role criteria to add them to the Active Directory group.

However, it gets super complicated when we have a source with many applications (Azure or Active Directory). We cannot use "enabled account" as our criteria, and some of our applications have 3k+ access profiles. We do not want to have to list every entitlement/access profile as an OR statement. This becomes unmanageable.

We do not currently own workflows, but this seems like a great way to accomplish this task.