@dan-anderson

I'd probably look at a transactional webhook on the login success event. That code can examine the user, call out to AD if needed, and if it returns a non-2xx status, it will prevent login.

More here: https://fusionauth.io/docs/v1/tech/events-webhooks/
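As an added illustration of the approach described in the reply above (example code, not FusionAuth's and not the poster's), here is a minimal Python receiver for a transactional webhook on the `user.login.success` event. The payload shape it reads (`event.type`, `event.user.email`) follows FusionAuth's webhook event JSON; the sample event, the `X-Webhook-Secret` header (assumed to be configured as a custom header on the webhook in FusionAuth) and the in-memory table standing in for the Active Directory lookup are all constructed for the example.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Callable, Optional, Tuple

# Assumption: the webhook is configured in FusionAuth to send a custom header
# named X-Webhook-Secret with this value. Without some credential like this,
# anyone who can reach the endpoint could post fake events.
EXPECTED_AUTH_HEADER = "hypothetical-shared-secret"


def ad_account_is_active(email: str) -> bool:
    """Hypothetical stand-in for the AD/LDAP query. A real deployment would
    ask the directory whether the account is enabled; this table is constructed
    so the example runs offline."""
    constructed_directory = {
        "alice@example.com": True,
        "bob@example.com": False,  # disabled in the directory
    }
    return constructed_directory.get(email.lower(), False)


def decide(raw_body: bytes, auth_header: Optional[str],
           lookup: Callable[[str], bool] = ad_account_is_active) -> Tuple[int, str]:
    """Return (HTTP status, reason). For a webhook marked transactional in
    FusionAuth, a 2xx lets the login complete and any other status blocks it."""
    # Authenticate the request first, with a constant-time comparison.
    if auth_header is None or not hmac.compare_digest(auth_header, EXPECTED_AUTH_HEADER):
        return 401, "missing or invalid webhook credential"
    try:
        event = json.loads(raw_body)["event"]
    except (ValueError, KeyError, TypeError):
        return 400, "malformed event"
    # Only police the login success event; acknowledge anything else so that
    # other transactional events are not blocked by this endpoint.
    if event.get("type") != "user.login.success":
        return 200, "ignored event type"
    user = event.get("user") or {}
    email = user.get("email")
    if not email:
        # Fail closed: a login we cannot check against the directory is refused.
        return 403, "no email on user; cannot verify against directory"
    if not lookup(email):
        return 403, f"directory reports {email} as inactive"
    return 200, "ok"


class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        status, reason = decide(body, self.headers.get("X-Webhook-Secret"))
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps({"reason": reason}).encode())


# Constructed sample event in the shape FusionAuth posts for user.login.success.
SAMPLE_EVENT = json.dumps({
    "event": {
        "type": "user.login.success",
        "applicationId": "00000000-0000-0000-0000-000000000001",
        "user": {
            "id": "11111111-2222-3333-4444-555555555555",
            "email": "bob@example.com",
            "active": True,
        },
    }
}).encode()


if __name__ == "__main__":
    # Point the FusionAuth webhook at http://127.0.0.1:8085/ and mark it transactional.
    HTTPServer(("127.0.0.1", 8085), WebhookHandler).serve_forever()
```

Two things matter in practice: the webhook must be marked transactional in FusionAuth, otherwise the response code is ignored and the login proceeds regardless, and the endpoint must authenticate what it receives, or the "block" becomes something an attacker can trigger or bypass by talking to it directly. The decision logic lives in `decide()` so it can be tested without standing up the HTTP server.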