Mar 21, 2021
Hi David,
In Azure AD → App Registrations → Token Configuration page, click on Add groups claim.
Then choose the type of groups you want to include and in which token type (generally ID and access tokens).
With this you should see the groups claim (that lists the groups the user belongs to) included in your access token.
The Group.Read.All and GroupMember.Read.All permissions allow you to read all groups and their members that are available in the entire Azure AD. This is not a regular permission and requires an administrator to grant consent. In most cases you don’t need this.
Hope this helps!
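
A check the application receiving the token could run once the groups claim is configured as described above; this is an added example, not part of the original reply. It also handles the case where Azure AD leaves the list out for a user in too many groups and emits `_claim_names` or `hasgroups` instead. The group IDs and sample tokens are constructed, the function names are hypothetical, and the payload is decoded without signature verification, for inspection only.

```python
import base64
import json

def make_sample_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), ""])

def read_payload(token: str) -> dict:
    """Decode the payload segment for inspection only.
    A real API must validate signature, issuer and audience before this."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def group_claim_state(claims: dict):
    """Return ('present', ids), ('overage', []) or ('missing', [])."""
    groups = claims.get("groups")
    if isinstance(groups, list):
        return "present", groups
    # Overage: the list was too long for the token, so Azure AD emits a pointer
    # (_claim_names / _claim_sources) or, in the implicit flow, hasgroups.
    names = claims.get("_claim_names") or {}
    if "groups" in names or claims.get("hasgroups") in (True, "true"):
        return "overage", []
    return "missing", []

def is_member(claims: dict, required_group_id: str) -> bool:
    """Fail closed: grant only when the ID is actually listed in the token.
    On 'overage' the caller has to look memberships up separately."""
    state, groups = group_claim_state(claims)
    return state == "present" and required_group_id in groups

# Constructed group object IDs (placeholders, not real directory objects).
ADMINS = "00000000-0000-0000-0000-0000000000aa"
USERS = "00000000-0000-0000-0000-0000000000bb"

if __name__ == "__main__":
    samples = {
        "normal": {"sub": "u1", "groups": [USERS]},
        "overage": {"sub": "u2", "_claim_names": {"groups": "src1"},
                    "_claim_sources": {"src1": {"endpoint": "<placeholder>"}}},
        "not configured": {"sub": "u3"},
    }
    for label, claims in samples.items():
        decoded = read_payload(make_sample_token(claims))
        print(label, group_claim_state(decoded)[0], is_member(decoded, USERS))
```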