0
votes

I'm actually making a website, in ASP.NET MVC, which is accessible with an Azure Active Directory account sign-in. This part works great. But now I want to make roles based on who is signed in so they can access different content.

I made a group in my Azure Active Directory for admins and I tried this solution, but it's not really working well:

if (principal.Claims.Any(x => x.Type == "groups" && x.Value == "<object id of the admin group>"))
{ /* give admin rights */ }

Does someone know a better solution, or what's wrong with mine?

Thanks in advance.


2 Answers

0
votes

I'm assuming you've created an Azure AD "Application" that you're using.

The trick is that you need to modify the "Manifest" for the application to allow you to query for groups.

There isn't a UI for this in the portal, you have to just download the manifest, make the change, then upload it. Clunky at best.

You want to find the key "GroupMembershipClaims" and set it to "SecurityGroup". If you set it to all then you'll get email groups as well. The problem here is that you get a list of all the user's groups and all the groups those groups belong to. In a large company, that could be a lot!

You next have to call back to get the group info which means getting a token.

If you generated the MVC app in Visual Studio and told it you wanted to use Azure AD it sticks in much of the plumbing, but there is a bug in the template. When it tries to persist the tokens, it will always retrieve the first token in the list, not the most recent. That means your demo works today, but fails tomorrow...

You can search for info on the ADAL library for more info. I recommend reading Modern Authentication with Azure Active Directory for Web Applications by Vittorio Bertocci for real insights into how it all works.
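The following is an added example, not code from the question or the answer above. It shows the group-to-role mapping the question is trying to do, done in a way that also handles the "too many groups" case the answer warns about: when a user belongs to more groups than fit in the token, Azure AD omits the "groups" claim and emits an overage marker ("hasgroups", or "_claim_names" pointing at a Graph endpoint) instead, so a check that only looks for "groups" silently returns "not an admin". The group object ID below is a constructed placeholder, the OWIN wiring in the trailing comment is an assumed Startup.Auth.cs setup, and the mapping assumes group object IDs (GUIDs) rather than display names, since display names can be changed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Added example: map Azure AD group object IDs carried in the "groups"
// claim onto application roles, and refuse to decide when the claim has
// been dropped because of group overage.
public static class AzureAdGroupRoles
{
    // Assumption: group object IDs are loaded from configuration in a real
    // app. The GUID here is a constructed placeholder, not a real group.
    public static readonly IReadOnlyDictionary<string, string> GroupToRole =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["00000000-0000-0000-0000-000000000000"] = "Admin" // placeholder
        };

    // Azure AD omits "groups" and emits one of these markers when the user
    // is in more groups than fit in the token (the overage case).
    public static bool HasGroupOverage(ClaimsPrincipal principal)
    {
        return principal.HasClaim(c => c.Type == "hasgroups")
            || principal.HasClaim(c => c.Type == "_claim_names"
                                       && c.Value.Contains("groups"));
    }

    // Returns the application roles implied by the group IDs in the token.
    // Unknown groups are ignored; an overage token is an error, not "no roles",
    // so the caller can fall back to a Graph membership query instead of
    // quietly granting nothing (or, worse, defaulting to something).
    public static IEnumerable<string> RolesFor(ClaimsPrincipal principal)
    {
        if (HasGroupOverage(principal))
            throw new InvalidOperationException(
                "groups claim omitted (overage); query Microsoft Graph for membership");

        return principal.FindAll("groups")
            .Select(c => c.Value)
            .Where(GroupToRole.ContainsKey)
            .Select(id => GroupToRole[id])
            .Distinct();
    }

    // Adds a standard role claim per mapped group once, at sign-in, so
    // [Authorize(Roles = "Admin")] and User.IsInRole("Admin") work everywhere
    // without repeating the group-ID comparison in controllers.
    public static void AddRoleClaims(ClaimsIdentity identity)
    {
        var principal = new ClaimsPrincipal(identity);
        foreach (var role in RolesFor(principal))
            identity.AddClaim(new Claim(ClaimTypes.Role, role));
    }
}

// Assumed wiring in Startup.Auth.cs with the OWIN OpenID Connect middleware
// (shown as a comment so this file compiles without the OWIN packages):
//
// Notifications = new OpenIdConnectAuthenticationNotifications
// {
//     SecurityTokenValidated = ctx =>
//     {
//         AzureAdGroupRoles.AddRoleClaims(ctx.AuthenticationTicket.Identity);
//         return Task.FromResult(0);
//     }
// };
```

With the role claims added at token validation time, controllers use `[Authorize(Roles = "Admin")]` rather than inspecting group IDs themselves, and the manifest setting the answer describes ("GroupMembershipClaims" set to "SecurityGroup") is still required for the "groups" claim to be issued at all.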