Beware that if you also plan on using SAML for authorisation, the Azure SAML response includes only up to 150 groups per user. If your user belongs to more groups, none will be sent back by Azure. MS recommends then falling back on querying the Graph API to get the relevant groups, but Portal does not support that option.
Guillaume, thank you for that post - it's a real "gotcha".
I wonder if it is possible to have AAD filter the list of Groups returned to keep the number below 150?
There seems to be some hope this might be possible, according to this post in a Microsoft forum: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-saml-is-it-possible-...
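To make the 150-group limit from the first post concrete, here is an added example (not from either poster and not Portal's code) of a service-provider check that tells "user is not in the group" apart from "Azure sent no groups". It assumes the assertion's signature has already been validated, and it assumes the two claim URIs below, which come from Microsoft's documentation rather than this thread; confirm them against a real assertion from your tenant. The function names and sample values are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed claim names (Microsoft documentation, not this thread).
GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GROUPS_LINK = "http://schemas.microsoft.com/claims/groups.link"  # overage marker


def _assertion(attrs):
    """Build a constructed, unsigned sample assertion for this demo only."""
    body = "".join(
        f'<saml:Attribute Name="{name}">'
        + "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in vals)
        + "</saml:Attribute>"
        for name, vals in attrs.items()
    )
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
        f"<saml:AttributeStatement>{body}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


def group_decision(assertion_xml, required_group):
    """Return 'allow', 'deny' or 'overage' for an already-verified assertion.

    'overage' means the groups were withheld (more than 150 memberships), so
    the caller must resolve groups another way or refuse; it must never be
    treated as an empty group list that silently passes or fails a rule.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {
        a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
        for a in root.iterfind(".//saml:Attribute", NS)
    }
    if GROUPS_LINK in attrs:
        return "overage"
    groups = attrs.get(GROUPS)
    if not groups:
        return "deny"  # no group data at all: fail closed
    return "allow" if required_group in groups else "deny"


# Constructed samples: a normal response and an overage response.
NORMAL = _assertion({GROUPS: ["aaaa-1111", "bbbb-2222"]})
OVERAGE = _assertion({GROUPS_LINK: ["https://graph.example.invalid/constructed"]})
```

Logging the "overage" outcome separately from "deny" makes affected users visible before they report missing access.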