
I cannot get an access token to use the Azure AD API to fetch user groups: there was an error issuing a token.

Updated: 2023-02-15 08:23:48


I am trying to get user groups. I implemented SAML, but it does not return the user groups.

I have:
Azure AD directory:
Directory id = {directory id}

Enterprise application with SAML authentication that works:

Application id = {enterprise app id}

Application in apps.dev.microsoft.com:
Application id = {app id}
Client secret = {secret}

https://login.microsoftonline.com/{directory id}/oauth2/authorize?client_id={enterprise app id}&response_type=code&redirect_uri={uri}&prompt=admin_consent


POST https://login.microsoftonline.com/{directory id}f/oauth2/v2.0/token
Post fields:
grant_type=authorization_code
client_id={enterprise app id}
scope=https://graph.microsoft.com/v1.0/me/memberOf
code=code from previous request
redirect_uri={enterprise app redirect uri}

Response:
AADSTS50000: There was an error issuing a token.

When I try with the {app id} and Client secret I get:

https://login.microsoftonline.com/{directory id}/oauth2/authorize?client_id={app id}&response_type=code&redirect_uri={uri}&prompt=admin_consent

POST https://login.microsoftonline.com/{directory id}f/oauth2/v2.0/token
Post fields:
grant_type=authorization_code
client_id={app id}
scope=https://graph.microsoft.com/v1.0/me/memberOf
code=code from previous request
redirect_uri={app redirect uri}
client_secret={secret}

Got the same error:
There was an error issuing a token.

I do not think you are passing the correct scope to the token endpoint; you need to pass the scope like below. For the default scope, pass:

scope=https%3A%2F%2Fgraph.microsoft.com%2F.default (https://graph.microsoft.com/.default)

or, if you know the scopes, you can pass them like this:

scope=https%3A%2F%2Fgraph.microsoft.com%2Fuser.read
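As an added example (not part of the answer above or of any Microsoft library), the following Python builds the v2.0 authorization-code token request with a resource-permission scope such as https://graph.microsoft.com/.default, rejects the mistake in the question (a Graph API path like /v1.0/me/memberOf passed as the scope), and shows where that path actually belongs. Tenant, client and code values are constructed placeholders; the helper names are my own.

```python
# Added example, not code from the original post. All ids are constructed placeholders.
from urllib.parse import urlencode

GRAPH_RESOURCE = "https://graph.microsoft.com"
GRAPH_API = GRAPH_RESOURCE + "/v1.0"
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}
LOGIN = "https://login.microsoftonline.com"


def validate_scope(scope: str) -> str:
    """Accept a space-separated v2.0 scope string made of OIDC scopes and Graph
    permissions (https://graph.microsoft.com/<permission> or /.default).
    Reject a Graph *endpoint path* (v1.0/..., beta/...), which is what the
    question's request sent and what the token endpoint will not issue a token for."""
    for s in scope.split():
        if s in OIDC_SCOPES:
            continue
        if not s.startswith(GRAPH_RESOURCE + "/"):
            raise ValueError(f"not a Graph resource scope: {s}")
        permission = s[len(GRAPH_RESOURCE) + 1:]
        if "/" in permission or permission in ("v1.0", "beta"):
            raise ValueError(f"{s!r} is an API path, not a permission; call it with the token instead")
    return scope


def build_authorize_url(tenant, client_id, redirect_uri, scope):
    """v2.0 authorize leg, matched to the v2.0 token endpoint used below (assumed pairing)."""
    validate_scope(scope)
    query = {"client_id": client_id, "response_type": "code",
             "redirect_uri": redirect_uri, "scope": scope}
    return f"{LOGIN}/{tenant}/oauth2/v2.0/authorize?" + urlencode(query)


def build_token_request(tenant, client_id, code, redirect_uri, scope, client_secret=None):
    """Return (url, form-encoded body) for the authorization_code grant.
    urlencode percent-encodes the scope, giving scope=https%3A%2F%2Fgraph.microsoft.com%2F.default."""
    validate_scope(scope)
    fields = {"grant_type": "authorization_code", "client_id": client_id,
              "scope": scope, "code": code, "redirect_uri": redirect_uri}
    if client_secret:  # confidential client only; never put the secret in a browser leg
        fields["client_secret"] = client_secret
    return f"{LOGIN}/{tenant}/oauth2/v2.0/token", urlencode(fields)


def group_request_for(access_token):
    """The memberOf path belongs on the Graph call, with the bearer token in the header."""
    return GRAPH_API + "/me/memberOf", {"Authorization": "Bearer " + access_token}
```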