So, Short Version:

• Update the App Manifest to set the groupMembershipClaims property SecurityGroup
• Create a Policy. You can retrieve the Groups Object Id from the Azure Portal Azure Active Directory Blade under Groups.

    public static class HQAuthorizationPolicy
    {
        public static string Name => "HQ Users";

        public static void Build(AuthorizationPolicyBuilder builder) =>
            builder.RequireClaim("groups", "xxxxxxxx-xxxx-xxxxx-xxxx-xxxx26638fa6");
     }

Setup the Policy just before .AddMvc()

            services.AddAuthorization(options =>
            {
                options.AddPolicy(HQAuthorizationPolicy.Name, HQAuthorizationPolicy.Build);
            });
            services.AddMvc(options =>
            {
                var policy = new AuthorizationPolicyBuilder()
                    .RequireAuthenticatedUser()
                    .Build();
                options.Filters.Add(new AuthorizeFilter(policy));
            })
            .SetCompatibilityVersion(CompatibilityVersion.Version_2_1);

And now I can decorate the Controllers.

 [Authorize("HQ Users")]
 public class HomeController : Controller
    {
         ...

I ran into a problem though: If I attempt to access the page with a non-valid user, I get an AccessDenied error but the route to this URL is 404 missing.

https://localhost:5001/Account/AccessDenied?ReturnUrl=%2FHome%2FAbout

HTTP 404 error  
That’s odd... Microsoft Edge can’t find this page  

Accordring to this post, the tooling isn’t there yet, so I should manually add the following. Note that most seems to be implemented now. All that seems to be missing is the AccessDenied action and the AccessDenied View.

 public partial class AccountController : Controller
    {
        //[HttpGet]
        //public IActionResult SignIn()
        //{
        //    return Challenge(
        //        new AuthenticationProperties { RedirectUri = "/" }, OpenIdConnectDefaults.AuthenticationScheme);
        //}

        //[HttpGet]
        //public IActionResult SignOut()
        //{
        //    var callbackUrl = Url.Action(nameof(SignedOut), "Account", values: null, protocol: Request.Scheme);
        //    return SignOut(new AuthenticationProperties { RedirectUri = callbackUrl },
        //        CookieAuthenticationDefaults.AuthenticationScheme, OpenIdConnectDefaults.AuthenticationScheme);
        //}

        //[HttpGet]
        //public IActionResult SignedOut()
        //{
        //    if (HttpContext.User.Identity.IsAuthenticated)
        //    {
        //        return RedirectToAction(nameof(HomeController.Index), "Home");
        //    }

        //    return View();
        //}

        [HttpGet]
        public IActionResult AccessDenied()
        {
            return View();
        }
    }

AccessDenied.cshtml

@{
    ViewData["Title"] = "Access Denied";
}

<header>  
    <h1 class="text-danger">Access Denied.</h1>
    <p class="text-danger">You do not have access to this resource.</p>
</header>

References

• Authorization in a web app using Azure AD application roles & role claims
• Role Based Authorization in ASP.NET Core with Azure AD Groups
• Using Azure AD with ASP.NET Core