Golide

Reputation: 1007

Keycloak: How do I automatically import AD groups when using Identity Brokering

I am making some changes to the SAML IdP (ADFS) configuration in Keycloak. For this configuration users are registered into Keycloak using the First Login flow. Currently the First Login flow imports only basic user information and nothing relating to the user's associated AD groups.

Currently I am using the default groups feature, which automatically assigns group membership whenever a new user is created or imported through identity brokering.

How do I ensure that the AD groups are also imported when a user is imported via the First Login flow?

My use-case is to eventually have AD group name information at the client end (Grafana). Currently when a user logs in to Grafana with Keycloak only the username and email are available.

This is how the Grafana client's Client Scopes look in Keycloak (it has no configured mappers):

grafana-client

Under Client Scopes I can see a scope with the name group was created and it has the following settings:

  1. "Include In Token Scope" - Enabled
  2. "Display On Consent Screen" - Enabled
  3. "Type" - Optional
  4. "Protocol" - OpenID Connect

Under the user's "Attributes" tab I also don't see anything, suggesting the AD groups are not being added for any First Login flow imports.

I am also unsure if I will need to map the AD groups to Keycloak roles. If yes, why is it necessary?

Upvotes: 0

Views: 579
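As an added example (not part of the question above, and not Keycloak's own code), the two mapper definitions this setup needs, built as Keycloak Admin REST API payloads: an identity provider mapper of type "Advanced Attribute to Group" on the ADFS broker, which maps a group attribute value in the SAML assertion to an existing Keycloak group, and a "Group Membership" protocol mapper on the Grafana client, which puts that membership into the token as a claim. The realm name, broker alias, client UUID, SAML attribute name and group names are assumptions; the groups must already exist in Keycloak.

```python
import json
import urllib.request

# Assumed values for illustration; replace with those of your realm.
KEYCLOAK = "https://keycloak.example.test"
REALM = "myrealm"
IDP_ALIAS = "adfs"                                        # SAML broker alias
CLIENT_UUID = "00000000-0000-0000-0000-000000000000"      # internal id of grafana-client
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"    # assumed group claim sent by ADFS


def idp_group_mapper(ad_group: str, keycloak_group_path: str) -> dict:
    """Broker mapper: if the assertion carries GROUP_ATTR == ad_group, add the
    user to keycloak_group_path. syncMode FORCE re-evaluates this on every
    login rather than only at first login, so AD changes are reflected."""
    return {
        "name": f"ad-group-{ad_group}",
        "identityProviderAlias": IDP_ALIAS,
        "identityProviderMapper": "saml-advanced-group-idp-mapper",
        "config": {
            "syncMode": "FORCE",
            "attributes": json.dumps([{"key": GROUP_ATTR, "value": ad_group}]),
            "are.attribute.values.regex": "false",
            "group": keycloak_group_path,
        },
    }


def group_claim_mapper(claim_name: str = "groups") -> dict:
    """Client protocol mapper: expose Keycloak group membership as a claim in
    the ID token, access token and userinfo, which is what Grafana can read."""
    return {
        "name": "groups",
        "protocol": "openid-connect",
        "protocolMapper": "oidc-group-membership-mapper",
        "config": {"claim.name": claim_name, "full.path": "false",
                   "id.token.claim": "true", "access.token.claim": "true",
                   "userinfo.token.claim": "true"},
    }


def post_mapper(path: str, admin_token: str, body: dict) -> int:
    """POST one mapper to the admin API and return the HTTP status (201 on success)."""
    req = urllib.request.Request(
        f"{KEYCLOAK}/admin/realms/{REALM}/{path}", method="POST",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {admin_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

The broker mapper is posted to `identity-provider/instances/<alias>/mappers` and the client mapper to `clients/<uuid>/protocol-mappers/models`; one broker mapper is needed per AD group you want to carry over.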

Answers (0)
