Reputation: 33
We have a .NET application running on AWS ECS sitting behind an ALB. We would like to authenticate and authorize access to the application via Microsoft AD Groups. After setting up Cognito with AD Groups as the IDP, is there a way to access the user group the user is part of when logging in? Is it possible to send that information via ALB to the application as a cookie or header?
We are performing a POC to validate connectivity between Cognito and the .NET application right now. Authentication via the Cognito user pool was successful, but we could not find the authorization code to verify the groups it is part of. We are looking for ways to get access to the groups as well. If this step is complete, we will move on to configuring the IDP and checking the entire process again.
Are there any other approaches to this problem? Does using API Gateway instead of ALB make more sense?
Upvotes: 0
Views: 39