This change makes it so that the group membership check is skipped if group_id is empty.
The reasoning is that if our azure app is not authorised to read group membership with /checkMemberGroups, then this is a way to make pam_aad not worry about it, rather than error. (And group based access can be enforced with other PAM modules, if required.)
Source: https://github.com/CyberNinjas/pam_aad/pull/61