Assuming your code is good (it's hard to tell with just the snippet), your main issue is that you're using Role instead of Group. Roles and groups are different concepts in the Graph. A Role returned by the Graph is not intended for role-based access control (RBAC), whereas a Group can (and should) be used for that purpose. See my other answer here for more information.
Also, without knowing the needs of your application, you should only be using ACS if you need to authenticate with multiple identity providers. It looks like you're just using Azure AD as your IdP, so you can authenticate directly to the service instead of using ACS as a middleman.
This topic about authorization and RBAC in Azure AD and the accompanying code sample should help you understand more about how roles and groups are used in Azure AD and the Graph.