No app roles returned by Azure AD

Having followed the instructions at https://grafana.com/docs/grafana/latest/auth/azuread/#enable-azure-ad-oauth-in-grafana, it seems like the custom Enterprise application roles are not included in the token provided to Grafana, and the role always defaults to Viewer. The token looks like this:

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "..."
}.{
  "aud": "...",
  "iss": "https://login.microsoftonline.com/.../v2.0",
  "iat": 1607519598,
  "nbf": 1607519598,
  "exp": 1607523498,
  "aio": "REDACTED",
  "groups": [
    "REDACTED",
    "REDACTED",
    ...
  ],
  "name": "REDACTED",
  "oid": "REDACTED",
  "preferred_username": "REDACTED",
  "rh": "REDACTED",
  "sub": "REDACTED",
  "tid": "REDACTED",
  "uti": "REDACTED",
  "ver": "2.0",
  "wids": [
    "REDACTED",
    "REDACTED"
  ]
}.[Signature]

Additionally I followed https://github.com/grafana/grafana/issues/23358#issuecomment-610919226 and the linked PR (#23465) with no difference.

Is there a scope missing in the Grafana config or something else to configure on the App registration?
How can I debug this?

The Azure OIDC client generates the token, so the Azure forum/support is the best audience for your question.

Hello, are you looking for enterprise application roles?

Yes, as per https://grafana.com/docs/grafana/latest/auth/azuread/#enable-azure-ad-oauth-in-grafana
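
One way to approach the "How can I debug this?" question locally, as an added example that is not part of the original thread or Grafana's code: decode the ID token payload and report whether it carries a `roles` claim, which is where Azure AD emits assigned app roles. The helper names and sample tokens are constructed for illustration, and the signature is not verified, so this is for inspection only.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (inspection only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def diagnose(claims: dict) -> dict:
    """Summarise the claims that matter when app roles seem to be missing."""
    roles = claims.get("roles") or []
    if isinstance(roles, str):  # tolerate a single string value
        roles = [roles]
    return {
        "has_roles_claim": bool(roles),
        "roles": roles,
        "token_version": claims.get("ver"),
        "group_count": len(claims.get("groups", [])),
    }


def make_sample(payload: dict) -> str:
    """Build an unsigned, constructed sample token so the script runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT", "alg": "RS256"}), enc(payload), "c2ln"])


# Constructed samples: the first mirrors the token shape in the question
# (groups and wids, no roles); the second adds a hypothetical role value.
BASE = {"ver": "2.0", "groups": ["g1", "g2"], "wids": ["w1"]}
WITHOUT_ROLES = make_sample(BASE)
WITH_ROLES = make_sample({**BASE, "roles": ["Editor"]})

if __name__ == "__main__":
    for label, tok in (("without", WITHOUT_ROLES), ("with", WITH_ROLES)):
        print(label, diagnose(decode_unverified(tok)))
```

A token that reports `has_roles_claim: False`, like the one in the question, points at the app registration side (role definitions and user or group assignment) rather than at Grafana's parsing.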