No app roles returned by Azure AD

Having followed the instructions at it seems like the custom Enterprise application roles are not included in the token provided to Grafana, but always defaults to Viewer. The token looks like this:

  "typ": "JWT",
  "alg": "RS256",
  "kid": "..."
  "aud": "...",
  "iss": "",
  "iat": 1607519598,
  "nbf": 1607519598,
  "exp": 1607523498,
  "aio": "REDACTED",
  "groups": [
  "name": "REDACTED",
  "oid": "REDACTED",
  "preferred_username": "REDACTED",
  "rh": "REDACTED",
  "sub": "REDACTED",
  "tid": "REDACTED",
  "uti": "REDACTED",
  "ver": "2.0",
  "wids": [

Additionally I followed and the linked PR (#23465) with no difference.

Is there a scope missing in the Grafana config or something else to configure on the App registration?
How can I debug this???
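Added example (not part of the original thread, and not Grafana's or Microsoft's code): one way to check whether a token carries app roles at all is to decode it locally and look for the `roles` claim, which is where Azure AD places assigned app roles. The sample tokens, the role value `Admin`, and the helper names are constructed for illustration; the signature is not verified, so this is for inspection only.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def inspect_token(token: str) -> dict:
    """Decode a JWT WITHOUT verifying its signature and report role-related claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    roles = payload.get("roles")
    if isinstance(roles, str):  # tolerate a single string instead of a list
        roles = [roles]
    return {
        "alg": header.get("alg"),
        "claims": sorted(payload),               # claim names only, no values
        "has_roles_claim": "roles" in payload,
        "roles": roles or [],
        "has_groups_claim": "groups" in payload,
    }

def make_sample(payload: dict) -> str:
    # Constructed, unsigned sample token for offline use; the signature is a dummy.
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(payload).encode()),
        b64url_encode(b"not-a-real-signature"),
    ])

# Constructed payloads: one shaped like the token in the post (groups and wids,
# no roles), and one that has an app role assigned.
WITHOUT_ROLES = make_sample(
    {"ver": "2.0", "groups": ["constructed-group-id"], "wids": ["constructed-wid"]}
)
WITH_ROLES = make_sample({"ver": "2.0", "roles": ["Admin"]})

if __name__ == "__main__":
    for name, tok in (("without roles", WITHOUT_ROLES), ("with roles", WITH_ROLES)):
        print(name, json.dumps(inspect_token(tok), indent=2))
```

If `has_roles_claim` is false for the real token, the gap is on the identity-provider side (role definition or assignment) rather than in how the token is consumed.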

The Azure OIDC client generates the token, so the Azure forum/support is the best audience for your question.

Hello, are you looking for enterprise application roles?

Yes, as per