Authentication problem with Entra App OIDC on 8.13.4

Hi, we have configured an Entra app for OIDC with the correct redirect URI and the correct group claim. I want the OIDC configuration to check the claim to see whether I am a member of a specific AD group. The client secret is also stored in the keystore. I have created a role mapping specifying the realm and the ID of the AD group.

The OIDC configuration

oidc.oidc1:
  order: 2
  rp.client_id: "client_id"
  rp.response_type: "code"
  #rp.requested_scopes: ["openid", "email", "profile"]
  rp.redirect_uri: "<KIBANA_URL>/api/security/oidc/callback"
  op.issuer: "https://login.microsoftonline.com/<TENANT_ID>/v2.0"
  op.authorization_endpoint: "https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/authorize"
  op.token_endpoint: "https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token"
  op.endsession_endpoint: "https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/logout"
  op.jwkset_path: "https://login.microsoftonline.com/<TENANT_ID>/discovery/v2.0/keys"
  op.userinfo_endpoint: "https://graph.microsoft.com/oidc/userinfo"
  rp.post_logout_redirect_uri: "<KIBANA_URL>/logged_out"
  claims.principal: email
  claims.groups: groups

The Kibana config

xpack.security.authc.providers:
  oidc.oidc1:
    order: 0
    realm: oidc1
    description: "Sign in with Entra ID (SSO)"
  basic.basic1:
    order: 1

Role mapping

role_mapping:
  enabled: true
  roles:
    - log_reader
  rules:
    all:
      - field: { realm.name: "oidc1" }
      - field: { groups: "AD GROUP OBJECT ID" }

Microsoft graph permission on the Entra app

email - delegated permission
Group.Read.All - application permission
GroupMember.Read.All - delegated permission
openid - delegated permission
profile - delegated permission
User.Read - delegated permission
User.ReadBasic.All - delegated permission

When I log in, I get redirected to login.microsoftonline.com to fill in my user credentials. After that I get redirected to Kibana again, but with msg=UNAUTHENTICATED and the display text "Try logging in again, and if the problem persists, contact your system administrator".

I have enabled trace logging, but I can't see that the OIDC configuration is being triggered at all.

PUT _cluster/settings
{
  "transient": {
    "logger.org.elasticsearch.xpack.security.authc": "trace"
  }
}

Any idea what I'm doing wrong?

UPDATE:
I get these errors when I comment out the scope and set claims.principal: sub

Failed to consume the OpenIdConnectToken
Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by org.elasticsearch.ElasticsearchSecurityException: Failed to exchange code for Id Token using the Token Endpoint
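An offline check for the two things this realm depends on, added here as an example and not part of the original post or of Elasticsearch: that the realm's op.* endpoints agree with what the tenant's discovery document publishes, and that an ID token actually carries the claims named in claims.principal and claims.groups (including Entra's group-overage case, where a long group list is replaced by a reference under _claim_names). The discovery document, the token payload and all helper names are constructed for the example; only the Python standard library is used.

```python
import base64
import json
# Realm settings transcribed from the post; the tenant id stays a placeholder.
AUTHORITY = "https://login.microsoftonline.com/<TENANT_ID>"
REALM = {
    "op.issuer": f"{AUTHORITY}/v2.0",
    "op.authorization_endpoint": f"{AUTHORITY}/oauth2/v2.0/authorize",
    "op.token_endpoint": f"{AUTHORITY}/oauth2/v2.0/token",
    "op.jwkset_path": f"{AUTHORITY}/discovery/v2.0/keys",
    "claims.principal": "email",
    "claims.groups": "groups",
}
# Constructed stand-in for <AUTHORITY>/v2.0/.well-known/openid-configuration;
# fetch the tenant's real document and pass that in instead of this dict.
DISCOVERY = {
    "issuer": f"{AUTHORITY}/v2.0",
    "authorization_endpoint": f"{AUTHORITY}/oauth2/v2.0/authorize",
    "token_endpoint": f"{AUTHORITY}/oauth2/v2.0/token",
    "jwks_uri": f"{AUTHORITY}/discovery/v2.0/keys",
}
# Realm setting -> discovery-document field it must agree with.
FIELDS = {"op.issuer": "issuer", "op.authorization_endpoint": "authorization_endpoint",
          "op.token_endpoint": "token_endpoint", "op.jwkset_path": "jwks_uri"}
# Constructed ID-token payload: no 'email' claim (only 'openid' was requested) and the
# 'groups' list replaced by Entra's overage reference for a user in many groups.
SAMPLE_PAYLOAD = {"sub": "constructed-subject", "preferred_username": "alice@example.com",
                  "_claim_names": {"groups": "src1"}}

def unsigned_jwt(payload):
    # Signature-less token so the decoder below can be exercised offline.
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return enc(b'{"alg":"none"}') + "." + enc(json.dumps(payload).encode()) + "."

def jwt_payload(token):
    # Decode the claims segment for inspection only; the realm verifies the signature.
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def endpoint_mismatches(realm, discovery):
    # Realm op.* settings whose value differs from what the provider publishes.
    return [k for k, f in FIELDS.items() if realm.get(k) != discovery.get(f)]

def claim_problems(realm, payload):
    # Realm claims the token lacks; a name under _claim_names is the overage form.
    out = []
    for setting in ("claims.principal", "claims.groups"):
        claim = realm[setting]
        if claim not in payload:
            kind = "overage reference" if claim in payload.get("_claim_names", {}) else "absent"
            out.append(f"{setting}={claim}: {kind}")
    return out
```

Run `claim_problems(REALM, jwt_payload(token))` on a token copied from the realm's trace output to see which configured claim the provider never sent.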