For Entra ID email is not a valid scope. Also removed the ( and ) as this is not valid for .env

Enabling-SSO-support-using-OpenId-Connect.md

@@ -199,10 +199,10 @@ Only the v2 endpoint is compliant with the OpenID spec, see <https://github.com/
 
 Your configuration should look like this:
 
-* `SSO_AUTHORITY=https://login.microsoftonline.com/${Directory (tenant) ID}/v2.0`
-* `SSO_SCOPES="email profile offline_access"`
-* `SSO_CLIENT_ID=${Application (client) ID}`
-* `SSO_CLIENT_SECRET=${Secret Value}`
+* `SSO_AUTHORITY=https://login.microsoftonline.com/${Directory_ID}/v2.0` #tenant
+* `SSO_SCOPES=openid profile offline_access User.Read`
+* `SSO_CLIENT_ID=${Application_ID}` #client
+* `SSO_CLIENT_SECRET=${Secret_Value}`
 
 ## Rauthy