When we configured Cumulocity to integrate SSO with azure, we needed to use the custom template to have OAUTH2 work. Specifically, we needed to add the scope field and set the scope to ${clientId}/.default