Request groups from AD

I have set up Azure AD as an Identity provider and now I want to map AD groups to Keycloak groups. That is: if the user is a member of the AD group X, then he/she should be a member of the Keycloak group Y. But when I configure the Identity Provider in Keycloak and set the Scopes field to “openid groups”, login stops working. The user's browser shows the message “Unexpected error when authenticating with identity provider”.

The Keycloak server logs contain the following entry:
{"timestamp":"2022-12-09T08:28:59.446Z","sequence":8642,"loggerClassName":"org.jboss.logging.Logger","loggerName":"","level":"ERROR","message":"invalid_client for broker login oidc","threadName":"executor-thread-27","threadId":184,"mdc":{},"ndc":"","hostName":"ip-xxx-eu-west-1.compute.internal","processName":"QuarkusEntryPoint","processId":1}

Please advise.