There is an App Registration in Azure where the client id is 00001111-aaaa-2222-bbbb-3333cccc4444, a scope is api://3f4c1d35-3161-4c45-b5ec-ff7be4e89473/access_as_user and a redirect URI is https://jwt.ms. What would be the browser-openable URL that redirects to https://jwt.ms and shows a JWT with the scope on it?
If one uses the az CLI, the commands would be something like:
az login --scope api://3f4c1d35-3161-4c45-b5ec-ff7be4e89473/access_as_user
az account get-access-token --resource "api://3f4c1d35-3161-4c45-b5ec-ff7be4e89473" --scope "api://3f4c1d35-3161-4c45-b5ec-ff7be4e89473/access_as_user" --query accessToken
If one uses the following URL:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=00001111-aaaa-2222-bbbb-3333cccc4444
&response_type=id_token
&redirect_uri=https%3A%2F%2Fjwt.ms
&scope=openid%20api%3A%2F%2F3f4c1d35-3161-4c45-b5ec-ff7be4e89473%2Faccess_as_user
&response_mode=fragment
&state=12345
&nonce=678910
the scope is not included in the JWT.
Initially, I registered a Single-Tenant Microsoft Entra ID Application and added redirect_uri: https://jwt.ms
Configured the authentication tab of the application like below:
Added an Application ID URI and exposed an API access_as_user like below:
Now added the access_as_user permission and granted Admin Consent:
Now, ran below request in the browser:
https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?
client_id=<application-id>
&response_type=token
&redirect_uri=https://jwt.ms
&scope=api://<application-id>/access_as_user
&response_mode=fragment
&state=12345
&nonce=678910
Now, successfully got scp in that JWT:
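As an added example (not code from the question or the answer above), a small Python helper that builds the authorize request the answer uses and then inspects the scp claim of the access token returned in the redirect fragment. The tenant, client id and App ID URI are the placeholder values from this thread, and the sample token is constructed, unsigned, and decoded without signature verification purely for inspection (the same thing jwt.ms does; a real API must verify the signature before trusting scp).

```python
import base64
import json
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"

def build_authorize_url(tenant, client_id, app_id_uri, redirect_uri, state, nonce):
    """v2.0 authorize URL asking for an access token in the fragment (response_type=token).
    response_type=id_token only returns an id_token, which carries no scp claim."""
    params = {
        "client_id": client_id,
        "response_type": "token",
        "redirect_uri": redirect_uri,
        "scope": f"{app_id_uri}/access_as_user",
        "response_mode": "fragment",
        "state": state,
        "nonce": nonce,
    }
    return AUTHORIZE.format(tenant=tenant) + "?" + urlencode(params)

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_jwt_claims(token):
    """Payload claims of a compact JWT, WITHOUT signature verification (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))

def scopes_from_fragment(redirected_url):
    """Scopes in the scp claim of the access_token found in the redirect fragment
    (empty when no access_token is present, e.g. after response_type=id_token)."""
    token = parse_qs(urlparse(redirected_url).fragment).get("access_token", [None])[0]
    if token is None:
        return set()
    return set(decode_jwt_claims(token).get("scp", "").split())

# Constructed sample (not a real Entra token): an unsigned JWT shaped like the one jwt.ms shows.
SAMPLE_TOKEN = ".".join([
    _b64url_encode({"typ": "JWT", "alg": "RS256"}),
    _b64url_encode({"aud": "api://3f4c1d35-3161-4c45-b5ec-ff7be4e89473", "scp": "access_as_user"}),
    "fakesignature",
])
SAMPLE_REDIRECT = "https://jwt.ms/#access_token=" + SAMPLE_TOKEN + "&state=12345&token_type=Bearer"
```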