- Type: Task
- Resolution: Unresolved
- Priority: Major - P3
- None
- Affects Version/s: None
- Component/s: OIDC DB Auth
- 3
- Developer Tools
When setting up OIDC with Entra ID, if the optional 'Requested scopes' field is not filled with '<client id>/.default', users trying to authn will see 'Login successful' in the browser, but authn fails in the shell. In the database access history, there will be three entries: one successful, then two failures because the token issuer is STS and not login.microsoft.com.
To improve this, do not show 'Login successful' in the browser. If it's not a security issue, we could also show a more informative error message than 'authn failure' in the shell.
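A sketch of the more informative error, as an added example that is not code from this project: a client-side check that decodes the token the shell already holds and reports an issuer mismatch. The helper names, the all-zero tenant ID, and both issuer URLs are constructed sample values and assumptions.

```javascript
// Added example, diagnostic only: the payload is decoded WITHOUT signature
// verification, so the result must never be used to make an auth decision.
// It only reads claims from a token the client already holds.
const TENANT = "00000000-0000-0000-0000-000000000000"; // constructed placeholder
const EXPECTED_ISSUER = `https://login.microsoftonline.com/${TENANT}/v2.0`; // assumed configured issuer
const STS_ISSUER = `https://sts.windows.net/${TENANT}/`; // assumed STS-style issuer

function b64urlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(b64, "base64").toString("utf8");
}

function b64urlEncode(text) {
  return Buffer.from(text, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Builds a constructed, unsigned sample token for the demonstration.
function makeSampleToken(iss) {
  const header = b64urlEncode(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const payload = b64urlEncode(JSON.stringify({ iss, sub: "sample-user" }));
  return `${header}.${payload}.constructed-signature`;
}

// Hypothetical helper: explains an issuer-related rejection to the user.
function diagnoseIssuer(token, expectedIssuer) {
  const parts = String(token).split(".");
  if (parts.length !== 3) {
    return { ok: false, reason: "malformed", message: "not a three-part JWT" };
  }
  let claims;
  try {
    claims = JSON.parse(b64urlDecode(parts[1]));
  } catch (e) {
    return { ok: false, reason: "malformed", message: "payload is not valid JSON" };
  }
  if (!claims || typeof claims.iss !== "string") {
    return { ok: false, reason: "missing_iss", message: "token has no 'iss' claim" };
  }
  if (claims.iss === expectedIssuer) { // exact match, no normalisation
    return { ok: true, reason: "match", message: "issuer matches configuration" };
  }
  return { ok: false, reason: "issuer_mismatch",
    message: `token issuer "${claims.iss}" does not match configured issuer ` +
      `"${expectedIssuer}"; check the 'Requested scopes' field` };
}

console.log(diagnoseIssuer(makeSampleToken(STS_ISSUER), EXPECTED_ISSUER).message);
```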