diff --git a/src/Plugin/OpenIDConnectClient/WindowsAad.php b/src/Plugin/OpenIDConnectClient/WindowsAad.php
index bbb49c5..24f11e5 100644
--- a/src/Plugin/OpenIDConnectClient/WindowsAad.php
+++ b/src/Plugin/OpenIDConnectClient/WindowsAad.php
@@ -264,6 +264,9 @@ as the mapping between Azure AD accounts and Drupal users.<br/>
     if ($this->configuration['subject_key'] === 'oid') {
       $scopes[] = 'profile';
     }
+    if ($this->configuration['userinfo_graph_api_wa'] === 2) {
+      $scopes[] = 'User.Read';
+    }
     return array_unique($scopes);
   }
 
@@ -447,7 +450,7 @@ as the mapping between Azure AD accounts and Drupal users.<br/>
           $profile_data['email'] = $profile_data[$upn];
         }
       }
-      else {
+      elseif (!isset($profile_data['email']) && isset($profile_data['mail'])) {
         // OpenID Connect module expects the 'email' token for userinfo.
         $profile_data['email'] = $profile_data['mail'];
       }