diff --git a/gooddata-server-oauth2-autoconfigure/src/main/kotlin/AuthenticationUtils.kt b/gooddata-server-oauth2-autoconfigure/src/main/kotlin/AuthenticationUtils.kt
index 877288c..d67f0e3 100644
--- a/gooddata-server-oauth2-autoconfigure/src/main/kotlin/AuthenticationUtils.kt
+++ b/gooddata-server-oauth2-autoconfigure/src/main/kotlin/AuthenticationUtils.kt
@@ -238,9 +238,9 @@ private fun ClientRegistration.Builder.withScopes(
 ): ClientRegistration.Builder {
     // in the future, we could check mandatory scopes against the supported ones
     val mandatoryScopes = listOf(OIDCScopeValue.OPENID, OIDCScopeValue.PROFILE).map(Scope.Value::getValue)
-    val userGroupsScope = if (jitEnabled == true) listOf(GD_USER_GROUPS_SCOPE) else listOf()
+    val userGroupsScope = if (jitEnabled == true) listOf(OIDCScopeValue.EMAIL.value, GD_USER_GROUPS_SCOPE) else listOf()
     val optionalScopes = supportedScopes
-        ?.filter { scope -> scope in listOf(OIDCScopeValue.EMAIL, OIDCScopeValue.OFFLINE_ACCESS) }
+        ?.filter { scope -> scope in listOf(OIDCScopeValue.OFFLINE_ACCESS) }
         ?.map(Scope.Value::getValue)
         ?: listOf()
     return scope(mandatoryScopes + optionalScopes + userGroupsScope)
diff --git a/gooddata-server-oauth2-autoconfigure/src/test/kotlin/AuthenticationUtilsTest.kt b/gooddata-server-oauth2-autoconfigure/src/test/kotlin/AuthenticationUtilsTest.kt
index 2ccad40..e4b9a72 100644
--- a/gooddata-server-oauth2-autoconfigure/src/test/kotlin/AuthenticationUtilsTest.kt
+++ b/gooddata-server-oauth2-autoconfigure/src/test/kotlin/AuthenticationUtilsTest.kt
@@ -300,7 +300,7 @@ internal class AuthenticationUtilsTest {
         @JvmStatic
         fun jitEnabledArguments() = Stream.of(
             Arguments.of(true, listOf("openid", "profile", "email", "offline_access", GD_USER_GROUPS_SCOPE)),
-            Arguments.of(false, listOf("openid", "profile", "email", "offline_access"))
+            Arguments.of(false, listOf("openid", "profile", "offline_access"))
         )
 
         @Language("json")