Password grant requires client_id and client_secret. Try the parameters below.
curl --location \
--request POST \
'https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id={clientId}' \
--data-urlencode 'client_secret={clientSecret}' \
--data-urlencode 'username={username}' \
--data-urlencode 'password={password}' \
--data-urlencode 'scope=User.Read profile openid email' \
--data-urlencode 'grant_type=password'
You may want to use any default scope like email in case it still doesn't work.
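The same request built in Python, plus a helper that maps the token endpoint's JSON error to the form field to re-check. This is an added example, not part of the original answer; the function names, the hint table and the sample response are assumptions made for illustration, and the error values are the standard OAuth 2.0 ones from RFC 6749 section 5.2.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# RFC 6749 section 5.2 error values mapped to the request field to re-check.
# The hint wording is illustrative, not text returned by the server.
HINTS = {
    "invalid_client": "client_id / client_secret missing or wrong",
    "invalid_grant": "username / password rejected for this grant",
    "invalid_scope": "scope value malformed or not granted",
    "unsupported_grant_type": "grant_type=password not accepted",
    "invalid_request": "a required form parameter is missing or repeated",
}

# Constructed sample error body, not captured from a real tenant.
SAMPLE_ERROR = '{"error": "invalid_client", "error_description": "constructed sample"}'


def build_token_request(tenant, client_id, client_secret, username, password,
                        scope="User.Read profile openid email"):
    """Build (but do not send) the POST that the curl command above makes."""
    form = {
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
        "scope": scope,
        "grant_type": "password",
    }
    # urlencode percent-encodes reserved characters in secrets and passwords.
    body = urlencode(form).encode("ascii")
    return Request(TOKEN_URL.format(tenant=tenant), data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


def explain_token_response(raw):
    """Return ('ok', token_type) or ('error', hint) for a token-endpoint JSON body."""
    doc = json.loads(raw)
    if "access_token" in doc:
        return "ok", doc.get("token_type", "")
    code = doc.get("error", "unknown")
    return "error", f"{code}: {HINTS.get(code, 'see error_description')}"


if __name__ == "__main__":
    print(explain_token_response(SAMPLE_ERROR))
```

Pass the result of `build_token_request` to `urllib.request.urlopen` to send it, and read the client secret and password from the environment or a secrets store rather than hard-coding them.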