Understanding Scopes in Azure OAuth2 Client Credentials Flow

In Azure OAuth2 Client Credentials Flow, scopes define the level of access that an application (not a user) is granted when calling an API.

How Scopes Work in Client Credentials Flow

• Unlike Delegated Permissions (which require user consent), the Client Credentials Flow uses Application Permissions.
• The requested scope determines which API and what level of access the application has.
• The scope format typically follows this structure:

  https://{resource}/.default

• "{resource}" = API you're accessing (e.g., "graph.microsoft.com" for Microsoft Graph API).
• ".default" = Automatically applies all granted application permissions for the app.

Scope Format Examples

Here are some common scope examples:

Granting Permissions for Scopes

• Before an application can use a scope, an Azure AD administrator must grant the corresponding permissions.
• Steps to grant API permissions:
  1. Go to Azure Portal > Azure AD > App Registrations > Your App.
  2. Go to "API permissions".
  3. Click "Add a permission" and select the desired API.
  4. Choose "Application permissions" (not "Delegated permissions").
  5. Click "Grant admin consent" (admin role required).

Using Scopes in OAuth2 Token Requests

When requesting an access token, you must specify the scope in the token request.

Example Token Request (Microsoft Graph API)

curl -X POST "https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/v2.0/token" \
       -H "Content-Type: application/x-www-form-urlencoded" \
       -d "client_id=YOUR_CLIENT_ID" \
       -d "client_secret=YOUR_CLIENT_SECRET" \
       -d "scope=https://graph.microsoft.com/.default" \
       -d "grant_type=client_credentials"

Example Response

{
"token_type": "Bearer",
"expires_in": 3600,
"access_token": "eyJ0eXAiOiJKV1QiLCJhb..."
}

• The access token contains the granted permissions and can be used for API calls.