Microsoft Active Directory · OAuth Scopes

Microsoft Active Directory OAuth Scopes

OAuth 2.0 derived

Microsoft Active Directory publishes 11 OAuth 2.0 scopes via the authorizationCode and clientCredentials flows. Scopes are the fine-grained permissions an application requests at authorization time to act against the Microsoft Active Directory API on a user’s behalf.

Tokens are issued from https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token.

This index is generated from the provider’s OpenAPI security definitions (and, where available, its documented scope reference) and refreshes on every APIs.io network build. Browse every provider’s scopes at scopes.apis.io.

Active DirectoryAuthenticationAuthorizationDirectory ServicesIdentity ManagementMicrosoft EntraZero Trust
Scopes: 11 Flows: authorizationCode, clientCredentials Method: derived

OAuth endpoints

Authorization URL
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
Token URL
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Flows
authorizationCodeclientCredentials

Scopes (11)

ScopeDescriptionFlows
Application.Read.All Read all applications authorizationCode, clientCredentials
Application.ReadWrite.All Read and write all applications authorizationCode, clientCredentials
Directory.Read.All Read directory data authorizationCode, clientCredentials
Directory.ReadWrite.All Read and write directory data authorizationCode, clientCredentials
Group.Read.All Read all groups authorizationCode, clientCredentials
Group.ReadWrite.All Read and write all groups authorizationCode, clientCredentials
User.Read Read signed-in user's profile authorizationCode
User.Read.All Read all users' full profiles authorizationCode, clientCredentials
User.ReadBasic.All Read all users' basic profiles authorizationCode
User.ReadWrite Read and write signed-in user's profile authorizationCode
User.ReadWrite.All Read and write all users' full profiles authorizationCode, clientCredentials

Source

OAuth Scopes

active-directory-scopes.yml Raw ↑
generated: '2026-07-11'
method: derived
source: openapi/active-directory-applications-openapi.yaml, openapi/active-directory-groups-openapi.yaml,
  openapi/active-directory-users-openapi.yaml
schemes:
- name: oauth2
  source: openapi/active-directory-applications-openapi.yaml
  flows:
  - flow: authorizationCode
    authorizationUrl: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
    tokenUrl: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
  - flow: clientCredentials
    tokenUrl: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
- name: oauth2
  source: openapi/active-directory-groups-openapi.yaml
  flows:
  - flow: authorizationCode
    authorizationUrl: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
    tokenUrl: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
  - flow: clientCredentials
    tokenUrl: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
  description: OAuth2 with Microsoft identity platform (Azure AD)
- name: oauth2
  source: openapi/active-directory-users-openapi.yaml
  flows:
  - flow: authorizationCode
    authorizationUrl: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
    tokenUrl: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
  - flow: clientCredentials
    tokenUrl: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
  description: OAuth2 with Microsoft identity platform (Azure AD)
scopes:
- scope: Application.Read.All
  description: Read all applications
  flows:
  - authorizationCode
  - clientCredentials
  sources:
  - openapi/active-directory-applications-openapi.yaml
- scope: Application.ReadWrite.All
  description: Read and write all applications
  flows:
  - authorizationCode
  - clientCredentials
  sources:
  - openapi/active-directory-applications-openapi.yaml
- scope: Directory.Read.All
  description: Read directory data
  flows:
  - authorizationCode
  - clientCredentials
  sources:
  - openapi/active-directory-applications-openapi.yaml
  - openapi/active-directory-groups-openapi.yaml
  - openapi/active-directory-users-openapi.yaml
- scope: Directory.ReadWrite.All
  description: Read and write directory data
  flows:
  - authorizationCode
  - clientCredentials
  sources:
  - openapi/active-directory-groups-openapi.yaml
  - openapi/active-directory-users-openapi.yaml
- scope: Group.Read.All
  description: Read all groups
  flows:
  - authorizationCode
  - clientCredentials
  sources:
  - openapi/active-directory-groups-openapi.yaml
- scope: Group.ReadWrite.All
  description: Read and write all groups
  flows:
  - authorizationCode
  - clientCredentials
  sources:
  - openapi/active-directory-groups-openapi.yaml
- scope: User.Read
  description: Read signed-in user's profile
  flows:
  - authorizationCode
  sources:
  - openapi/active-directory-users-openapi.yaml
- scope: User.Read.All
  description: Read all users' full profiles
  flows:
  - authorizationCode
  - clientCredentials
  sources:
  - openapi/active-directory-users-openapi.yaml
- scope: User.ReadBasic.All
  description: Read all users' basic profiles
  flows:
  - authorizationCode
  sources:
  - openapi/active-directory-users-openapi.yaml
- scope: User.ReadWrite
  description: Read and write signed-in user's profile
  flows:
  - authorizationCode
  sources:
  - openapi/active-directory-users-openapi.yaml
- scope: User.ReadWrite.All
  description: Read and write all users' full profiles
  flows:
  - authorizationCode
  - clientCredentials
  sources:
  - openapi/active-directory-users-openapi.yaml