Azure Active Directory · OAuth Scopes

Azure Active Directory OAuth Scopes

OAuth 2.0 derived

Azure Active Directory publishes 8 OAuth 2.0 scopes via the authorizationCode and clientCredentials flows. Scopes are the fine-grained permissions an application requests at authorization time to act against the Azure Active Directory API on a user’s behalf.

Tokens are issued from https://login.microsoftonline.com/common/oauth2/v2.0/token.

This index is generated from the provider’s OpenAPI security definitions (and, where available, its documented scope reference) and refreshes on every APIs.io network build. Browse every provider’s scopes at scopes.apis.io.

AuthenticationAuthorizationIdentityOAuthOpenID ConnectSingle Sign-On
Scopes: 8 Flows: authorizationCode, clientCredentials Method: derived

OAuth endpoints

Authorization URL
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Token URL
https://login.microsoftonline.com/common/oauth2/v2.0/token
Flows
authorizationCodeclientCredentials

Scopes (8)

ScopeDescriptionFlows
Application.Read.All Read applications authorizationCode
Directory.Read.All Read directory data authorizationCode
Group.Read.All Read all groups authorizationCode
Group.ReadWrite.All Read and write all groups authorizationCode
User.Read Read the signed-in user's profile authorizationCode
User.Read.All Read all users authorizationCode
User.ReadWrite.All Read and write all users authorizationCode
https://graph.microsoft.com/.default Application permissions configured for the app clientCredentials

Source

OAuth Scopes

azure-ad-scopes.yml Raw ↑
generated: '2026-07-11'
method: derived
source: openapi/azure-ad-openapi.yml
schemes:
- name: oauth2
  source: openapi/azure-ad-openapi.yml
  flows:
  - flow: authorizationCode
    authorizationUrl: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
    tokenUrl: https://login.microsoftonline.com/common/oauth2/v2.0/token
  - flow: clientCredentials
    tokenUrl: https://login.microsoftonline.com/common/oauth2/v2.0/token
  description: Microsoft Entra ID OAuth 2.0
scopes:
- scope: Application.Read.All
  description: Read applications
  flows:
  - authorizationCode
  sources:
  - openapi/azure-ad-openapi.yml
- scope: Directory.Read.All
  description: Read directory data
  flows:
  - authorizationCode
  sources:
  - openapi/azure-ad-openapi.yml
- scope: Group.Read.All
  description: Read all groups
  flows:
  - authorizationCode
  sources:
  - openapi/azure-ad-openapi.yml
- scope: Group.ReadWrite.All
  description: Read and write all groups
  flows:
  - authorizationCode
  sources:
  - openapi/azure-ad-openapi.yml
- scope: User.Read
  description: Read the signed-in user's profile
  flows:
  - authorizationCode
  sources:
  - openapi/azure-ad-openapi.yml
- scope: User.Read.All
  description: Read all users
  flows:
  - authorizationCode
  sources:
  - openapi/azure-ad-openapi.yml
- scope: User.ReadWrite.All
  description: Read and write all users
  flows:
  - authorizationCode
  sources:
  - openapi/azure-ad-openapi.yml
- scope: https://graph.microsoft.com/.default
  description: Application permissions configured for the app
  flows:
  - clientCredentials
  sources:
  - openapi/azure-ad-openapi.yml