Microsoft Office 365 · OAuth Scopes

Microsoft Office 365 OAuth Scopes

OAuth 2.0 derived

Microsoft Office 365 publishes 18 OAuth 2.0 scopes via the authorizationCode and clientCredentials flows. Scopes are the fine-grained permissions an application requests at authorization time to act against the Microsoft Office 365 API on a user’s behalf.

Tokens are issued from https://login.microsoftonline.com/common/oauth2/v2.0/token.

This index is generated from the provider’s OpenAPI security definitions (and, where available, its documented scope reference) and refreshes on every APIs.io network build. Browse every provider’s scopes at scopes.apis.io.

CloudCollaborationEnterpriseMicrosoftProductivity
Scopes: 18 Flows: authorizationCode, clientCredentials Method: derived

OAuth endpoints

Authorization URL
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Token URL
https://login.microsoftonline.com/common/oauth2/v2.0/token https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Flows
authorizationCodeclientCredentials

Scopes (18)

ScopeDescriptionFlows
Calendars.Read Read user calendars authorizationCode
Calendars.ReadWrite Read and write user calendars authorizationCode
Directory.Read.All Read directory data authorizationCode
Directory.ReadWrite.All Read and write directory data authorizationCode
Group.Read.All Read all groups authorizationCode
Group.ReadWrite.All Read and write all groups authorizationCode
GroupMember.Read.All Read all group memberships authorizationCode
GroupMember.ReadWrite.All Read and write all group memberships authorizationCode
Mail.Read Read user mail authorizationCode
Mail.ReadBasic Read user basic mail authorizationCode
Mail.ReadWrite Read and write user mail authorizationCode
Mail.Send Send mail as a user authorizationCode
User.Read Sign in and read user profile authorizationCode
User.Read.All Read all users' full profiles authorizationCode
User.ReadBasic.All Read all users' basic profiles authorizationCode
User.ReadWrite Read and update your profile authorizationCode
User.ReadWrite.All Read and write all users' full profiles authorizationCode
https://graph.microsoft.com/.default Default scope for application permissions clientCredentials

Source

OAuth Scopes

microsoft-office-365-scopes.yml Raw ↑
generated: '2026-07-11'
method: derived
source: openapi/microsoft-graph-api-openapi.yml
schemes:
- name: oauth2
  source: openapi/microsoft-graph-api-openapi.yml
  flows:
  - flow: authorizationCode
    authorizationUrl: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
    tokenUrl: https://login.microsoftonline.com/common/oauth2/v2.0/token
  - flow: clientCredentials
    tokenUrl: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
  description: Microsoft identity platform OAuth 2.0 authorization. Supports delegated (user)
    and application-only permissions. Microsoft Graph uses scopes to control access to resources.
scopes:
- scope: Calendars.Read
  description: Read user calendars
  flows:
  - authorizationCode
  sources:
  - openapi/microsoft-graph-api-openapi.yml
- scope: Calendars.ReadWrite
  description: Read and write user calendars
  flows:
  - authorizationCode
  sources:
  - openapi/microsoft-graph-api-openapi.yml
- scope: Directory.Read.All
  description: Read directory data
  flows:
  - authorizationCode
  sources:
  - openapi/microsoft-graph-api-openapi.yml
- scope: Directory.ReadWrite.All
  description: Read and write directory data
  flows:
  - authorizationCode
  sources:
  - openapi/microsoft-graph-api-openapi.yml
- scope: Group.Read.All
  description: Read all groups
  flows:
  - authorizationCode
  sources:
  - openapi/microsoft-graph-api-openapi.yml
- scope: Group.ReadWrite.All
  description: Read and write all groups
  flows:
  - authorizationCode
  sources:
  - openapi/microsoft-graph-api-openapi.yml
- scope: GroupMember.Read.All
  description: Read all group memberships
  flows:
  - authorizationCode
  sources:
  - openapi/microsoft-graph-api-openapi.yml
- scope: GroupMember.ReadWrite.All
  description: Read and write all group memberships
  flows:
  - authorizationCode
  sources:
  - openapi/microsoft-graph-api-openapi.yml
- scope: Mail.Read
  description: Read user mail
  flows:
  - authorizationCode
  sources:
  - openapi/microsoft-graph-api-openapi.yml
- scope: Mail.ReadBasic
  description: Read user basic mail
  flows:
  - authorizationCode
  sources:
  - openapi/microsoft-graph-api-openapi.yml
- scope: Mail.ReadWrite
  description: Read and write user mail
  flows:
  - authorizationCode
  sources:
  - openapi/microsoft-graph-api-openapi.yml
- scope: Mail.Send
  description: Send mail as a user
  flows:
  - authorizationCode
  sources:
  - openapi/microsoft-graph-api-openapi.yml
- scope: User.Read
  description: Sign in and read user profile
  flows:
  - authorizationCode
  sources:
  - openapi/microsoft-graph-api-openapi.yml
- scope: User.Read.All
  description: Read all users' full profiles
  flows:
  - authorizationCode
  sources:
  - openapi/microsoft-graph-api-openapi.yml
- scope: User.ReadBasic.All
  description: Read all users' basic profiles
  flows:
  - authorizationCode
  sources:
  - openapi/microsoft-graph-api-openapi.yml
- scope: User.ReadWrite
  description: Read and update your profile
  flows:
  - authorizationCode
  sources:
  - openapi/microsoft-graph-api-openapi.yml
- scope: User.ReadWrite.All
  description: Read and write all users' full profiles
  flows:
  - authorizationCode
  sources:
  - openapi/microsoft-graph-api-openapi.yml
- scope: https://graph.microsoft.com/.default
  description: Default scope for application permissions
  flows:
  - clientCredentials
  sources:
  - openapi/microsoft-graph-api-openapi.yml