Specifying the OAuth2 authentication token scope

When using Client Credentials flow I usually have some PowerShell like this:

And I am always stumped with the “scope” part.

For other flows I can put a space-separated list of scopes – like this:

But that doesn’t work with Client Credentials. You get an error:

Client credential flows must have a scope value with /.default suffixed to the resource identifier (application ID URI).

The solution is simple; I just keep forgetting it. If I am authenticating against a particular App Registration (e.g. an App Registration is authorized to access a Logic App or Azure Function, and I use other App Registrations that are authorized to authenticate against that first one), then I must use that App Registration Id with “/.default” appended.

But what if I am authenticating against Graph itself? Or some other resource? Then I must use a different URL like in this doc. For Graph it would be:

But it would be, say, the following for Azure Key Vault:
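As an added example (not from the original post), here is a PowerShell function that performs the client credentials request against the v2.0 token endpoint, normalises the scope to the `<resource>/.default` form the error message above demands, and then decodes the token so you can check which `aud` and `roles` were actually granted. Tenant id, client id and the `api://…` Application ID URI are placeholders you must replace; the secret is read interactively rather than stored in the script.

```powershell
function Get-ClientCredentialsToken {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][securestring]$ClientSecret,
        # Resource identifier: an App Registration's Application ID URI (or its client id),
        # or a first-party resource such as https://graph.microsoft.com
        [Parameter(Mandatory)][string]$Resource
    )
    # Client credentials has no user to consent, so the v2.0 endpoint only accepts
    # "<resource>/.default", meaning "the application permissions already admin-consented".
    $scope = $Resource.TrimEnd('/')
    if ($scope -notlike '*/.default') { $scope = "$scope/.default" }

    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = [System.Net.NetworkCredential]::new('', $ClientSecret).Password
        scope         = $scope
    }
    try {
        $resp = Invoke-RestMethod -Method Post `
            -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
            -ContentType 'application/x-www-form-urlencoded' -Body $body
        return $resp.access_token
    } catch {
        # Entra ID returns a JSON body with error/error_description (e.g. the /.default message)
        $detail = $_.ErrorDetails.Message
        if ($detail) { $detail = ($detail | ConvertFrom-Json).error_description }
        throw "Token request for scope '$scope' failed: $detail"
    }
}

function Get-JwtPayload([string]$Jwt) {
    # Base64url-decode the middle segment; no signature check, this is only for inspection
    $p = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($p.Length % 4) { 2 { $p += '==' } 3 { $p += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($p)) | ConvertFrom-Json
}

# --- usage (placeholder ids; replace with your own) ---
$tenant   = '00000000-0000-0000-0000-000000000000'
$clientId = '11111111-1111-1111-1111-111111111111'
$secret   = Read-Host -AsSecureString 'Client secret'

foreach ($resource in 'api://22222222-2222-2222-2222-222222222222',  # custom App Registration
                      'https://graph.microsoft.com',                 # Microsoft Graph
                      'https://vault.azure.net') {                   # Azure Key Vault
    $claims = Get-JwtPayload (Get-ClientCredentialsToken $tenant $clientId $secret $resource)
    "{0}: aud={1} roles={2}" -f $resource, $claims.aud, ($claims.roles -join ',')
}
```

If `roles` comes back empty, the app has no admin-consented application permissions on that resource, and the `/.default` request has granted an audience but no rights.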

I could also request specific scopes rather than just defaulting to whatever is already admin-consented. For that I would change the scope line to this: https://graph.microsoft.com/User.Read

Good to remember!