Scope refers to the permissions associated with an application. These permissions are specified when registering your application on the Azure portal. For Microsoft Identity Platform (v2) provisioning, scope must be specified in order to retrieve the refresh token needed for implementing a refresh token grant.

The value of the scope may consist of an OAuth scope or a space-separated list of OAuth scopes. The following syntax applies.

resource_uri/scope_name offline_access

where:

resource_uri
is the URI for your Dynamics 365 instance and is found at the start of the ServiceURL. For example, https://mywebinstance.api.crm.dynamics.com is the resource URI for the Service URL https://mywebinstance.api.crm.dynamics.com/api/data/v9.1/.
scope_name
is the name of a scope being enforced against the Dynamics 365 service.
offline_access
is a scope that enables prolonged access to resources on behalf of a user. This scope must be included if you are retrieving a refresh token.

Example

The following example shows a scope for a Dynamics CRM instance with the user_impersonation and offline_access scopes.

Scope=https://mywebinstance.api.crm.dynamics.com/user_impersonation offline_access

Note: The user_impersonation scope is a default scope for Dynamics CRM when using the v2 API. Refer to Microsoft Identity Platform documentation for further details.
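
The following Python sketch is an added example, not code from the product or its documentation. It derives the resource URI from a Service URL, builds a Scope value in the syntax above, and checks a configured value before it is used. The function names resource_uri, build_scope and check_scope are hypothetical.

```python
from urllib.parse import urlsplit


def resource_uri(service_url):
    """Return the scheme and host found at the start of a Service URL."""
    parts = urlsplit(service_url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"expected an https Service URL, got {service_url!r}")
    return f"{parts.scheme}://{parts.netloc}"


def build_scope(service_url, scope_names=("user_impersonation",), refresh=True):
    """Compose 'resource_uri/scope_name ... offline_access' as one string."""
    res = resource_uri(service_url)
    scopes = [f"{res}/{name}" for name in scope_names]
    if refresh:
        # offline_access is what allows a refresh token to be retrieved.
        scopes.append("offline_access")
    return " ".join(scopes)


def check_scope(scope, service_url):
    """Return a list of problems found in a configured Scope value."""
    res = resource_uri(service_url)
    items = scope.split()  # scopes are space-separated
    problems = []
    if "offline_access" not in items:
        problems.append("offline_access missing: required to retrieve a refresh token")
    resource_scopes = [s for s in items if "://" in s]
    if not resource_scopes:
        problems.append("no resource_uri/scope_name entry")
    for s in resource_scopes:
        base, _, name = s.rpartition("/")
        if base != res or not name:
            problems.append(f"{s!r} does not match resource URI {res}")
    return problems


if __name__ == "__main__":
    # Service URL taken from the example on this page.
    url = "https://mywebinstance.api.crm.dynamics.com/api/data/v9.1/"
    scope = build_scope(url)
    print("Scope=" + scope)
    print(check_scope(scope, url) or "scope OK")
```

A scope whose host differs from the Service URL host, or one that omits offline_access, is returned as a problem rather than silently accepted.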