Scope refers to the permissions associated with an application. These permissions are specified when registering your application on the Azure portal. For Microsoft Identity Platform (v2) provisioning, scope must be specified in order to retrieve the refresh token needed for implementing a refresh token grant.

The value of the scope may consist of an OAuth scope or a space-separated list of OAuth scopes. The following syntax applies.

resource_uri/scope_name offline_access […]

where:

resource_uri
is the URI for your SharePoint site and is found at the start of the ServiceURL. For example, https://mycorp.sharepoint.com is the resource URI for the ServiceURL https://mycorp.sharepoint.com/sites/marketing/global.
scope_name
is the name of a scope being enforced against the SharePoint site.
offline_access
is a scope that enables prolonged access to resources on behalf of a user. This scope must be included if you are retrieving a refresh token.

Example

The following example shows the scope for a SharePoint site with the .default and offline_access scopes.

Scope=https://mycorp.sharepoint.com/.default offline_access

Note: The .default scope is a Microsoft Identity Plaform scope that refers to the static list of permissions configured on the application registration. Refer to Microsoft Identity Plaform documentation for further details.