Scope refers to the permissions associated with an application. Scope is determined by your Dynamics 365 administrator. If the Microsoft Identity Platform (v2) is being used to provision users and manage application access, then scope must be specified using the Scope property when retrieving the OAuth tokens necessary for connecting to a Dynamics 365 service.

The value of the Scope property may consist of an OAuth scope or a space-separated list of OAuth scopes. The following syntax applies to each scope specified by the scope property.

resource_uri/scope_name offline_access

where:

resource_uri
is the URI for your Dynamics 365 instance and is found at the start of the ServiceURL. For example, https://mywebinstance.api.crm.dynamics.com is the resource URI for the Service URL https://mywebinstance.api.crm.dynamics.com/api/data/v9.1/.
scope_name
is the name of a scope being enforced against the Dynamics 365 service.
offline_access
is a scope that enables prolonged access to resources on behalf of a user. This scope must be included if you are retrieving a refresh token.

Example

The following example shows a scope for a Dynamics CRM instance with the user_impersonation and offline_access scopes.

Scope=https://mywebinstance.api.crm.dynamics.com/user_impersonation offline_access

Note: The user_impersonation scope is a default scope for Dynamics CRM when using the v2 API. Refer to Microsoft Identity Plaform documentation for further details.