In Dynamics 365, scope refers to the impersonation permissions associated with an application. If you are using the Microsoft Identity Platform (v2) to provision users and manage application access, then you must provide a scope to retrieve the OAuth tokens necessary for connecting to a Dynamics 365 service.

The value of the Scope option may consist of an OAuth scope or a space-separated list of OAuth scopes. The following syntax applies to each scope specified by the Scope option.

resource_uri/permission_name offline_access

where:

resource_uri
is the URI for your Dynamics 365 instance and is found at the start of the ServiceURL. For example, https://mywebinstance.api.crm.dynamics.com is the resource URI for the Service URL https://mywebinstance.api.crm.dynamics.com/api/data/v9.1/.
permission_name
is the name of the permission being enforced against the Dynamics 365 service.
offline_access
is a permission that enables prolonged access to resources on behalf of a user. This permission must be included if you are retrieving a refresh token.

Example

The following example shows a scope for a Dynamics CRM instance with the user_impersonation and offline_access permissions.

Scope=https://mywebinstance.api.crm.dynamics.com/user_impersonation offline_access

Note: The user_impersonation permission is a default permission for Dynamics CRM when using the v2 API. Refer to Microsoft Identity Plaform documentation for further details.