
Invalid scope error on OIDC token request

Ihor Vinokur 40 Reputation points
2026-03-04T12:57:37.7666667+00:00

Hello, I am trying to use the Azure DevOps API with an Entra ID application.
I have registered an application with the following API permissions: [screenshot of the app registration's API permissions]

The authorization request is:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=<application id>&redirect_uri=<redirect uri>&response_type=code&scope=vso.code_full&state=<state>

In the callback I receive the following error: error=invalid_scope&error_description=The provided value for the input parameter 'scope' is not valid. The scope 'vso.code_full' does not exist.


Answer accepted by question author
    Rakesh Mishra 6,560 Reputation points Microsoft External Staff Moderator
    2026-03-04T13:17:12.7866667+00:00

    Hi @Ihor Vinokur ,

    Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

    Please find the cause and possible solution below. Please let me know if it works, and if there are any issues, let me know in the comments.

    The Cause

    When you use the Microsoft identity platform v2.0 endpoint (https://login.microsoftonline.com/common/oauth2/v2.0/authorize), it requires scopes to be fully qualified with the App ID URI (Resource ID) of the API you are trying to access.

    While vso.code_full is a valid Azure DevOps OAuth scope, passing it bare (e.g., scope=vso.code_full) works for the older Azure DevOps-specific OAuth flow, but it will result in an invalid_scope error in the Entra ID v2.0 flow because Entra ID doesn't know which resource the scope belongs to.

    The Solution

    To fix this, you must prefix the scope with the official Azure DevOps App ID URI, which is 499b84ac-1321-427f-aa17-267ca6975798.

    Change your scope parameter in the authorization request to: scope=499b84ac-1321-427f-aa17-267ca6975798/vso.code_full

    (Note: Depending on your exact Entra ID API permission configuration, you might also be able to use scope=499b84ac-1321-427f-aa17-267ca6975798/.default to grant all scopes configured statically on the app registration.)

    Updated Authorization Request Example:

    https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=<application id>&redirect_uri=<redirect uri>&response_type=code&scope=499b84ac-1321-427f-aa17-267ca6975798/vso.code_full&state=<state>
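As an added example (not code from the answer above or from Microsoft), the following Python builds the v2.0 authorize URL with every Azure DevOps scope qualified by the resource ID quoted in the answer, and classifies the redirect back from /authorize so an invalid_scope response is caught and a callback with a mismatched state is discarded. The client_id, redirect_uri and state values are placeholders; the reserved-scope set is the standard OIDC scopes the v2.0 endpoint accepts without a resource prefix.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Azure DevOps resource (application) ID as quoted in the accepted answer above.
AZURE_DEVOPS_RESOURCE_ID = "499b84ac-1321-427f-aa17-267ca6975798"
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
# OIDC/OAuth scopes the v2.0 endpoint accepts bare, without a resource prefix.
RESERVED_SCOPES = {"openid", "profile", "email", "offline_access"}


def qualify_scope(scope: str, resource_id: str = AZURE_DEVOPS_RESOURCE_ID) -> str:
    """Return a resource-qualified scope for the v2.0 endpoint.
    A bare scope such as 'vso.code_full' gets the resource ID prefix;
    reserved OIDC scopes and already-qualified values are left as they are."""
    if scope in RESERVED_SCOPES or "/" in scope:
        return scope
    return f"{resource_id}/{scope}"


def build_authorize_url(client_id: str, redirect_uri: str, scopes: list, state: str) -> str:
    """Build the authorization-code request. Every non-reserved scope is qualified,
    and a non-empty state is required so the callback can be bound to this request."""
    if not state:
        raise ValueError("state is required to bind the callback to this request")
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(qualify_scope(s) for s in scopes),
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> tuple:
    """Classify the redirect from /authorize as ('code', <code>) or ('error', <error>).
    A state mismatch raises, because the callback cannot be tied to a request we made."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this callback")
    if "error" in q:
        return ("error", q["error"][0])
    if "code" not in q:
        return ("error", "missing_code")
    return ("code", q["code"][0])
```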
    


Answer accepted by question author
    Q&A Assist
    2026-03-04T12:57:55.8066667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    invalid_scope occurs because the Microsoft identity platform v2.0 endpoint expects scopes in the form of delegated permissions for a specific resource, not the bare Azure DevOps OAuth scope name.

    vso.code_full is a valid Azure DevOps OAuth scope, but it must be requested against the Azure DevOps resource when using Microsoft Entra ID OAuth. The v2.0 endpoint requires scopes to be prefixed with the resource identifier (App ID URI) for non-Microsoft Graph APIs.

    To fix the error:

    1. Use the correct resource-prefixed scope in the scope parameter instead of just vso.code_full. For Azure DevOps, scopes follow the pattern:
         scope={App-Uri-Id}/{scope-name}
      
      For example (pattern from the docs):
         scope=openid+https://vault.azure.net/user_impersonation
      
      Apply the same idea to Azure DevOps: the scope must include the Azure DevOps App ID URI followed by /vso.code_full, not just vso.code_full alone.
    2. Ensure that the scope value you send in the authorize request exactly matches a scope that is:
      • Defined for the Azure DevOps resource, and
      • Granted as a delegated permission to the client app.
    3. If the scope is wrong or misspelled, Microsoft Entra ID returns invalid_scope during code redemption or authorization. Update the scope parameter to a valid value for the Azure DevOps resource as documented for that API.

    If invalid_scope is returned during token redemption instead of /authorize, the guidance is the same: update the scope to a valid one and, if necessary, send the user back through /authorize so consent can be granted.

