Add info on custom scopes for microsoft entra id creds (#3137)

imchairmanm · web-flow · commit 11a311a65b13 · 2025-05-15T11:43:35.000+01:00
diff --git a/docs/integrations/builtin/credentials/microsoftentra.md b/docs/integrations/builtin/credentials/microsoftentra.md
@@ -17,15 +17,15 @@ You can use these credentials to authenticate the following nodes:
 - Create a Microsoft Entra ID account or subscription.
 - If the user account is managed by a corporate Microsoft Entra account, the administrator account has enabled the option “User can consent to apps accessing company data on their behalf” for this user (see the [Microsoft Entra documentation](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent)).
 
-Microsoft includes an Entra ID free plan when you create a [Microsoft Azure](https://azure.microsoft.com/){:target=_blank .external-link} account.
+Microsoft includes an Entra ID free plan when you create a [Microsoft Azure](https://azure.microsoft.com/) account.
 
 ## Supported authentication methods
 
 - OAuth2
 
 ## Related resources
 
-Refer to [Microsoft Entra ID's documentation](https://www.microsoft.com/en-us/security/business/identity-access/azure-active-directory){:target=_blank .external-link} for more information about the service.
+Refer to [Microsoft Entra ID's documentation](https://www.microsoft.com/en-us/security/business/identity-access/azure-active-directory) for more information about the service.
 
 ## Using OAuth2
 
@@ -36,13 +36,13 @@ For self-hosted users, there are two main steps to configure OAuth2 from scratch
 1. [Register an application](#register-an-application) with the Microsoft Identity Platform.
 2. [Generate a client secret](#generate-a-client-secret) for that application.
 
-Follow the detailed instructions for each step below. For more detail on the Microsoft OAuth2 web flow, refer to [Microsoft authentication and authorization basics](https://learn.microsoft.com/en-us/graph/auth/auth-concepts){:target=_blank .external-link}. 
+Follow the detailed instructions for each step below. For more detail on the Microsoft OAuth2 web flow, refer to [Microsoft authentication and authorization basics](https://learn.microsoft.com/en-us/graph/auth/auth-concepts). 
 
 ### Register an application
 
 Register an application with the Microsoft Identity Platform:
 
-1. Open the [Microsoft Application Registration Portal](https://aka.ms/appregistrations){:target=_blank .external-link}.
+1. Open the [Microsoft Application Registration Portal](https://aka.ms/appregistrations).
 2. Select **Register an application**.
 3. Enter a **Name** for your app.
 4. In **Supported account types**, select **Accounts in any organizational directory (Any Azure AD directory - Multi-tenant) and personal Microsoft accounts (for example, Skype, Xbox)**.
@@ -53,7 +53,7 @@ Register an application with the Microsoft Identity Platform:
 6. Select **Register** to finish creating your application.
 7. Copy the **Application (client) ID** and paste it into n8n as the **Client ID**.
 
-Refer to [Register an application with the Microsoft Identity Platform](https://learn.microsoft.com/en-us/graph/auth-register-app-v2){:target=_blank .external-link} for more information.
+Refer to [Register an application with the Microsoft Identity Platform](https://learn.microsoft.com/en-us/graph/auth-register-app-v2) for more information.
 
 ### Generate a client secret
 
@@ -68,7 +68,26 @@ With your application created, generate a client secret for it:
 1. Select **Connect my account** in n8n to finish setting up the connection.
 1. Log in to your Microsoft account and allow the app to access your info.
 
-Refer to Microsoft's [Add credentials](https://learn.microsoft.com/en-us/graph/auth-register-app-v2#add-credentials){:target=_blank .external-link} for more information on adding a client secret.
+Refer to Microsoft's [Add credentials](https://learn.microsoft.com/en-us/graph/auth-register-app-v2#add-credentials) for more information on adding a client secret.
+
+## Setting custom scopes
+
+Microsoft Entra ID credentials use the following scopes by default:
+
+* [`openid`](https://learn.microsoft.com/en-us/entra/identity-platform/scopes-oidc#the-openid-scope)
+* [`offline_access`](https://learn.microsoft.com/en-us/entra/identity-platform/scopes-oidc#the-offline_access-scope)
+* [`AccessReview.ReadWrite.All`](https://learn.microsoft.com/en-us/graph/permissions-reference#accessreviewreadwriteall)
+* [`Directory.ReadWrite.All`](https://learn.microsoft.com/en-us/graph/permissions-reference#directoryreadwriteall)
+* [`NetworkAccessPolicy.ReadWrite.All`](https://learn.microsoft.com/en-us/graph/permissions-reference#networkaccesspolicyreadwriteall)
+* [`DelegatedAdminRelationship.ReadWrite.All`](https://learn.microsoft.com/en-us/graph/permissions-reference#delegatedadminrelationshipreadwriteall)
+* [`EntitlementManagement.ReadWrite.All`](https://learn.microsoft.com/en-us/graph/permissions-reference#entitlementmanagementreadwriteall)
+* [`User.ReadWrite.All`](https://learn.microsoft.com/en-us/graph/permissions-reference#userreadwriteall)
+* [`Directory.AccessAsUser.All`](https://learn.microsoft.com/en-us/graph/permissions-reference#directoryaccessasuserall)
+* [`Sites.FullControl.All`](https://learn.microsoft.com/en-us/graph/permissions-reference#sitesfullcontrolall)
+* [`GroupMember.ReadWrite.All`](https://learn.microsoft.com/en-us/graph/permissions-reference#groupmemberreadwriteall)
+
+To select different scopes for your credentials, enable the **Custom Scopes** slider and edit the **Enabled Scopes** list. Keep in mind that some features may not work as expected with more restrictive scopes.
+
 
 ## Common issues
 
