update scopes (#1922)

Author: khorne3

docs/deployment/managed-scanning/azure.md

@@ -19,10 +19,13 @@ Add Azure DevOps repositories to your Semgrep organization in bulk without addin
 
 ## Prerequisites and permissions
 
-- Semgrep Managed Scanning requires repositories hosted by Azure DevOps Services. It currently doesn't support Azure DevOps Server.
+- Semgrep Managed Scanning requires repositories hosted by Azure DevOps Services. It doesn't support Azure DevOps Server.
 - Semgrep recommends setting up and configuring Semgrep Managed Scanning with an Azure DevOps service account, not a personal account. Regardless of whether you use a personal or service account, the account must be assigned the **Owner** or **Project Collection Administrator** role for the organization.
-- During setup and configuration, you must provide a personal access token generated by the account. This token must be granted the **Project and Team: Read & write** scope.
-  - Once you have Managed Scanning fully configured, you can update the token to **Project and Team: Read**, a more limited scope.
+- During setup and configuration, you must provide a personal access token generated by the account. This token must be authorized with **Full access**.
+  - Once you have Managed Scanning fully configured, you can update the token provided to Semgrep to one that's more restrictive. The scopes you must assign to the token include:
+    - `Project and Team: Read & write`
+    - `Code: Read`
+    - `Pull Request Threads: Read & write`
 
 ## Enable Managed Scans and scan your first repository