Refresh Token Scopes

I have an app that uses refresh tokens. When using the refresh token to get a new access token, I’m noticing that some users have an empty scope on the access token, and some have a scope that matches the scopes used during login.

All users are using the same app to log in. So all users leverage the same login configuration and parameters. What could be different on each user that would make the scopes be different on these new access tokens?

FYI - I found that this was due to a rule on our tenant that was stepping on these scopes.
