From 4a0310a51ff6616d1f4612d313a18a148c729694 Mon Sep 17 00:00:00 2001
From: James Robinson
Date: Fri, 26 Jul 2024 14:58:49 +0100
Subject: [PATCH] :recycle: Minimise requested delegated scope
---
 apricot/oauth/microsoft_entra_client.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/apricot/oauth/microsoft_entra_client.py b/apricot/oauth/microsoft_entra_client.py
index 46fe9b2..0970347 100644
--- a/apricot/oauth/microsoft_entra_client.py
+++ b/apricot/oauth/microsoft_entra_client.py
@@ -23,15 +23,14 @@ def __init__(
 @param entra_tenant_id: Tenant ID for the Entra ID
 """
 redirect_uri = "urn:ietf:wg:oauth:2.0:oob" # this is the "no redirect" URL
- scopes = ["https://graph.microsoft.com/.default"] # this is the default scope
 token_url = (
 f"https://login.microsoftonline.com/{entra_tenant_id}/oauth2/v2.0/token"
 )
- self.tenant_id = entra_tenant_id
+ # Use default application scope and minimal delegated scopes
 super().__init__(
 redirect_uri=redirect_uri,
- scopes_application=scopes,
- scopes_delegated=scopes,
+ scopes_application=["https://graph.microsoft.com/.default"],
+ scopes_delegated=["openid"],
 token_url=token_url,
 **kwargs,
 )
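Review bot: The removal of `self.tenant_id = entra_tenant_id` is unrelated to the scope change in the subject line and is not mentioned in the commit message; if anything outside this hunk still reads `tenant_id` on the client it will now raise AttributeError, so either keep that assignment or state in the message that the attribute was confirmed unused. The narrowing of the delegated scope to `["openid"]` is a good least-privilege move, but the new comment does not say what the delegated token is now good for: with only `openid` the v2.0 endpoint issues an ID token and no refresh token (that needs `offline_access`), and the resulting access token is not usable against Graph, so I would replace the comment with `# Application flow keeps Graph .default; delegated flow requests only "openid" (identity proof, no Graph access, no refresh token)` so a later maintainer does not widen it without understanding the trade-off. This is inferred from the scopes alone; the enclosing `__init__` starts before this hunk and the delegated-flow caller is not visible here, so please confirm nothing relies on Graph calls with the delegated token.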