Insecure scope management
Radu Stănciulescu
Hello Team,
When you create an API client & password, you are not allowed to select the scope, which is instead set up at runtime when requesting an access token. The issue with this approach is that if an attacker gets the credentials, they can easily change the scopes, thus allowing them to move laterally, e.g. get the results of all phishing/training campaigns and target specific users, which can lead to other breaches. Besides that, there's a real possibility of an insider threat doing something malicious: a disgruntled IT worker who has access to the credentials and decides to change the scope in order to gain unauthorized access to training data, etc.
Imagine if this mechanism worked at Microsoft and you had a client app that only has mail.read permissions, and someone, just by reading the documentation, could elevate to global admin.
App scoping should be decided at client creation time, not dynamically.
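The point of the post, shown as an added example that is not the vendor's code: a toy OAuth 2.0 client_credentials token endpoint that honours whatever scope a caller requests, beside one that caps the grant at the scopes recorded when the client was created. The client record, scope names, demo secret and the `reporting-bot` client id are all constructed for this illustration.

```python
"""Added example: binding OAuth 2.0 client_credentials scopes at client creation.

Toy authorization server with two token endpoints. issue_token_unbound() grants
whatever scopes the caller asks for, which is the behaviour the post objects to.
issue_token_bound() caps the grant at the scopes recorded when the client was
created. Client records, scope names and the demo secret are all constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical scope names for a phishing-simulation / training API.
ALL_SCOPES = frozenset(
    {"users.read", "campaigns.read", "campaigns.write", "training.read", "admin"}
)


@dataclass(frozen=True)
class ApiClient:
    client_id: str
    secret_hash: str            # sha256 of the secret; use a real KDF in production
    allowed_scopes: frozenset   # fixed at creation time, never widened by a request


def hash_secret(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


DEMO_SECRET = "reporting-bot-secret"   # constructed for the example


def make_registry() -> dict:
    """A reporting-only client: it may read campaign results and nothing else."""
    client = ApiClient("reporting-bot", hash_secret(DEMO_SECRET),
                       frozenset({"campaigns.read"}))
    return {client.client_id: client}


def authenticate(registry: dict, client_id: str, client_secret: str) -> ApiClient:
    client = registry.get(client_id)
    # Hash a dummy when the id is unknown so timing does not reveal valid ids.
    expected = client.secret_hash if client else hash_secret("")
    if not hmac.compare_digest(expected, hash_secret(client_secret)) or client is None:
        raise PermissionError("invalid_client")
    return client


def _mint(scopes: set) -> dict:
    return {"access_token": secrets.token_urlsafe(32),
            "token_type": "bearer", "scope": " ".join(sorted(scopes))}


def issue_token_unbound(registry, client_id, client_secret, requested_scope: str) -> dict:
    """Weak: the only check is that the scope names exist. Anyone holding the
    credentials can request 'admin' and get it."""
    authenticate(registry, client_id, client_secret)
    requested = set(requested_scope.split())
    if not requested <= ALL_SCOPES:
        raise ValueError("invalid_scope")
    return _mint(requested)


def issue_token_bound(registry, client_id, client_secret, requested_scope: str,
                      strict: bool = True) -> dict:
    """Hardened: the grant is the intersection of the request and the client's
    creation-time scopes. strict=True answers any over-broad request with
    invalid_scope (worth alerting on: a reporting bot asking for 'admin' is a
    stolen-credential signal); strict=False silently narrows the grant, which
    RFC 6749 section 3.3 permits as long as the issued scope is returned."""
    client = authenticate(registry, client_id, client_secret)
    # An omitted scope parameter falls back to everything the client was granted.
    requested = set(requested_scope.split()) or set(client.allowed_scopes)
    if not requested <= ALL_SCOPES:
        raise ValueError("invalid_scope")
    excess = requested - client.allowed_scopes
    if excess and strict:
        raise ValueError(f"invalid_scope: {' '.join(sorted(excess))} not granted to client")
    return _mint(requested & client.allowed_scopes)


if __name__ == "__main__":
    reg = make_registry()
    print("unbound:", issue_token_unbound(reg, "reporting-bot", DEMO_SECRET, "admin")["scope"])
    print("bound, lenient:", issue_token_bound(reg, "reporting-bot", DEMO_SECRET,
                                               "campaigns.read admin", strict=False)["scope"])
    try:
        issue_token_bound(reg, "reporting-bot", DEMO_SECRET, "admin")
    except ValueError as err:
        print("bound, strict:", err)
```

With the unbound endpoint a leaked `reporting-bot` secret yields an `admin` token; with the bound endpoint the same request either fails with `invalid_scope` (strict) or comes back narrowed to `campaigns.read` (lenient). The strict mode is the better default here because a rejected over-broad request is itself a detection signal.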