Tags: oauth-2.0, azure-active-directory, microsoft-graph-api, openid-connect, microsoft-identity-platform

Why can I use the short name with some permissions / scopes on Microsoft identity platform AAD v2?


When setting up my OAuth client app, I need to define scopes. I know of the built-in scopes for things like OpenID Connect such as openid, profile, email, etc., and according to the docs at https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#scopes-and-permissions

Identity platform supports several well-defined OpenID Connect scopes as well as resource-based permissions (each permission is indicated by appending the permission value to the resource's identifier or application ID URI). For example, the permission string https://graph.microsoft.com/Calendars.Read is used to request permission to read users' calendars in Microsoft Graph.

but in practice I find that most docs (even that same doc later on) often use "short names" for Graph scopes, like User.Read.All, cf. https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#admin-restricted-permissions:

Read all users' full profiles by using User.Read.All

What's going on here? Are the MS APIs special and have special short-name aliases for their permissions/scopes? Is this documented anywhere?


Solution

  • The Microsoft Identity platform will assume that you were referring to Microsoft Graph if you omit the resource in the scope value. Thus, User.Read is treated as https://graph.microsoft.com/User.Read.
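An added example, not from the post or from Microsoft: a small Python helper that applies the rule above (a bare permission name defaults to Microsoft Graph) so that requested and consented scopes can be compared in either spelling, and that builds an authorize request with the qualified form; tenant, client id and redirect URI are placeholders.

```python
from urllib.parse import urlencode

# Constructed example (not from the original post): normalise Microsoft identity
# platform scope strings so that short names and fully qualified names compare equal.

GRAPH_RESOURCE = "https://graph.microsoft.com"
# OpenID Connect scopes that are not tied to a resource and must not be qualified.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}


def qualify_scope(scope: str) -> str:
    """Return the fully qualified form of a single scope value.

    Bare permission names (e.g. "User.Read") are taken to belong to Microsoft
    Graph, mirroring the platform's default. Values that already carry a resource
    ("https://.../X" or "api://.../X") and OIDC scopes are returned unchanged.
    """
    scope = scope.strip()
    if scope in OIDC_SCOPES or "://" in scope:
        return scope
    return f"{GRAPH_RESOURCE}/{scope}"


def normalize_scopes(scope_param: str) -> set[str]:
    """Split a space-separated `scope` parameter and qualify each entry."""
    return {qualify_scope(s) for s in scope_param.split() if s}


def unexpected_scopes(requested: str, allowed: str) -> set[str]:
    """Scopes in `requested` not covered by `allowed`, compared after normalisation
    so the two spellings of one Graph permission are recognised as the same thing."""
    return normalize_scopes(requested) - normalize_scopes(allowed)


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str, scope_param: str) -> str:
    """Authorization-code request (v2.0 endpoint) with every scope in qualified form.
    tenant, client_id and redirect_uri are caller-supplied placeholders."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(sorted(normalize_scopes(scope_param))),
    }
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"
```

Useful when auditing an app registration: consented permissions exported from the portal and the scopes a client actually requests can be compared without false differences caused by the two spellings.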