Forum Discussion

FFB01
Copper Contributor
Dec 09, 2021

For MS SharePoint, the authorizing scope sent in the URL is not getting honored

We are trying to give customized access to a non-admin user by specifying the scope as either "AllSites.Read" or similar, using a REST API request for our MS SharePoint application. The issue we are facing is that it is not honoring the scope from the URL, e.g. https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=xxxx&redirect_uri=https://www.google.co.in&scope=Write&state=1234567890&prompt=consent

Here the scope passed is not considered, and the API returns a 200 status code with the scope set to Read (default app-level permission).

But when we change the scope to any random string, it still shows the same app-level permissions.

e.g. https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=xxxx&redirect_uri=https://www.google.co.in&scope=any_random_string&state=1234567890&prompt=consent

 

The permission can only be modified/granted from the administration module at App level.
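
A client-side check for the behaviour described in the post above, as an added example that is not part of the original post: it compares the `scope` requested in the authorization URL with the `scope` field of the token response, so a grant that differs from the request is flagged instead of assumed. The function names and the sample token response are constructed for illustration; per RFC 6749 section 5.1, an omitted `scope` field means the granted scope is identical to the requested one.

```python
from urllib.parse import urlsplit, parse_qs


def requested_scopes(authorize_url):
    """Scope values asked for in an OAuth 2.0 authorization request URL."""
    query = parse_qs(urlsplit(authorize_url).query)
    # scope is a space-delimited, case-sensitive list (RFC 6749 section 3.3)
    return set(" ".join(query.get("scope", [])).split())


def compare_scopes(authorize_url, token_response):
    """Report how the scope in the token response differs from the request."""
    requested = requested_scopes(authorize_url)
    raw = token_response.get("scope")
    # An omitted scope field means "identical to what was requested".
    granted = requested if raw is None else set(raw.split())
    return {
        "requested": sorted(requested),
        "granted": sorted(granted),
        "not_granted": sorted(requested - granted),
        "not_requested": sorted(granted - requested),
        "honored": requested == granted,
    }


# URLs taken from the post (client_id "xxxx" is the post's own placeholder).
URL_WRITE = ("https://login.microsoftonline.com/common/oauth2/authorize"
             "?response_type=code&client_id=xxxx"
             "&redirect_uri=https://www.google.co.in&scope=Write"
             "&state=1234567890&prompt=consent")
URL_RANDOM = URL_WRITE.replace("scope=Write", "scope=any_random_string")

# Constructed token response (not captured from a real tenant); it models
# the server returning the app-level permission whatever was requested.
SAMPLE_TOKEN_RESPONSE = {"token_type": "Bearer", "scope": "AllSites.Read",
                         "access_token": "<placeholder>"}

if __name__ == "__main__":
    for url in (URL_WRITE, URL_RANDOM):
        result = compare_scopes(url, SAMPLE_TOKEN_RESPONSE)
        print(result)
        if not result["honored"]:
            print("WARNING: granted scope differs from requested scope")
```
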
