Managed Identity Graph API scopes for Visual Studio local development
My organization uses managed identity to authenticate our deployed applications with Azure services. This has worked great to simplify deployment configuration as well as local development. We have updated all of our applications/services to use the new Azure.Identity package with the DefaultAzureCredential, which employs several strategies for getting a token, namely via ManagedIdentityCredential for deployed environments and falling back on VisualStudioCredential for development environments.
New requirements involve querying our AD tenant to get some user and group information. We intend to use Graph API to do this. This is not a problem for our deployed applications, as I can assign Graph API scopes/permissions to the service principal that gets created when managed identity is enabled for our various resources like app services and VMs.
However, this is not the case with local development. When developers acquire a token for Graph API with DefaultAzureCredential (which delegates to VisualStudioCredential), the token has these scopes: "Application.ReadWrite.All email openid profile User.ReadWrite.All". I also notice the app id is 872cd9fa-d31f-45e0-9eab-6e460a02d1f1 which a little googling identified as a standard app id for Visual Studio. I can't find this registered application in my directory through the portal or az powershell.
I ultimately need the additional scope of GroupMember.Read.All, and most likely others in the future. I'm familiar with how to configure this scope for service principals and registered applications, but I see no way to do this for developers (directory users) or this "special" Visual Studio registered application. Is there an intended approach to assigning additional Graph API scopes/permissions or am I required to create a service principal and manage secrets for development with Graph API?
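An added example (not from the question's author or from the Azure SDK) showing how the token inspection described above can be turned into a pre-flight check: it decodes the access token's payload, reads the delegated `scp` claim (or the app-only `roles` claim), and reports which required Graph scopes are missing before any Graph call is attempted. The token here is a constructed, unsigned sample whose claims mirror the ones quoted in the question; in real use the token string would come from `DefaultAzureCredential().get_token("https://graph.microsoft.com/.default").token` (Python azure-identity) or the equivalent .NET call. The tenant id is a placeholder. Decoding without signature verification is only for local diagnosis of what the credential provider returned; the Graph service, not this code, is what validates the token.

```python
import base64
import json

# Constructed sample claims modelled on the token described in the question.
# 872cd9fa-d31f-45e0-9eab-6e460a02d1f1 is the well-known Visual Studio client id
# quoted in the question; the tenant id below is a placeholder.
SAMPLE_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "appid": "872cd9fa-d31f-45e0-9eab-6e460a02d1f1",
    "tid": "00000000-0000-0000-0000-000000000000",
    "scp": "Application.ReadWrite.All email openid profile User.ReadWrite.All",
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def make_sample_token(claims: dict) -> str:
    """Build an unsigned (alg=none) compact JWT purely to exercise the inspection logic."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Return a JWT's payload claims WITHOUT verifying the signature.

    Good enough to see what a credential provider handed back during development;
    never use unverified claims to make an authorization decision in a service.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(claims: dict) -> set:
    """Delegated (user) tokens carry 'scp' as a space-separated string;
    app-only tokens (e.g. managed identity) carry 'roles' as a list."""
    delegated = set(claims.get("scp", "").split())
    app_only = set(claims.get("roles", []))
    return delegated | app_only


def check_scopes(token: str, required: set) -> dict:
    """Compare the scopes present in the token with those the code needs."""
    claims = decode_claims(token)
    granted = granted_scopes(claims)
    return {
        "appid": claims.get("appid"),
        "delegated": "scp" in claims,  # True means a user token (e.g. VisualStudioCredential)
        "granted": granted,
        "missing": required - granted,
    }


if __name__ == "__main__":
    token = make_sample_token(SAMPLE_CLAIMS)
    report = check_scopes(token, {"User.ReadWrite.All", "GroupMember.Read.All"})
    kind = "delegated" if report["delegated"] else "app-only"
    print(f"{kind} token issued to appid {report['appid']}")
    if report["missing"]:
        print("missing Graph scopes:", ", ".join(sorted(report["missing"])))
    else:
        print("all required scopes present")
```

Running the check once at startup in a development build turns a confusing Graph 403 later on into an immediate, readable message naming the scope (here GroupMember.Read.All) that the local credential did not provide, and the `delegated` flag makes it obvious whether the token came from a user sign-in or from a service principal.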