For MS SharePoint the authorizing scope sent in URL is not getting honored


We are trying to give customized access to a non-admin user by specifying the scope as either "AllSites.Read" or similar, using a REST API request for our MS SharePoint application. The issue we are facing is that it is not honoring the scope from the URL, e.g. https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=xxxx&redirect...

Here the scope passed is not considered, and the API returns a 200 status code with the scope set to Read (the default app-level permission).

But when we change the scope to any random string, it still shows the same app-level permissions.

e.g. https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=xxxx&redirect...

The permission can only be modified/granted from the administration module at App level.
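
The check below is an added example, not part of the original post: it compares the scopes requested in an authorize URL with the `scope` field of the token response, and flags the v1 endpoint path (no `/v2.0/`), where permissions come from the app registration. The function names, sample URL, client ID, redirect URI and token response are constructed for illustration, and stripping a resource URL prefix from scope names is an assumption.

```python
from urllib.parse import urlsplit, parse_qs


def _normalize(scope_string):
    """Split a space-separated scope string; drop any resource URL prefix (assumption)."""
    return {s.rsplit("/", 1)[-1].lower() for s in scope_string.split()}


def audit_scope(authorize_url, token_response):
    """Compare scopes requested in an authorize URL with those actually granted."""
    parts = urlsplit(authorize_url)
    query = parse_qs(parts.query)
    requested = _normalize(" ".join(query.get("scope", [])))
    granted = _normalize(token_response.get("scope", ""))
    return {
        # A path ending in /oauth2/authorize (no /v2.0/) is the v1 endpoint,
        # where the app registration, not the scope parameter, sets permissions.
        "v1_endpoint": parts.path.endswith("/oauth2/authorize"),
        "requested": sorted(requested),
        "granted": sorted(granted),
        "not_granted": sorted(requested - granted),
        # Granted but never requested: a least-privilege finding.
        "over_granted": sorted(granted - requested),
        "honored": requested == granted,
    }


# Constructed sample values (not taken from the post).
SAMPLE_URL = (
    "https://login.microsoftonline.com/common/oauth2/authorize"
    "?response_type=code&client_id=00000000-0000-0000-0000-000000000000"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback"
    "&scope=AllSites.Write"
)
SAMPLE_RANDOM_URL = SAMPLE_URL.replace("AllSites.Write", "not-a-real-scope")
SAMPLE_TOKEN_RESPONSE = {"token_type": "Bearer", "scope": "AllSites.Read"}

if __name__ == "__main__":
    for url in (SAMPLE_URL, SAMPLE_RANDOM_URL):
        print(audit_scope(url, SAMPLE_TOKEN_RESPONSE))
```
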
