diff --git a/modules/routes/routeSecurityMsft.py b/modules/routes/routeSecurityMsft.py
index a971ecd0..ac9b5af3 100644
--- a/modules/routes/routeSecurityMsft.py
+++ b/modules/routes/routeSecurityMsft.py
@@ -53,12 +53,11 @@ if not REDIRECT_URI:
 if CLIENT_SECRET and CLIENT_SECRET.startswith(("PROD_ENC:", "INT_ENC:", "DEV_ENC:")):
 logger.warning("Service_MSFT_CLIENT_SECRET appears to be encrypted - ensure decryption is working")
 SCOPES = [
- "Mail.ReadWrite", # Read and write mail
- "Mail.Send", # Send mail
- "Mail.ReadWrite.Shared", # Access shared mailboxes
+ "Mail.ReadWrite", # Read and write mail (user's mailbox only)
+ "Mail.Send", # Send mail (user's mailbox only)
 "User.Read", # Read user profile
- "Sites.ReadWrite.All", # Read and write all SharePoint sites
- "Files.ReadWrite.All" # Read and write all files
+ "Sites.ReadWrite", # Read and write user's SharePoint sites (not org-wide)
+ "Files.ReadWrite" # Read and write user's files (not org-wide)
 ]
 @router.get("/login")
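Review bot: `"Sites.ReadWrite"` in the new `SCOPES` list is, as far as I know, not a permission Microsoft Graph defines (the Sites family is `Sites.Read.All`, `Sites.ReadWrite.All`, `Sites.Manage.All`, `Sites.FullControl.All` and `Sites.Selected`), so the authorization request built from this list would probably be rejected and sign-in would fail; `Files.ReadWrite` does exist and is limited to the signed-in user's own files. If SharePoint access is still needed, use `"Sites.Selected",  # Only sites explicitly granted to this app` or keep `Sites.ReadWrite.All`, which as a delegated scope is already bounded by what the signed-in user can reach; otherwise drop the entry. Narrowing this list also does not shrink consent that was already granted: the app registration's configured permissions, existing grants and any refresh tokens issued earlier still carry `Mail.ReadWrite.Shared`, `Sites.ReadWrite.All` and `Files.ReadWrite.All` until they are trimmed and users re-consent. The code that consumes `SCOPES` is outside this hunk, so confirm nothing downstream depends on shared-mailbox or cross-drive access.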