From 1ea36ad5bccbafb8c4f0762d5e1b79e28112c101 Mon Sep 17 00:00:00 2001
From: ValueOn AG
Date: Tue, 13 Jan 2026 21:31:18 +0100
Subject: [PATCH] fixes
---
modules/routes/routeSecurityMsft.py | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/modules/routes/routeSecurityMsft.py b/modules/routes/routeSecurityMsft.py
index a971ecd0..ac9b5af3 100644
--- a/modules/routes/routeSecurityMsft.py
+++ b/modules/routes/routeSecurityMsft.py
@@ -53,12 +53,11 @@ if not REDIRECT_URI:
if CLIENT_SECRET and CLIENT_SECRET.startswith(("PROD_ENC:", "INT_ENC:", "DEV_ENC:")):
logger.warning("Service_MSFT_CLIENT_SECRET appears to be encrypted - ensure decryption is working")
SCOPES = [
- "Mail.ReadWrite", # Read and write mail
- "Mail.Send", # Send mail
- "Mail.ReadWrite.Shared", # Access shared mailboxes
+ "Mail.ReadWrite", # Read and write mail (user's mailbox only)
+ "Mail.Send", # Send mail (user's mailbox only)
"User.Read", # Read user profile
- "Sites.ReadWrite.All", # Read and write all SharePoint sites
- "Files.ReadWrite.All" # Read and write all files
+ "Sites.ReadWrite", # Read and write user's SharePoint sites (not org-wide)
+ "Files.ReadWrite" # Read and write user's files (not org-wide)
]
@router.get("/login")
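Review bot: `"Sites.ReadWrite"` in the new SCOPES list does not match any Microsoft Graph permission I am aware of (the Sites family is `Sites.Read.All`, `Sites.ReadWrite.All`, `Sites.Manage.All`, `Sites.FullControl.All` and `Sites.Selected`), so the authorize request is likely to be rejected as an invalid scope, or SharePoint calls will fail for lack of consent; please verify against the Graph permissions reference before merging. If the aim is least privilege, either use `Sites.Selected` with per-site grants (confirm it is available for the delegated flow used here), or keep `Sites.ReadWrite.All` with a comment such as `# delegated: limited to sites the signed-in user can already access`. `Files.ReadWrite` is a real delegated scope, but it covers only the signed-in user's own files, so any feature that reads files shared with the user will stop working. Narrowing this list also does not shrink consent that was already granted: existing grants and the tokens issued under them keep `Mail.ReadWrite.Shared` and the `.All` scopes until they are revoked in the tenant, so the rollout should include revoking the old grants and forcing re-consent.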