Manage Action-Level Scopes
Control which OAuth scopes Odeus requests for each integration, manage when new actions are enabled in your workspace, and review the access status of every action.
Manage Action-Level Scopes
Control which OAuth scopes Odeus requests for each integration, manage when new actions are enabled in your workspace, and review the access status of every action.
Control which integration actions are enabled in your workspace and which OAuth scopes Odeus can request when users connect. Use this page when you want to review action access, prepare a custom OAuth client, or understand why an action shows Missing scope.
Scopes and Action Access currently applies to SharePoint integrations. Other Microsoft integrations will follow in the next few weeks. After that, support will roll out to other integrations.
How scopes control actions
Every integration action needs one or more OAuth scopes from the connected provider. For example, an Outlook Calendar action may need Calendars.ReadWrite before it can create or update calendar events.
Odeus groups actions by the scopes they need. When you enable or disable an action, you may also change which scopes Odeus requests from the OAuth provider. The active OAuth client defined in Odeus determines how these requested scopes are managed.
Use the table below to compare how different OAuth Clients can manage the available scopes of your integration.
| Mode | Scope behavior |
|---|---|
| Odeus Client | Odeus keeps requested scopes in sync with enabled or shared actions. |
| Scope sync on | Your custom OAuth client uses the same automatic scope sync behavior. |
| Scope sync off | Your custom OAuth client uses Fixed scopes that you manage manually. |
Control new actions
In your Integrations settings, you can find the New actions enabled by default setting, which controls what happens when Odeus adds an action to an existing integration.
<img src="https://mintcdn.com/odeus-34/z_BAgClWFf2GfboR/images/integration_scopes0.png?fit=max&auto=format&n=z_BAgClWFf2GfboR&q=85&s=ac56331dfbbabf04abf852fe937a7cfe" alt="The New actions enabled by default toggle in workspace integration settings" style={{borderRadius: '6px'}} width="2184" height="466" data-path="images/integration_scopes0.png" />
Odeus checks whether the active OAuth client already covers the action's required scopes.
* Actions whose required scopes are covered are enabled automatically.
* Actions with missing scopes stay disabled until you add or sync the required scopes.
New actions stay disabled until you review and enable them.
The same rule applies when Odeus adds a scope to an existing action. A new scope never silently expands what Odeus can request from your provider.
Choose an OAuth client mode
When using integrations, you can either choose to use the Odeus Client or to Bring Your Own OAuth Client. In your Integrations settings, select an integration built by Odeus and scroll to Scopes and Action Access to configure the OAuth client mode for that integration.
Use the Odeus Client when you want Odeus to manage OAuth scopes for you. This is the default on Multi-Tenant Cloud for integrations where Odeus provides a managed OAuth client.
Odeus requests the auth scopes needed to identify the user, such as `openid`, `email`, and `offline_access`. It also requests the scopes required by actions that are enabled for everyone or shared with specific users and groups.
You do not edit scopes manually. To change the requested scopes, enable, disable, or share actions.
<img src="https://mintcdn.com/odeus-34/z_BAgClWFf2GfboR/images/integration_scopes1.png?fit=max&auto=format&n=z_BAgClWFf2GfboR&q=85&s=4191ae246ea1b246a872fa994e4d9473" alt="Scopes and Action Access section with the Odeus Client active, showing scope groups with their status badges" style={{borderRadius: '6px'}} width="1536" height="1168" data-path="images/integration_scopes1.png" />
### Review scope status
Use **Scope view** to see which scopes are part of the active requested set. Scope groups with a green check are requested. Scope groups with a red X are not requested.
<img src="https://mintcdn.com/odeus-34/z_BAgClWFf2GfboR/images/integration_scopes2.png?fit=max&auto=format&n=z_BAgClWFf2GfboR&q=85&s=b0285ab96d41a9c3660776d6c6a3df5c" alt="Scope view active in the Scopes and Action Access section, with one scope group expanded to show its actions" style={{borderRadius: '6px'}} width="1534" height="562" data-path="images/integration_scopes2.png" />
Use **Action view** to manage actions one by one. This view is useful when you want to search for an action, sort by enabled state, or check the scopes a specific action needs.
<img src="https://mintcdn.com/odeus-34/z_BAgClWFf2GfboR/images/integration_scopes3.png?fit=max&auto=format&n=z_BAgClWFf2GfboR&q=85&s=4bc071d51b81c8b8738013c3e5cf708b" alt="Action view active in the Scopes and Action Access section, showing actions with their required scopes and enabled toggles" style={{borderRadius: '6px'}} width="1534" height="720" data-path="images/integration_scopes3.png" />
If an action needs a scope that is not currently requested, hover the **Missing scope** badge. With the Odeus Client, enabling the action adds that scope to the requested scopes after you confirm the change.
<img src="https://mintcdn.com/odeus-34/z_BAgClWFf2GfboR/images/integration_scopes4.png?fit=max&auto=format&n=z_BAgClWFf2GfboR&q=85&s=1b51c668c3786375c31430969f8d52a3" alt="Hover tooltip on a Missing scope badge in the Odeus Client view, showing the message Enable action to add it to the requested OAuth scopes" style={{borderRadius: '6px'}} width="1534" height="542" data-path="images/integration_scopes4.png" />
### Confirm scope updates
When your change adds or removes a scope, Odeus shows a confirmation dialog before updating the requested scopes. After you confirm, users need to refresh their connection before the newly granted scope is available.
<img src="https://mintcdn.com/odeus-34/z_BAgClWFf2GfboR/images/integration_scopes5.png?fit=max&auto=format&n=z_BAgClWFf2GfboR&q=85&s=a20378f6121205c62bf9b44cedc74b2d" alt="Confirmation dialog shown when enabling an action introduces a new OAuth scope" style={{borderRadius: '6px'}} width="1536" height="530" data-path="images/integration_scopes5.png" />
> Existing connections keep their granted scopes until users refresh the connection or their access token expires.
### Manage action access
Each action can be available to all users or shared with specific users and groups. See [Manage Action Access](/en/admin/manage-integrations/manage-action-access) for how to control who can use an integration and its actions.
### What changes in this mode
| Change | Result |
| --------------------------------------------------------- | -------------------------------------------------------------------------------------------------------- |
| Enable an action | The action is enabled. Missing scopes are added after you confirm. |
| Disable an action | The action is disabled. Scopes are removed if no other enabled or shared action needs them. |
| Odeus adds an action whose required scopes are covered | The action follows **New actions enabled by default**. |
| Odeus adds an action with missing scopes | The action stays disabled until you enable it and confirm the scope change. |
| Odeus adds a scope to an existing action | The action keeps its current state. The scope is requested only if an enabled or shared action needs it. |
Use a custom OAuth client when your workspace runs on a dedicated deployment, or when you want your own branding, tenant policies, and rate limits on the consent screen.
See [Bring Your Own OAuth Client](/en/admin/manage-integrations/bring-your-own-oauth) for the setup steps.
Open **Configure OAuth Client** to choose how Odeus handles scopes for that integration.
<img src="https://mintcdn.com/odeus-34/z_BAgClWFf2GfboR/images/integration_scopes_custom_client1.png?fit=max&auto=format&n=z_BAgClWFf2GfboR&q=85&s=f2be4859895edeae931348a4d5ddeffd" alt="OAuth Client Credentials dialog with the Sync scopes with enabled actions toggle" style={{borderRadius: '6px'}} width="1686" height="1282" data-path="images/integration_scopes_custom_client1.png" />
### Sync scopes with enabled actions
Turn **Sync scopes with enabled actions** on when you want your custom OAuth client to behave like the Odeus Client. Odeus requests auth scopes plus the scopes required by enabled or shared actions.
This is the recommended setup if you mainly need your own OAuth client because the Odeus Client cannot be used. In this case, Odeus still keeps the requested scopes minimal and up to date with your enabled actions.
When you turn **Sync scopes with enabled actions** off, you manage the requested scopes yourself. You can either use Odeus's recommended scopes as a fixed list, or define custom scopes for your own setup.
### Use Fixed scopes
Turn **Sync scopes with enabled actions** off when you want to manage the requested scopes yourself. The OAuth client switches to **Fixed scopes** mode, and the Scopes field becomes the source of truth.
Use the controls next to the scope pills to reset to the recommended defaults, copy the full list, or edit scopes manually.
<img src="https://mintcdn.com/odeus-34/z_BAgClWFf2GfboR/images/integration_scopes_custom_client2.png?fit=max&auto=format&n=z_BAgClWFf2GfboR&q=85&s=38f1f7740895eaf8ee212e8e9ca50f68" alt="Scopes section of the OAuth Client dialog with Sync scopes with enabled actions turned off, showing manual scope editing with reset, copy, and edit controls" style={{borderRadius: '6px'}} width="1684" height="542" data-path="images/integration_scopes_custom_client2.png" />
Fixed scopes are useful when your security team reviews OAuth scopes separately from action access, or when you want the requested scopes to stay stable across action changes.
### Manage actions with Fixed scopes
Odeus still checks every action against the scopes your custom OAuth client requests.
* **Scope configured** means the action's required scopes are included in your client. You can enable the action normally.
* **Missing scope** means at least one required scope is not included in your client.
Hover **Missing scope** to see which scopes need to be added. The tooltip includes **Add it to your OAuth client configuration**, which opens the OAuth client dialog with the missing scopes prefilled.
<img src="https://mintcdn.com/odeus-34/z_BAgClWFf2GfboR/images/integration_scopes_custom_client3.png?fit=max&auto=format&n=z_BAgClWFf2GfboR&q=85&s=c78068b24e57fc4ca8faabcf5a6efa3c" alt="Tooltip on a Missing scope badge showing the Add it to your OAuth client configuration link" style={{borderRadius: '6px'}} width="1688" height="420" data-path="images/integration_scopes_custom_client3.png" />
### Confirm actions with missing scopes
If you enable an action with missing scopes, Odeus asks you to confirm first. The action can appear enabled, but it will not run until the missing scopes are added to the OAuth client.
<img src="https://mintcdn.com/odeus-34/z_BAgClWFf2GfboR/images/integration_scopes5.png?fit=max&auto=format&n=z_BAgClWFf2GfboR&q=85&s=a20378f6121205c62bf9b44cedc74b2d" alt="Confirmation dialog shown when enabling an action introduces a new OAuth scope" style={{borderRadius: '6px'}} width="1536" height="530" data-path="images/integration_scopes5.png" />
### Work with custom scopes
Some workspaces request different scopes than Odeus's defaults. A common Microsoft example is using `Sites.Selected` instead of `Sites.ReadWrite.All` for SharePoint, so Odeus can only access selected sites.
Odeus compares actions against the scopes they declare. If an action declares `Sites.ReadWrite.All`, it may still show **Missing scope** even when `Sites.Selected` gives the action enough access in your tenant.
To use custom scopes:
Open **Configure OAuth Client**, turn **Sync scopes with enabled actions** off, and enter the exact scopes you want Odeus to request.
In **Manage Odeus-built integrations**, turn **New actions enabled by default** off.
Enable each action after you confirm that it works with your custom scopes.
When Odeus adds actions, review whether they can run with your custom scopes. Use the [Export scope configuration](#export-scope-configuration) CSV to share the review with your OAuth client admin.
### What changes in this mode
| Change | Result |
| ---------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Enable an action with configured scopes | The action is enabled. The requested scopes do not change. |
| Enable an action with missing scopes and scope sync on | Odeus adds the missing scopes to the requested scopes after you confirm. |
| Enable an action with missing scopes and Fixed scopes | The action can be enabled after confirmation, but it may not run unless your custom scopes provide the required access. Review this before enabling the action for users. |
| Add a scope to the OAuth client | Actions that need the scope can now be enabled and run. |
| Remove a scope from the OAuth client | Actions that need the scope show **Missing scope**. They remain enabled, but fail to run until you add it back or confirm that your custom scopes provide the required access. |
| Odeus adds an action with configured scopes and scope sync on | The action follows **New actions enabled by default**. |
| Odeus adds an action with configured scopes and Fixed scopes | The action stays disabled until you review and enable it. |
| Odeus adds an action with missing scopes | The action stays disabled until you add the scope and enable it, or until you enable it manually after confirming that your custom scopes provide the required access. |
> Pair **Fixed scopes** with **New actions enabled by default** turned off. New actions will not appear enabled before you review their scopes.
Native actions
Native actions power core Odeus features and are always enabled.
<img src="https://mintcdn.com/odeus-34/z_BAgClWFf2GfboR/images/integration_scopes6.png?fit=max&auto=format&n=z_BAgClWFf2GfboR&q=85&s=679a085781e4047e2436ab0aeaaaa853" alt="Native action row with the NATIVE badge and always-enabled note" style={{borderRadius: '6px'}} width="1536" height="448" data-path="images/integration_scopes6.png" />
Native actions support:
- File attachments from integrations in chat and Agents.
- Folder syncing.
- Company Knowledge.
- Access checks for synchronized attachments from integrations.
- Resolving IDs to resource names in action calls and Workflows.
When you use the Odeus Client or a custom OAuth client with Sync scopes with enabled actions turned on, native action scopes cannot be removed from the requested scopes. With a custom OAuth client that uses Fixed scopes, you can configure a setup where Odeus does not request the scopes required for native actions.
Not requesting scopes required for native actions can break platform functionality for the features listed above. It can also affect the user experience beyond direct integration usage in chat, Agents, or Workflows.
Export scope configuration
Click Export scope configuration to download a CSV of the current action and scope configuration.
<img src="https://mintcdn.com/odeus-34/z_BAgClWFf2GfboR/images/integration_scopes7.png?fit=max&auto=format&n=z_BAgClWFf2GfboR&q=85&s=0d1c56c2e3482c248a39fe0d5b5b0210" alt="Export scope configuration button at the top of the Scopes and Action Access section, with its tooltip explaining what the CSV contains" style={{borderRadius: '6px'}} width="1534" height="460" data-path="images/integration_scopes7.png" />
The export includes each action's name, description, required scopes, enabled state, and sharing configuration. Use it when you need to review integration access with your security team or the admin who manages your OAuth provider.
FAQ
The action is disabled when **New actions enabled by default** is off in the integration settings, or when the active OAuth client for this integration does not request all scopes required by the action.
You can manually enable the action based on your OAuth setup. This may add permissions to the requested scopes. If you use Fixed scopes, add the missing scopes to your OAuth client first.
To enable future actions automatically when all required scopes are already part of the OAuth client, turn **New actions enabled by default** on.
The toggle only appears for custom OAuth clients. The Odeus Client always syncs scopes with enabled and shared actions.
Existing connections keep the scopes granted at connection time. After you add a scope, users need to refresh their connection before the new scope is granted.
Confirm that the scope is listed in the Odeus OAuth client configuration and as an API permission in your Azure app registration. If admin consent is required, confirm that it has been granted.
Yes. Turn **New actions enabled by default** off. Existing actions keep their current state. Future actions are disabled until you review them.
Yes. Each workspace configures its own OAuth client per integration.
With the Odeus Client or a custom OAuth client with **Sync scopes with enabled actions** turned on, Odeus removes a scope only when no enabled or shared action needs it. Auth scopes such as `offline_access` and `openid` are always requested.
With Fixed scopes, Odeus never changes the requested scopes automatically.
Related pages
-
Bring Your Own OAuth Client — Set up a custom OAuth application for an integration.
-
Integrations settings — Review action access in your workspace.
-
Microsoft — Grant tenant-wide admin consent for Microsoft integrations.
-
Integrations Guide — Learn how integrations work in Odeus.