I'm working on getting our existing service, which uses ADAL to get access tokens for SharePoint Online REST APIs, working using MSAL / v2.0 auth. We are using APIs that are NOT in the Graph API, so this is why we use the SPO APIs (i.e. https://yourtenant.sharepoint.com/_api/foo). In ADAL you use a Resource to get your token and it's always https://yourtenant.sharepoint.com, for any API for any site collection in your tenant. In switching to MSAL / v2.0 auth, I have yet to find a SCOPE that works - meaning I get an access token, but never with correct permissions. In my app registration in Azure, it shows the permission scope we use as https://microsoft.sharepoint-df.com/Sites.Read.All. So here are some examples that we've tried:
SCOPE: https://microsoft.sharepoint-df.com/.default (using the .default scope as recommended for v1.0 APIs) RESULT: "Invalid audience Uri 'https://microsoft.sharepoint-df.com/'.";category="invalid_client"
SCOPE: https://office365mon.sharepoint.com/.default (using the same style as Resource URI for v1.0) RESULT: X-MSDAVEXT_Error: 917656; Access denied. Before opening files in this location, you must first browse to the web site and select the option to login automatically.
SCOPE: https://microsoft.sharepoint.com/.default (trying it without the -df on sharepoint) RESULT: "Invalid audience Uri 'https://microsoft.sharepoint.com/'.";category="invalid_client"
SCOPE: https://office365mon.sharepoint.com/Sites.Read.All (treating it like a v2.0 scope; also tried it with microsoft.sharepoint-df.com/Sites.Read.All) RESULT: The application 'foo' asked for scope 'Sites.Read.All' that doesn't exist on the resource '00000003-0000-0ff1-ce00-000000000000'. Contact the app vendor.
The other thing that I think is odd about this is that when I used the SCOPE that I think should be it - https://microsoft.sharepoint-df.com/.default - when I get an access token from an authorization code, it returns two SCOPES, one of which makes no sense at all. It returns "https://microsoft.sharepoint-df.com/Mail.ReadWrite https://microsoft.sharepoint-df.com/.default". There is no "Mail.ReadWrite" scope for SharePoint, we don't ask for that scope, so I can't help but wonder if that is part of the problem related to the "invalid audience" error it throws when using it.
So I'm looking to see if there are any known issues with this right now, or any known working versions.
For the SP API the valid scope would be "https://{your tenant name}.sharepoint.com/.default"
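As an added example, not code from either the question or the answer above: this builds the tenant-specific `.default` scope the answer recommends and then inspects the returned access token's `aud` and `scp`/`roles` claims before the token is sent to `https://{tenant}.sharepoint.com/_api/...`. A token whose audience is anything other than the tenant's SharePoint URL (or the SharePoint Online application ID `00000003-0000-0ff1-ce00-000000000000`, the resource ID quoted in the question's last error) is exactly the kind of token that produces the "Invalid audience Uri" responses listed above. The tenant name `office365mon` is taken from the question; the sample tokens are constructed, unsigned JWTs used only so the check runs offline, and the MSAL call is a plain client-credentials flow that is not exercised here.

```python
"""Build the SharePoint Online scope for MSAL and sanity-check the token's audience."""
import base64
import json

# Application (client) ID of the SharePoint Online resource, as shown in the
# "doesn't exist on the resource" error quoted in the question above.
SPO_RESOURCE_APP_ID = "00000003-0000-0ff1-ce00-000000000000"


def spo_scope(tenant: str) -> str:
    """v2.0 scope requesting every statically consented SPO permission for one tenant."""
    return f"https://{tenant}.sharepoint.com/.default"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature.

    This is for inspecting a token you just received from the token endpoint;
    SharePoint (the resource server) is the party that validates the signature.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_spo_audience(token: str, tenant: str) -> tuple:
    """Return (ok, reason): will https://{tenant}.sharepoint.com accept this token?

    The audience must be the tenant's SPO URL (with or without a trailing slash)
    or the SPO application ID, and the token must carry 'scp' (delegated) or
    'roles' (app-only); otherwise it grants no SharePoint permissions at all.
    """
    claims = jwt_claims(token)
    aud = claims.get("aud", "")
    expected = {
        f"https://{tenant}.sharepoint.com",
        f"https://{tenant}.sharepoint.com/",
        SPO_RESOURCE_APP_ID,
    }
    if aud not in expected:
        return False, f"audience {aud!r} is not the SharePoint resource for tenant {tenant!r}"
    perms = claims.get("scp") or " ".join(claims.get("roles", []))
    if not perms:
        return False, "token has neither 'scp' nor 'roles': no SharePoint permissions granted"
    return True, f"audience ok, permissions: {perms}"


def _make_unsigned_jwt(payload: dict) -> str:
    """Constructed demo token (alg=none, empty signature); never issued by Azure AD."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample tokens: one usable, one with the wrong audience, one with no permissions.
GOOD_TOKEN = _make_unsigned_jwt({"aud": "https://office365mon.sharepoint.com", "scp": "AllSites.Read"})
WRONG_AUD_TOKEN = _make_unsigned_jwt({"aud": "https://microsoft.sharepoint-df.com/", "scp": "AllSites.Read"})
NO_PERMS_TOKEN = _make_unsigned_jwt({"aud": "https://office365mon.sharepoint.com"})


def acquire_spo_token(client_id: str, tenant_id: str, client_secret: str, tenant: str) -> str:
    """Client-credentials flow with MSAL; requires the msal package and network access."""
    import msal  # lazy import so the offline helpers above run without it
    app = msal.ConfidentialClientApplication(
        client_id,
        authority=f"https://login.microsoftonline.com/{tenant_id}",
        client_credential=client_secret,
    )
    result = app.acquire_token_for_client(scopes=[spo_scope(tenant)])
    if "access_token" not in result:
        raise RuntimeError(result.get("error_description", result))
    ok, reason = check_spo_audience(result["access_token"], tenant)
    if not ok:
        raise RuntimeError(reason)
    return result["access_token"]


if __name__ == "__main__":
    print(spo_scope("office365mon"))
    for name, tok in [("good", GOOD_TOKEN), ("wrong aud", WRONG_AUD_TOKEN), ("no perms", NO_PERMS_TOKEN)]:
        print(name, check_spo_audience(tok, "office365mon"))
```

Run it as-is to see the three checks; wire `acquire_spo_token` to your app registration to get a real token. The audience check is deliberately separate from signature verification: the client only needs to confirm it asked the token endpoint for the right resource, which is the mistake the scope variations in the question all make.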