How does SqlClient get the 'scope' of Azure SQL Server when using Azure Active Directory as the authentication method?


As I understand it, to get selective authorization for a protected resource using the Azure AD based OAuth 2.0 mechanism, a client application needs to mandatorily provide the scope URL for getting an access token. Other parameters usually include client ID, client secret (in the case of the Service Principal auth flow), Azure AD username and password, etc.

SqlClient has integrated the Azure AD OAuth mechanism with SqlClient for authorizing a database connection. So, I guess SqlClient also needs these parameters for establishing a connection to Azure SQL server using the Azure Active Directory authentication method. But I don't see that it accepts any scope from the client application. How does SqlClient get the scope for a particular Azure SQL server instance? I see that it gets something as Federated Authentication Info from the server but I don't understand it completely.

There is 1 best solution below

The scope required for SQL Server authentication access tokens is https://database.windows.net/.default, which stands for the default scopes/permissions for the https://database.windows.net/ resource.

Once an access token is obtained, you pass it through the SqlConnection.AccessToken property.
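
The flow described in the answer, as an added example that is not part of the original answer: request a token for the `https://database.windows.net/.default` scope, cache it until shortly before expiry, and hand it to `SqlConnection.AccessToken`. It assumes the Azure.Identity and Microsoft.Data.SqlClient packages; the class name `AzureSqlTokenAuth`, its helpers, and the server and database arguments are hypothetical.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Data.SqlClient;

// Hypothetical helper class for this example.
public static class AzureSqlTokenAuth
{
    // Scope named in the answer: the ".default" scope of the Azure SQL resource.
    private const string SqlScope = "https://database.windows.net/.default";

    // Assumption: DefaultAzureCredential (managed identity, environment, CLI login, ...).
    private static readonly TokenCredential Credential = new DefaultAzureCredential();
    private static readonly SemaphoreSlim Gate = new SemaphoreSlim(1, 1);
    private static AccessToken _cached; // default value has a past ExpiresOn, so it counts as expired

    // Returns a cached token, refreshing it when it is within 5 minutes of expiry.
    private static async Task<string> GetTokenAsync(CancellationToken ct)
    {
        await Gate.WaitAsync(ct);
        try
        {
            if (_cached.ExpiresOn <= DateTimeOffset.UtcNow.AddMinutes(5))
                _cached = await Credential.GetTokenAsync(
                    new TokenRequestContext(new[] { SqlScope }), ct);
            return _cached.Token; // treat as a secret: never log it
        }
        finally { Gate.Release(); }
    }

    public static async Task<SqlConnection> OpenAsync(
        string server, string database, CancellationToken ct = default)
    {
        // No User ID, Password, Integrated Security or Authentication keyword here:
        // SqlClient throws if AccessToken is combined with any of them.
        var csb = new SqlConnectionStringBuilder
        {
            DataSource = server,        // placeholder, e.g. "<your-server>.database.windows.net"
            InitialCatalog = database,  // placeholder database name
            Encrypt = true,
            TrustServerCertificate = false
        };
        var conn = new SqlConnection(csb.ConnectionString);
        conn.AccessToken = await GetTokenAsync(ct); // must be set before the connection is opened
        await conn.OpenAsync(ct);
        return conn;
    }
}
```

The token is only checked when a connection is opened, so a long-lived pooled application should call `OpenAsync` per unit of work rather than holding one connection past the token lifetime.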