Question: Clarification on communicating with multiple APIs and OBO tokens (esp. management.azure.com)

Context I’m successfully using MSAL to authenticate users against an AD app in an Azure AD

I have a CCA talking to https://login.microsoftonline.com/<tenant> and performing AcquireTokenOnBehalfOfAsync, giving me valid OBO token which works as authorization against graph.windows.net

Note Some of this question may be better aimed at the Azure team but I hope I can get some response as to whether my expectations are correct

Question My goal is to use an OBO token to communicate with the Azure resource graph via management.azure.com

In the Azure portal I can add Azure management API user_impersonation as a scope to my application like so:

This is desirable because I want to be able to talk to management.azure.com

What I do not understand is how to actually consume this API

• The portal divides scopes by API, and I’m not sure what this actually means. For example, when acquiring an OBO token, I cannot just add user_impersonation as a scope since it does not work
• Should I be using an additional CCA to establish communication with management.azure.com? (wherein user_impersonation will be an acceptable scope?)
• Am I correct in assuming that OBO tokens (or any tokens for that matter) are scoped by API?

Additionally:

• Is user_impersonation really what I want in this instance? This permission is in preview and the documentation doesn’t really explain a lot about it. Is it a good thing to be using or is it, for example, in preview because it’s a legacy compatibility measure or something?

TLDR How do I use MSAL to get valid tokens across multiple APIs (e.g. management.azure.com especially) and how does OBO work in this situation? Are OBO tokens API scoped?