After reading another article on this site, "Azure AD Authentication (REST via JavaScript / Angular)" (Experts’ Corner, Epicor User Help Forum), I see that the scope should have /user_impersonation at the end, but if I don’t put in .default I get an error: "client credential flows must have a scope value with /.default suffixed to the resource identifier (application ID URI)".
What should my scope really be? I also don’t understand the comment about changing the name of the scope in what appears to be the SSO setup. Should that have /user_impersonation on it?