diff --git a/Cargo.toml b/Cargo.toml
index 3cb7dbd..2a3ca79 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -39,7 +39,7 @@ tracing-subscriber = "^0.3.17"
 tracing = "^0.1.37"
 himmelblau_unix_common = { path = "src/common" }
 kanidm_unix_common = { path = "src/glue" }
-libhimmelblau = { version = "0.3.5" }
+libhimmelblau = { version = "0.3.6" }
 clap = { version = "^4.5", features = ["derive", "env"] }
 clap_complete = "^4.4.1"
 reqwest = { version = "^0.12.2", features = ["json"] }
diff --git a/src/common/src/idprovider/himmelblau.rs b/src/common/src/idprovider/himmelblau.rs
index e8daf09..abbe4d8 100644
--- a/src/common/src/idprovider/himmelblau.rs
+++ b/src/common/src/idprovider/himmelblau.rs
@@ -604,7 +604,7 @@ impl IdProvider for HimmelblauProvider {
             .await
             .exchange_prt_for_access_token(
                 &prt,
-                vec!["User.Read"],
+                vec![],
                 Some("https://graph.microsoft.com".to_string()),
                 tpm,
                 machine_key,
@@ -687,7 +687,7 @@ impl IdProvider for HimmelblauProvider {
                     .await
                     .acquire_token_by_refresh_token(
                         &$token.refresh_token,
-                        vec!["User.Read"],
+                        vec![],
                         Some("https://graph.microsoft.com".to_string()),
                         tpm,
                         machine_key,
@@ -711,7 +711,7 @@ impl IdProvider for HimmelblauProvider {
                                         .await
                                         .acquire_token_by_refresh_token(
                                             &$token.refresh_token,
-                                            vec!["User.Read"],
+                                            vec![],
                                             Some("https://graph.microsoft.com".to_string()),
                                             tpm,
                                             machine_key,
@@ -740,7 +740,7 @@ impl IdProvider for HimmelblauProvider {
                     .acquire_token_by_hello_for_business_key(
                         account_id,
                         &$hello_key,
-                        vec!["User.Read"],
+                        vec![],
                         Some("https://graph.microsoft.com".to_string()),
                         tpm,
                         machine_key,
diff --git a/src/daemon/src/broker.rs b/src/daemon/src/broker.rs
index e0874d9..68d71e6 100644
--- a/src/daemon/src/broker.rs
+++ b/src/daemon/src/broker.rs
@@ -89,10 +89,9 @@ impl HimmelblauBroker for Broker {
         if request.account.username.to_lowercase() != user.spn.to_lowercase() {
             return Err("Invalid request for user!".into());
         }
-        let scopes = vec![];
         let token = self
             .cachelayer
-            .get_user_accesstoken(Id::Name(user.spn), scopes)
+            .get_user_accesstoken(Id::Name(user.spn), request.auth_parameters.requested_scopes)
             .await
             .ok_or("Failed to authenticate user")?;
         let now = SystemTime::now()