diff --git a/app/src/main/java/eu/faircode/email/ServiceAuthenticator.java b/app/src/main/java/eu/faircode/email/ServiceAuthenticator.java
index 5198218220..3cb4887ab8 100644
--- a/app/src/main/java/eu/faircode/email/ServiceAuthenticator.java
+++ b/app/src/main/java/eu/faircode/email/ServiceAuthenticator.java
@@ -24,6 +24,7 @@ import static eu.faircode.email.GmailState.TYPE_GOOGLE;
 import android.accounts.AuthenticatorException;
 import android.accounts.OperationCanceledException;
 import android.content.Context;
+import android.text.TextUtils;
 
 import androidx.annotation.NonNull;
 
@@ -41,6 +42,8 @@ import org.json.JSONException;
 
 import java.io.IOException;
 import java.util.Date;
+import java.util.LinkedHashMap;
+import java.util.Map;
 import java.util.Objects;
 import java.util.concurrent.Semaphore;
 import java.util.concurrent.TimeUnit;
@@ -182,6 +185,10 @@ public class ServiceAuthenticator extends Authenticator {
             ErrorHolder holder = new ErrorHolder();
             Semaphore semaphore = new Semaphore(0);
 
+            Map<String, String> params = new LinkedHashMap<>();
+            if (provider.oauth.tokenScopes)
+                params.put("scope", TextUtils.join(" ", provider.oauth.scopes));
+
             Log.i("OAuth refresh user=" + id + ":" + user);
             AppAuthConfiguration config = new AppAuthConfiguration.Builder()
                     .setBrowserMatcher(new BrowserMatcher() {
@@ -195,6 +202,7 @@ public class ServiceAuthenticator extends Authenticator {
             authState.performActionWithFreshTokens(
                     authService,
                     clientAuth,
+                    //params,
                     new AuthState.AuthStateAction() {
                         @Override
                         public void execute(String accessToken, String idToken, AuthorizationException error) {
diff --git a/app/src/main/res/xml/providers.xml b/app/src/main/res/xml/providers.xml
index 8ed0ff448f..e4a9f742ee 100644
--- a/app/src/main/res/xml/providers.xml
+++ b/app/src/main/res/xml/providers.xml
@@ -189,7 +189,11 @@
             redirectUri="msauth.eu.faircode.email://auth"
             scopes="profile,openid,email,offline_access,https://outlook.office.com/IMAP.AccessAsUser.All,https://outlook.office.com/SMTP.Send,https://outlook.office.com/POP.AccessAsUser.All"
             tokenEndpoint="https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
-            tokenScopes="true" />
+            tokenScopes="true">
+            <!--parameter
+                key="domain_hint"
+                value="9188040d-6c67-4c5b-b112-36a304b66dad" /-->
+        </oauth>
         <!-- https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow -->
         <!-- https://docs.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth -->
         <!-- https://learn.microsoft.com/en-us/azure/active-directory/develop/redirect-uris-ios -->