diff --git a/backend/open_webui/utils/oauth.py b/backend/open_webui/utils/oauth.py
index e8527fce4b..9a35e30c3f 100644
--- a/backend/open_webui/utils/oauth.py
+++ b/backend/open_webui/utils/oauth.py
@@ -513,10 +513,12 @@ async def get_oauth_client_info_with_static_credentials(
             log.error(f'Error parsing OAuth metadata from {url}: {e}')
             continue
 
-        # Determine scope from server metadata if available
+        # Let the OAuth provider apply its default scopes.
+        # We intentionally do NOT join all scopes_supported here — that list
+        # represents every scope the server *can* grant, not what the client
+        # should request. Requesting all of them is almost always wrong and
+        # can break providers like Entra ID that require resource-specific scopes.
         scope = None
-        if oauth_server_metadata and oauth_server_metadata.scopes_supported:
-            scope = ' '.join(oauth_server_metadata.scopes_supported)
 
         # Determine token_endpoint_auth_method
         token_endpoint_auth_method = 'client_secret_post'
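Review bot: Hard-coding `scope = None` swaps one extreme for the other — the granted permission set is now whatever the provider's default happens to be, which the client neither controls nor can audit, and on providers whose default does not include `openid` the response may carry no ID token or `email` claim, leaving downstream account mapping with nothing to match on. A least-privilege middle ground is to request only the minimal OIDC set when the metadata advertises it, e.g. `wanted = ('openid', 'email', 'profile')`, `supported = set(oauth_server_metadata.scopes_supported or ()) if oauth_server_metadata else set()`, `scope = ' '.join(s for s in wanted if s in supported) or None`. Whether the caller consumes ID-token claims is outside this hunk, so confirm that before changing; if `None` is kept, the new comment should also state that the consumer omits the `scope` parameter from the authorization request rather than sending an empty string, since an empty `scope=` is rejected by some servers. The enclosing function `get_oauth_client_info_with_static_credentials` starts and ends outside the hunk.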