diff --git a/backend/app/services/auth_service.py b/backend/app/services/auth_service.py
index b2e3d62..464ecd4 100644
--- a/backend/app/services/auth_service.py
+++ b/backend/app/services/auth_service.py
@@ -99,12 +99,14 @@ async def verify_access_token(token: str) -> Optional[dict]:
 return None
 # Verify and decode the token
+ # For ID tokens with OpenID scopes, audience is the client ID
+ # and issuer uses the v2.0 endpoint
 claims = jwt.decode(
 token,
 rsa_key,
 algorithms=["RS256"],
- audience=f"api://{settings.AZURE_CLIENT_ID}",
- issuer=f"https://sts.windows.net/{settings.AZURE_TENANT_ID}/",
+ audience=settings.AZURE_CLIENT_ID,
+ issuer=f"https://login.microsoftonline.com/{settings.AZURE_TENANT_ID}/v2.0",
 )
 logger.info(f"Token verified for user: {claims.get('name', 'unknown')}")
diff --git a/frontend/services/authConfig.ts b/frontend/services/authConfig.ts
index 0f2ef94..82c846e 100644
--- a/frontend/services/authConfig.ts
+++ b/frontend/services/authConfig.ts
@@ -41,12 +41,12 @@ export const msalConfig: Configuration = {
 };
 // Scopes for the access token
-// Using .default for single-tenant apps to get all configured API permissions
+// Using basic OpenID scopes for authentication
 export const loginRequest: PopupRequest = {
- scopes: [`api://${import.meta.env.VITE_AZURE_CLIENT_ID || ''}/.default`],
+ scopes: ['openid', 'profile', 'email'],
 };
 // Scopes for API calls (same as login for this app)
 export const apiTokenRequest = {
- scopes: [`api://${import.meta.env.VITE_AZURE_CLIENT_ID || ''}/.default`],
+ scopes: ['openid', 'profile', 'email'],
 };
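Review bot: The new `audience=settings.AZURE_CLIENT_ID` check makes the backend accept tokens issued to the SPA client itself — ID tokens, as the added comment says — as the bearer credential, while the function is still named `verify_access_token`; an ID token is meant for the client that requested it, not as proof of authorization to a separate API, and with this audience the check no longer distinguishes this backend from any other consumer of that client's tokens. The frontend hunk in `authConfig.ts` shares the problem: `apiTokenRequest` now asks only for `openid`, `profile`, `email`, so the access token MSAL returns for those scopes is not issued for this API and the ID token is presumably what gets sent on API calls. Prefer exposing a scope on the backend app registration, requesting that scope in `apiTokenRequest`, and validating the access token against the API's own audience as the removed lines did; if accepting ID tokens is intentional, document it at the decode call, e.g. `# NOTE: validates an ID token (aud = SPA client id), not an API access token; any caller holding a token minted for the SPA client is trusted`. The enclosing function starts before the hunk and continues after it.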