diff --git a/pkg/scopes/scopes.go b/pkg/scopes/scopes.go
new file mode 100644
index 0000000..4c5a4bb
--- /dev/null
+++ b/pkg/scopes/scopes.go
@@ -0,0 +1,29 @@
+package scopes
+
+import (
+	"fmt"
+	"strings"
+)
+
+const (
+	OpenID           = "openid"
+	AzureAPITemplate = "api://%s/.default"
+)
+
+type Scopes []string
+
+func (s Scopes) String() string {
+	return strings.Join(s, " ")
+}
+
+func (s Scopes) WithAdditional(scopes ...string) Scopes {
+	return append(s, scopes...)
+}
+
+func (s Scopes) WithAzureScope(clientID string) Scopes {
+	return append(s, fmt.Sprintf(AzureAPITemplate, clientID))
+}
+
+func Defaults() Scopes {
+	return []string{OpenID}
+}
diff --git a/pkg/token/token.go b/pkg/token/token.go
index a8d8baa..5ae75f0 100644
--- a/pkg/token/token.go
+++ b/pkg/token/token.go
@@ -8,8 +8,6 @@ import (
 	"golang.org/x/oauth2"
 )
 
-const ScopeOpenID = "openid"
-
 type IDToken struct {
 	Raw   string
 	Token jwt.Token