diff --git a/backend/imap-idle/index.mjs b/backend/imap-idle/index.mjs
index 82ce72f..8c5bef5 100644
--- a/backend/imap-idle/index.mjs
+++ b/backend/imap-idle/index.mjs
@@ -173,11 +173,16 @@ function encrypt(plaintext) {
 const MS_TOKEN_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
+// MUSS identisch zu backend/server/utils/ms-oauth.ts MS_OAUTH_SCOPES sein.
+// Microsoft V2.0 erlaubt im /token-Exchange nur Scopes EINES Resource-Servers
+// — `User.Read` (graph.microsoft.com) mit `IMAP.AccessAsUser.All`
+// (outlook.office.com) wirft AADSTS70011. `email` ist ein OIDC-Standard-Scope
+// und damit cross-resource-kompatibel; liefert den email-Claim ins id_token.
 const MS_OAUTH_SCOPES = [
   "https://outlook.office.com/IMAP.AccessAsUser.All",
   "offline_access",
   "openid",
-  "User.Read",
+  "email",
 ].join(" ");
 /**