diff --git a/src/cli/onefuzz/api.py b/src/cli/onefuzz/api.py
index 31779416a..549a900d7 100644
--- a/src/cli/onefuzz/api.py
+++ b/src/cli/onefuzz/api.py
@@ -1499,6 +1499,7 @@ class Onefuzz:
 client_id: Optional[str] = None,
 client_secret: Optional[str] = None,
 enable_feature: Optional[PreviewFeature] = None,
+ tenant_domain: Optional[str] = None,
 ) -> BackendConfig:
 """ Configure onefuzz CLI """
 self.logger.debug("set config")
@@ -1525,6 +1526,8 @@ class Onefuzz:
 self._backend.config.client_secret = client_secret
 if enable_feature:
 self._backend.enable_feature(enable_feature.name)
+ if tenant_domain is not None:
+ self._backend.config.tenant_domain = tenant_domain
 self._backend.app = None
 self._backend.save_config()
diff --git a/src/cli/onefuzz/backend.py b/src/cli/onefuzz/backend.py
index 8909990fc..784f6a46e 100644
--- a/src/cli/onefuzz/backend.py
+++ b/src/cli/onefuzz/backend.py
@@ -63,6 +63,7 @@ class BackendConfig(BaseModel):
 client_secret: Optional[str]
 endpoint: Optional[str]
 features: Set[str] = Field(default_factory=set)
+ tenant_domain: Optional[str]
 class Backend:
@@ -145,7 +146,13 @@ class Backend:
 if not self.config.endpoint:
 raise Exception("endpoint not configured")
- scopes = [self.config.endpoint + "/.default"]
+ if self.config.tenant_domain:
+ endpoint = urlparse(self.config.endpoint).netloc.split(".")[0]
+ scopes = [
+ "https://" + self.config.tenant_domain + "/" + endpoint + "/.default"
+ ]
+ else:
+ scopes = [self.config.endpoint + "/.default"]
 if self.config.client_secret:
 return self.client_secret(scopes)
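Review bot: `tenant_domain` is written to the saved config exactly as supplied in the `-1525,6 +1526,8` hunk of api.py, and backend.py later concatenates it into the OAuth scope as `"https://" + self.config.tenant_domain + "/" + ...`, so a value carrying a scheme, a slash or stray whitespace yields a scope for a resource the user did not intend. Normalise and reject it at config time, e.g. `tenant_domain = tenant_domain.strip()` followed by `if "/" in tenant_domain: raise Exception("tenant_domain must be a bare domain name")`; an empty string should still pass, since in the visible code it is the only way to clear the setting. The one-line docstring `""" Configure onefuzz CLI """` would benefit from a sentence saying what `tenant_domain` is for and that an empty string resets it. The enclosing method starts and ends outside this hunk.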
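Review bot: In the `-145,7 +146,13` hunk of backend.py, `urlparse(self.config.endpoint).netloc.split(".")[0]` evaluates to an empty string when the configured endpoint has no scheme (urlparse then leaves `netloc` empty), so the scope silently becomes `https://<tenant_domain>//.default` and the mistake only surfaces later as an opaque token error. `netloc` also keeps any port or userinfo, so prefer `.hostname` and fail early: `host = urlparse(self.config.endpoint).hostname` then `if not host: raise Exception("endpoint must be an absolute URL")`. The scope selects the audience of the token the CLI requests, and taking the first DNS label presumably assumes it matches the path of the app registration's identifier URI, which may not hold for an instance behind a custom domain; a short comment stating that assumption would help. `urlparse` is not imported in any visible hunk, so confirm backend.py already imports it from `urllib.parse`. The enclosing method starts and ends outside the hunk.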