Dynamics CRM 2016 authentication scope

I am having issues authenticating a user with Azure to work with a CRM 2016 on-premise instance. A token is created, but it doesn't actually grant permission to access anything; I get 401s or error-page HTML, depending on the specifics of the token generation request, when making subsequent calls with the token.

While I'm looking at other possible problems, this struck me as odd in the return body of the token generation request.

{"token_type":"Bearer","scope":"User.Read","expires_in":"3599","ext_expires_in":"0","expires_on":"1507718481","not_before":"1507714581","resource":"<snip>","access_token": "<snip"}

The scope value seems to be implying that the only access I've been given is to read the user's profile. Am I reading that right?

If so, how would I go about fixing that? All the documentation I read implies that being authenticated as a user gives you all their permissions. Would this be some kind of conflict between the user's permissions on the Azure instance and the CRM? (I'm new to Microsoft's business applications; I'm not certain how users are shared between the two.)