Explain alternative scope values for O365 via regional providers
simonrob committed Jun 5, 2024
1 parent 3468e1a commit a5e5415
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions emailproxy.config
Expand Up @@ -109,6 +109,13 @@ documentation = Accounts are specified using your email address as the section h
in the example below) in order to allow the proxy to refresh its access token on your behalf. The proxy will still
work if this parameter is not included, but you will need to re-authenticate extremely often (about once per hour).

- The example Office 365 configuration entries below use an OAuth 2.0 scope that clearly specifies IMAP, POP and
SMTP permission. If you do not require one or more of these protocols, you may remove the relevant values to ensure
the access tokens obtained on your behalf are as precisely-targeted as possible. Conversely, it is also possible to
replace these specific scopes with the more generic `https://outlook.office365.com/.default`. Switching to a broader
scope value may also be needed if you are using a version of O365 delivered by a regional provider (e.g., 21Vianet).
See: https://github.com/simonrob/email-oauth2-proxy/issues/255 for more details and discussion.

- By default, new Entra (Azure AD) clients are accessible only within your own tenant. If you are registering a new
client to use with the proxy (and do not want to make it available outside your own organisation) you will need to
replace `common` with your tenant ID in the Office 365 `permission_url` and `token_url` values below. Alternatively,
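
Review bot: the sentence beginning "Conversely" in the new bullet offers `https://outlook.office365.com/.default` as a straight replacement without stating its cost, directly after advising that tokens be "as precisely-targeted as possible". Suggest adding a clause saying that the broader scope gives up that per-protocol targeting, so the specific IMAP, POP and SMTP scopes should stay unless they do not work, for example with a regional provider such as 21Vianet. The phrase "may also be needed" gives no hint of how a user would recognise that case; a few words on the symptom, alongside the link to issue 255, would help. Minor style point: "See: https://github.com/... for more details" reads more cleanly without the colon.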
