diff --git a/modules/apigee_edge_teams/apigee_edge_teams.services.yml b/modules/apigee_edge_teams/apigee_edge_teams.services.yml
index 638c85406..ef4cabc43 100644
--- a/modules/apigee_edge_teams/apigee_edge_teams.services.yml
+++ b/modules/apigee_edge_teams/apigee_edge_teams.services.yml
@@ -157,3 +157,7 @@ services:
     class: Drupal\apigee_edge_teams\User\RemoveTeamRolesOfUserSynchronousPostUserDeleteActionPerformer
     decorates: apigee_edge.post_user_delete_action_performer
     arguments: [ '@apigee_edge_teams.post_user_delete_action_performer.inner', '@entity_type.manager', '@logger.channel.apigee_edge_teams' ]
+
+  apigee_edge_teams.app_group_scope_manager:
+    class: Drupal\apigee_edge_teams\Service\AppGroupScopeManager
+    arguments: ['@apigee_edge.sdk_connector', '@apigee_edge.controller.organization']
diff --git a/modules/apigee_edge_teams/src/Service/AppGroupScopeManager.php b/modules/apigee_edge_teams/src/Service/AppGroupScopeManager.php
new file mode 100644
index 000000000..357287e96
--- /dev/null
+++ b/modules/apigee_edge_teams/src/Service/AppGroupScopeManager.php
@@ -0,0 +1,83 @@
+<?php
+
+/**
+ * Copyright 2025 Google Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * version 2 as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301, USA.
+ */
+
+namespace Drupal\apigee_edge_teams\Service;
+
+use Drupal\apigee_edge\Entity\Controller\OrganizationControllerInterface;
+use Drupal\apigee_edge\SDKConnectorInterface;
+use Apigee\Edge\Api\ApigeeX\Controller\AppGroupAppCredentialController;
+use Apigee\Edge\Api\Management\Entity\AppCredentialInterface;
+
+/**
+ * Handles AppGroup scopes after API products have been added to a credential.
+ */
+class AppGroupScopeManager {
+
+  /**
+   * The SDK connector.
+   *
+   * @var \Drupal\apigee_edge\SDKConnectorInterface
+   */
+  protected $sdkConnector;
+
+  /**
+   * The organization controller.
+   *
+   * @var \Drupal\apigee_edge\Entity\Controller\OrganizationControllerInterface
+   */
+  protected $organizationController;
+
+  /**
+   * AppGroupScopeManager constructor.
+   *
+   * @param \Drupal\apigee_edge\SDKConnectorInterface $sdkConnector
+   *   The SDK connector.
+   * @param \Drupal\apigee_edge\Entity\Controller\OrganizationControllerInterface $organizationController
+   *   The organization controller.
+   */
+  public function __construct(SDKConnectorInterface $sdkConnector, OrganizationControllerInterface $organizationController) {
+    $this->sdkConnector = $sdkConnector;
+    $this->organizationController = $organizationController;
+  }
+
+  /**
+   * Overrides AppGroup scopes if necessary.
+   *
+   * @param array $originalScopes
+   *   The original scopes.
+   * @param \Apigee\Edge\Api\Management\Entity\AppCredentialInterface $credential
+   *   The credential.
+   * @param string $ownerId
+   *   The owner id.
+   * @param string $appName
+   *   The app name.
+   */
+  public function overrideScopes(array $originalScopes, AppCredentialInterface $credential, string $ownerId, string $appName): void {
+    if (!$this->organizationController->isOrganizationApigeeX()) {
+      return;
+    }
+
+    $client = $this->sdkConnector->getClient();
+    $organization = $this->sdkConnector->getOrganization();
+    $controller = new AppGroupAppCredentialController($organization, $ownerId, $appName, $client);
+    $controller->overrideAppGroupScopes($credential->getConsumerKey(), $originalScopes);
+  }
+
+}
diff --git a/src/Entity/Controller/AppCredentialControllerBase.php b/src/Entity/Controller/AppCredentialControllerBase.php
index 804a21e71..addd769f9 100644
--- a/src/Entity/Controller/AppCredentialControllerBase.php
+++ b/src/Entity/Controller/AppCredentialControllerBase.php
@@ -116,7 +116,17 @@ public function __construct(string $owner, string $app_name, SDKConnectorInterfa
    * {@inheritdoc}
    */
   public function addProducts(string $consumer_key, array $api_products): AppCredentialInterface {
+    // Keep the original scopes from before the products are added.
+    $originalScopes = [];
+    if ($this->getAppType() === 'team') {
+      $originalScopes = $this->load($consumer_key)->getScopes();
+    }
     $credential = $this->decorated()->addProducts($consumer_key, $api_products);
+    if ($this->getAppType() === 'team' && !empty($originalScopes) && \Drupal::hasService('apigee_edge_teams.app_group_scope_manager')) {
+      $app_group_scope_manager = \Drupal::service('apigee_edge_teams.app_group_scope_manager');
+      $app_group_scope_manager->overrideScopes($originalScopes, $credential, $this->owner, $this->appName);
+    }
+
     $this->eventDispatcher->dispatch(
       new AppCredentialAddApiProductEvent($this->getAppType(), $this->owner, $this->appName, $credential, $api_products),
       AppCredentialAddApiProductEvent::EVENT_NAME