Fix steps in parameter description

The parameter descriptions should refer to the ones obtained in the previous, first, step instead of referring to the current, second, step.

Author: ferDMS

concepts/auth-v2-user.md

@@ -153,9 +153,9 @@ curl --location --request POST 'https://login.microsoftonline.com/{tenant}/oauth
 | tenant        | Required              | The `{tenant}` value in the path of the request can be used to control who can sign into the application. The allowed values are: <br><li>`common` for both Microsoft accounts and work or school accounts <li>`organizations` for work or school accounts only <li>`consumers` for Microsoft accounts only <li>tenant identifiers such as the tenant ID or domain name. <br/>For more information, see [protocol basics](/azure/active-directory/develop/active-directory-v2-protocols#endpoints). |
 | client_id     | Required              | The Application (client) ID that the [registration portal](https://go.microsoft.com/fwlink/?linkid=2083908) assigned the app. Also referred to as **appId** in the Microsoft Graph application and service principal object.                                                                                                                                                                                                                                                                                                                                                                                |
 | grant_type    | Required              | Must be `authorization_code` for the authorization code flow.                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| scope         | Required              | A space-separated list of scopes. The scopes that your app requests in this leg must be equivalent to or a subset of the scopes that it requested in the authorization leg in Step 2. If the scopes specified in this request span multiple resource servers, then the v2.0 endpoint returns a token for the resource specified in the first scope.                                                                                                                                                                   |
-| code          | Required              | The authorization **code** that you acquired in the authorization leg in Step 2.                                                                                                                                                                                                                                                                                                                                                                                                                               |
-| redirect_uri  | Required              | The same redirect URI value that was used to acquire the authorization **code** in Step 2.                                                                                                                                                                                                                                                                                                                                                                                                                         |
+| scope         | Required              | A space-separated list of scopes. The scopes that your app requests in this leg must be equivalent to or a subset of the scopes that it requested in the authorization leg in Step 1. If the scopes specified in this request span multiple resource servers, then the v2.0 endpoint returns a token for the resource specified in the first scope.                                                                                                                                                                   |
+| code          | Required              | The authorization **code** that you acquired in the authorization leg in Step 1.                                                                                                                                                                                                                                                                                                                                                                                                                               |
+| redirect_uri  | Required              | The same redirect URI value that was used to acquire the authorization **code** in Step 1.                                                                                                                                                                                                                                                                                                                                                                                                                         |
 | client_secret | Required for web apps | The client secret that you created in the app registration portal for your app. It shouldn't be used in a native app, because client secrets can't be reliably stored on devices. It's required for web apps and web APIs, which have the ability to store the client_secret securely on the server side.                                                                                                                                                                                  |
 
 ### Token response