diff --git a/CHANGELOG.md b/CHANGELOG.md
index 41c4b52d6..30fee6fb9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,6 @@
 Unreleased
 ----------
+* Move covered scopes check into user access strategy [#1600](https://github.com/Shopify/shopify_app/pull/1600)
 * Add configuration option for user access strategy [#1599](https://github.com/Shopify/shopify_app/pull/1599)
 * Fixes a bug with `EnsureAuthenticatedLinks` causing deep links to not work [#1549](https://github.com/Shopify/shopify_app/pull/1549)
 * Ensure online token is properly used when using `current_shopify_session` [#1566](https://github.com/Shopify/shopify_app/pull/1566)
diff --git a/lib/shopify_app/access_scopes/noop_strategy.rb b/lib/shopify_app/access_scopes/noop_strategy.rb
index 4001d8ba3..1281e2c36 100644
--- a/lib/shopify_app/access_scopes/noop_strategy.rb
+++ b/lib/shopify_app/access_scopes/noop_strategy.rb
@@ -7,6 +7,10 @@ class << self
 def update_access_scopes?(*_args)
 false
 end
+
+ def covers_scopes?(*_args)
+ true
+ end
 end
 end
 end
diff --git a/lib/shopify_app/access_scopes/user_strategy.rb b/lib/shopify_app/access_scopes/user_strategy.rb
index e8e0a19f5..18b23ac4a 100644
--- a/lib/shopify_app/access_scopes/user_strategy.rb
+++ b/lib/shopify_app/access_scopes/user_strategy.rb
@@ -12,6 +12,11 @@ def update_access_scopes?(user_id: nil, shopify_user_id: nil)
 "#update_access_scopes? requires user_id or shopify_user_id parameter inputs")
 end
 
+ def covers_scopes?(current_shopify_session)
+ # NOTE: this not Ruby's `covers?` method, it is defined in ShopifyAPI::Auth::AuthScopes
+ current_shopify_session.scope.to_a.empty? || current_shopify_session.scope.covers?(ShopifyAPI::Context.scope)
+ end
+
 private
 
 def update_access_scopes_for_user_id?(user_id)
diff --git a/lib/shopify_app/controller_concerns/login_protection.rb b/lib/shopify_app/controller_concerns/login_protection.rb
index bcd17e61c..bb55b481d 100644
--- a/lib/shopify_app/controller_concerns/login_protection.rb
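Review bot: `covers_scopes?` in NoopStrategy answers `true` for every session, so once `activate_shopify_session` delegates to the configured strategy (the login_protection.rb hunk) an app on this strategy never has a session cleared for lacking the scopes in `ShopifyAPI::Context.scope` — a check that previously ran for every app regardless of strategy. If that is intended for apps that do not track per-user scopes, the method should say so; I cannot tell from here whether NoopStrategy is the default configuration, which would make this a silent fail-open change for existing installs. Suggested comment above the method: `# Scope coverage is not tracked under this strategy, so every session is treated as sufficient; apps that need re-auth when required scopes change must use UserStrategy.` The enclosing `class << self` block starts outside the hunk.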
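Review bot: The `scope.to_a.empty?` short-circuit in the new `covers_scopes?` fails open: a session with no recorded scopes is treated as covering everything in `ShopifyAPI::Context.scope`, so the caller never clears it or forces re-auth. That branch is carried over from the code being moved, but now that this method is the single place the decision lives it should state why that is acceptable (presumably sessions persisted before scopes were stored — confirm), e.g. `# An empty scope list means the stored session predates scope tracking; treat it as covering (fail open) rather than forcing re-auth.` The NOTE line reads `this not Ruby's` and should be `this is not Ruby's`, and the over-long body line could be split as `scopes = current_shopify_session.scope` / `scopes.to_a.empty? || scopes.covers?(ShopifyAPI::Context.scope)`. The `update_access_scopes?` method at the top of the hunk begins outside it.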
+++ b/lib/shopify_app/controller_concerns/login_protection.rb
@@ -29,9 +29,7 @@ def activate_shopify_session
 return redirect_to_login
 end
 
- unless current_shopify_session.scope.to_a.empty? ||
- current_shopify_session.scope.covers?(ShopifyAPI::Context.scope)
-
+ unless ShopifyApp.configuration.user_access_scopes_strategy.covers_scopes?(current_shopify_session)
 clear_shopify_session
 return redirect_to_login
 end
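Review bot: The replacement condition calls `covers_scopes?` on whatever `ShopifyApp.configuration.user_access_scopes_strategy` returns, but only the two shipped strategies gain that method in this change; if the option added in #1599 accepts an arbitrary strategy object (not visible here), such a strategy would now raise NoMethodError on every protected action rather than falling back to the old inline check. The new contract should be documented where the option is described and at the call site, e.g. `# The configured strategy must implement covers_scopes?(session); see ShopifyApp::AccessScopes::UserStrategy.` Note also that this is only a pure refactor for strategies that preserve the old empty-scope short-circuit — NoopStrategy instead returns true unconditionally, so the scope check is effectively disabled for apps on it. `activate_shopify_session` begins before the hunk.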