I'm really hoping someone can explain why admin consent is required in our situation and, if possible, how we can avoid it. The following is a simplified version of our normal application in which I was able to reproduce the issue.
I control two tenants: T1, used for development and where all app registrations/resources live, and T2, where I have control over all user settings and which we use for testing multi-tenancy.
In T1 I've registered two app registrations named 'app-frontend' and 'app-api'. Both have a required permission on User.Read on Graph. In addition, app-api exposes an (admin and users) scope that is set as a required permission for app-frontend. App-frontend is also registered as a known client application on app-api.
Now the behavior we would expect is that when a first-time user requests a token for app-frontend, they are asked for consent and given a token after accepting. When testing with users from T2, though, this results in a 'Need admin approval' error for any non-admin account. When the required permission from app-frontend to app-api is removed, consent works fine for non-admin users.
I've gone through a number of answers on here to try and figure out why admin consent seems to be required here, but none of the suggested answers/reasons seem to apply in our case. To summarize:
- The setting 'Users can register applications' is on in T2.
- The setting 'Users can consent to apps accessing company data on their behalf' is on in T2.
- User assignment is not required (for either app registration).
- No other permissions are required by either app registration (so no application permissions are involved).
- The problem appears for requests to both the v1 and v2 endpoints.
Most of these I would expect to also cause admin consent to be required when the only permission on app-frontend is User.Read, but the problem only appears when the required permission to the scope from app-api is present.
If any other info is required I would be happy to provide it; I've been stuck on figuring this out for quite a while now.
Update: Screenshots of the app permissions set on both registrations.
Front end app registration: (screenshot)
Api app registration: (screenshot)