I have the following setup:
AAD Directory A with an app registration. The app registration is marked as a Multi-Tenant app and has no permissions requested per default:
During login my webapp redirects to the Microsoft Login like this (nonce and redirect uri is removed):
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=05f0df69-2f61-4b41-91ff-31656787f9d3
&redirect_uri=https%3A%2F%2F....azurewebsites.net%2Fids%2Foidc-signin-office365auth
&response_type=code%20id_token&scope=openid%20profile%20email%20User.Read%20offline_access%20User.ReadBasic.All
&response_mode=form_post
&nonce=...
The scopes are:
- openid
- profile
- User.Read
- offline_access
- User.ReadBasic.All
My test user is in AAD Directory B (and without any special setting that only admins can consent to an application). When I try to login to my application this is the result:
The scope "User.ReadBasic.All" doesn't require a Admin consent, but somehow when I remove this requested scope the user can just login to the application without any admin consent.
Question is: Why does the admin consent show up with the "User.ReadBasic.All" scope?
The target would be, that a "normal" user can login to our application without hasseling with a tenant wide approval from the administrators. Does the "require admin consent" differ for "Multitenant" applications?