@Roland Vaughn, if you have provided delegated permissions which do not require admin consent, but when the user tries to log in it still asks the user to log in with an admin account, this is expected to happen to some apps if they meet the criteria. This is documented as one of the "unexpected consent errors" here: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-sign-in-unexpected-user-consent-error#requesting-not-authorized-permissions-error
- AADSTS90093: <clientAppDisplayName> is requesting one or more permissions that you are not authorized to grant. Contact an administrator, who can consent to this application on your behalf.
- AADSTS90094: <clientAppDisplayName> needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.
We termed those permissions illicit permissions, and if the control in the backend identifies any of those permissions which look illicit, it would ask the user to get admin consent for the delegated permissions too.
That said, if this is a valid, non-malicious app we do want to make sure the developer is not blocked on this going forward. In order to get them unblocked immediately, the consent request can be sent to an admin for review and potential approval.
In this case, an audit event will also be logged with a Category of "ApplicationManagement", Activity Type of "Consent to application" and Status Reason of "Risky application detected".
We have a bug right now where the Status Reason shows up as a long value, but it's very obvious that it correlates to this specific behavior. The current status reason will be "Microsoft.Online.Security.UserConsentBlockedForRiskyAppsException".
This is a default behavior now for OAuth Apps seeking User Consent based on the update pushed for all the tenants as a part of the security measure.
Hope this helps.
Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.
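
The audit event described in the answer above can be searched for in an exported audit log. The following is an added example, not part of the original answer or Microsoft's own code; it assumes the records are in the Microsoft Graph `directoryAudit` JSON shape (`category`, `activityDisplayName`, `resultReason`), and the sample records, user names and app names are constructed.

```python
# Status Reason values quoted in the answer: the intended short text and the
# long exception name that currently shows up in its place.
RISKY_REASONS = (
    "Risky application detected",
    "Microsoft.Online.Security.UserConsentBlockedForRiskyAppsException",
)

def find_risky_consent_blocks(records):
    """Return one summary dict per user consent attempt blocked as risky."""
    hits = []
    for rec in records:
        if rec.get("category") != "ApplicationManagement":
            continue
        if rec.get("activityDisplayName") != "Consent to application":
            continue
        reason = rec.get("resultReason") or ""
        if not any(r.lower() in reason.lower() for r in RISKY_REASONS):
            continue
        user = (rec.get("initiatedBy") or {}).get("user") or {}
        targets = rec.get("targetResources") or [{}]
        hits.append({
            "time": rec.get("activityDateTime"),
            "user": user.get("userPrincipalName"),
            "app": targets[0].get("displayName"),
            "reason": reason,
        })
    return hits

def make_record(time, upn, app, category, reason):
    """Build a constructed record in the assumed directoryAudit shape."""
    return {"category": category, "activityDisplayName": "Consent to application",
            "activityDateTime": time, "resultReason": reason,
            "initiatedBy": {"user": {"userPrincipalName": upn}},
            "targetResources": [{"displayName": app}]}

# Constructed sample export (not real tenant data).
SAMPLE = [
    make_record("2024-01-01T10:00:00Z", "alice@contoso.example", "Example Mail Sync",
                "ApplicationManagement",
                "Microsoft.Online.Security.UserConsentBlockedForRiskyAppsException"),
    make_record("2024-01-01T11:00:00Z", "bob@contoso.example", "Example Notes App",
                "ApplicationManagement", "Risky application detected"),
    make_record("2024-01-01T12:00:00Z", "carol@contoso.example", "Example Calendar",
                "ApplicationManagement", ""),  # consent that was not blocked
    make_record("2024-01-01T13:00:00Z", "dave@contoso.example", "Example Other",
                "UserManagement", "Risky application detected"),  # wrong category
]

if __name__ == "__main__":
    for hit in find_risky_consent_blocks(SAMPLE):
        print(hit)
```

Matching on both reason strings keeps the search working whether or not the long Status Reason value is still being logged.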