What is the expected default or Microsoft recommended Admin Consent policy?

Question

I am trying to create a multitenant supporting client program that allows sending Teams chat or channel messages to channels or chats a user is a member of. For that I need various Microsoft Graph delegated permission scopes such as:

• Channel.ReadBasic.All
• Team.ReadBasic.All
• ChatMessage.Send

For these basic permissions, however, despite them being listed as "Admin Consent Required = No", a user is still prompted for Admin Consent. The app is also a Verified Publisher. I believe this is because the settings for our local tenant are "Allow user consent for apps from verified publishers, for selected permissions"... and the only permissions listed there are profile, email, openid, and User.Read. See: https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/publisher-verification-and-app-consent-policies-are-now/ba-p/1257374

My questions are:

• Is that indeed the expected behavior for that consent policy?
• Is this the default and/or Microsoft recommended consent policy for tenants? What can most admins/users expect to see?

Answer 1

Hi @Hill, Tim,

can you please check if the issue is related with Do not allow user consent tab in the Consent and permissions, all applications must require the administrator’s consent. please check and follow the below steps:

For more information please refer: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent?pivots=portal#configure-user-consent-settings

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".