The custom directory role needs to include the permission to grant permissions to applications, as noted in the prerequisites. There appears to be a current issue with the Graph Powershell cmdlet and the 'delegated, application' permission type. These need to be included in the app consent policy in order for the user to grant the admin consent. I have reached out to the engineering team to confirm about this issue, as I am also seeing the same behavior and it doesn't appear to be documented. You need to use the following settings to grant both delegated and application consent:
New-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId "Delegate-Consent-AdminPolicy" -PermissionType "delegated " -PermissionClassification "all" -ClientApplicationsFromVerifiedPublisherOnly:$false
New-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId "Delegate-Consent-AdminPolicy" -PermissionType "application" -PermissionClassification "all" -ClientApplicationsFromVerifiedPublisherOnly:$false
(The current logic expects these to be granted separately, which is why you need the two separate commands.)
By design the Global admin can see an additional control on the traditional consent prompt that will allow to granting consent on behalf of the entire tenant. https://learn.microsoft.com/en-us/entra/identity-platform/application-consent-experience#common-scenarios-and-consent-experiences
When you assign the custom role, you can consent on behalf of a single user by Powershell, workflow consent, or MS Graph. For the app registration you need the additional permissions to Grant Admin consent, but these cannot be added to a custom role by design.
Users with the "microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-company-admin" permission should be able to grant admin consent on behalf of all, but it looks like this may only grant permission on behalf of the single user and there is the additional step required to grant the delegated and app permissions in the app consent policy via New-MgPolicyPermissionGrantPolicyInclude .
Let me know if this helps and I will also update this thread when I have more information from the engineering team. https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-consent-permissions#granting-permissions-to-apps-on-behalf-of-all-admin-consent