You have correctly identified the issue here, the "assignment" functionality currently clashes with consent requirements. Microsoft is aware of this and will likely address it in a future update.
This app requires your admin's approval to
Hello.
I have a similar problem to the one many people have when using App Registrations and Enterprise Apps: the login fails with a message requiring admin consent, even though things are configured so that a user should be able to consent.
My settings all indicate that no admin consent should be needed.
- The Tenant is configured to allow users to consent for verified publishers, for selected permissions.
- The Microsoft Graph Scopes for various permissions are classified as low.
- My App Registration and Enterprise App are both in the same tenant defining those settings above.
- My App Registration defines various permissions as delegated and no consent required.
- The Enterprise App has "Assignment required?" set to "Yes" as only selected users should have access.
- The Enterprise App has users and groups assigned with the "Default Access" role (users directly in groups).
- The software triggering the login uses ASP.NET Core with OpenID, using the following settings:
  - Metadata Address: OpenID Connect metadata document as per Endpoints on the App Registration
  - ClientID: as shown in the Application (client) ID of the App Registration
  - Client Secret: added under Certificates & secrets
  - Authentication: HTTPS URI of the app added under Web > Redirect URIs
  - Response Type: code
  - Response Mode: query
  - Scopes: openid profile
The users can consent themselves if "Assignment required?" is set to "No". But IMO that setting shouldn't influence the consent check. I want users to consent themselves, assuming they are granted access by assigning them via users and groups.
After login via "Assignment required? No" I see the User consent:
I technically could add my own API scope and implement further authorization in my app. But this feels like double the effort.
What am I missing here?
Kind Regards
Daniel
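For reference, here is an ASP.NET Core OpenID Connect registration that matches the settings listed in the question. This is an added example, not Daniel's code: the tenant id, client id and callback path are placeholders, the client secret is assumed to come from configuration (user secrets or Key Vault) rather than the source file, and the `OnRemoteFailure` handler is included so that the identity provider's error code (for example the consent or assignment error being discussed) lands in the application log instead of a generic failure page.

```csharp
// Added example (not the asker's code): minimal ASP.NET Core app wiring
// OpenID Connect against an Entra ID / Azure AD app registration with the
// settings from the question. Requires the
// Microsoft.AspNetCore.Authentication.OpenIdConnect package.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        // Metadata Address: the OpenID Connect metadata document URL shown under
        // Endpoints on the app registration. <tenant-id> is a placeholder.
        options.MetadataAddress =
            "https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration";

        // ClientID: the Application (client) ID of the app registration (placeholder).
        options.ClientId = "<application-client-id>";

        // Client Secret: created under Certificates & secrets. Read from
        // configuration so it is never committed with the code (assumed key name).
        options.ClientSecret = builder.Configuration["AzureAd:ClientSecret"];

        // Authentication: the HTTPS redirect URI registered under Web > Redirect URIs
        // is assumed to be https://<your-host>/signin-oidc, so the path must match.
        options.CallbackPath = "/signin-oidc";

        // Response Type: code, Response Mode: query (authorization code flow).
        options.ResponseType = OpenIdConnectResponseType.Code;
        options.ResponseMode = OpenIdConnectResponseMode.Query;

        // Scopes: openid profile only; no Microsoft Graph scopes are requested here.
        options.Scope.Clear();
        options.Scope.Add("openid");
        options.Scope.Add("profile");

        // The v2.0 id_token carries the display name in the "name" claim.
        options.TokenValidationParameters.NameClaimType = "name";

        // Log the provider's error (error / error_description from the redirect)
        // so a consent or assignment failure can be triaged from the app log.
        options.Events = new OpenIdConnectEvents
        {
            OnRemoteFailure = ctx =>
            {
                ctx.HttpContext.RequestServices
                    .GetRequiredService<ILogger<Program>>()
                    .LogWarning("OIDC sign-in failed: {Error}", ctx.Failure?.Message);
                ctx.Response.Redirect("/login-failed");
                ctx.HandleResponse();
                return Task.CompletedTask;
            }
        };
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Any request to "/" triggers the OIDC challenge when the user is not signed in.
app.MapGet("/", (HttpContext ctx) => $"Signed in as {ctx.User.Identity?.Name}")
   .RequireAuthorization();
app.MapGet("/login-failed", () => "Sign-in failed; see the application log.");
app.Run();
```

With this in place, a failed sign-in caused by the tenant's consent or assignment settings shows up in the log as the provider's error text rather than as an unexplained redirect loop, which makes it easy to tell an app-side configuration mistake apart from the tenant-side behaviour described in the question.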