I recently revoked admin consent for the Enterprise app 'Apple Internet Accounts', which is required to configure Exchange email accounts on iOS natively. The idea was to have all users consent to permissions themselves rather than give the app access to all users mailboxes, whether they are using iOS or not. However, I'm now receiving approvals to consent as admin.
This is because one of the permissions is not considered 'low impact': "Access mailboxes as the signed-in user via Exchange Web Services".
This is correctly requiring admin consent because of my user consent settings are set to only allow users to consent to verified apps classified as low impact.
What's the correct move here? I want any user to be able to consent to this app, but I don't want to change the impact classification for this permission across all apps tenant wide.