I have an application using MS Entra authentication using OpenIdConnect. It's deployed on Azure. My Azure App is configured as multi-tenant [Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)]. I do not have any Token configurations. API permission is User.Read.
When external users try to log in using their SSO, they are prompted with an Approval Request. Is there any way to stop the admin approval and (maybe with self-approval) proceed to my application?
AzureSettings:
"AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "organizations",
    "ClientId": " - - - - ",
    "ClientSecret": " ~ ",
    "Domain": "domain.onmicrosoft.com",
    "CallbackPath": "/signin-azuread-oidc"
},
If I add the external users as guests to my Azure AD then it appears to be OK, but I'm looking for other options.
Initially, I registered one multi-tenant application and granted User.Read permission of Delegated type as below:
When I tried to log in with a user account from a different tenant (external user), I too got the "Approval required" screen as below:
This happens if the admin of the external user's tenant enabled the below option in the Enterprise Applications tab:
To stop the "Approval required" screen, you need to disable the above option in the external user's organization, logged in as an Admin user, like this:
If you want the user to self-approve the consent screen and proceed to the application, make sure to enable the below option in the external user's organization:
When I tried to log in again with the external user account, I got the consent screen to accept as below, without being asked for a justification:
Reference: Microsoft Social Login Approval Required Popup - Stack Overflow by me
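As an added illustration (not part of the question or the answer above), the Python below reads the two Entra ID policy objects the answer is toggling in the external tenant, in the shape Microsoft Graph returns them (`GET /policies/authorizationPolicy` and `GET /policies/adminConsentRequestPolicy`), and reports which screen an external user will hit for an app that only asks for User.Read. The policy JSON is constructed, and the scope list of the built-in low-risk grant policy is an assumption based on the documented default.

```python
import json

# Delegated permissions that the built-in "microsoft-user-default-low" grant
# policy lets ordinary users consent to themselves (assumption: matches the
# documented default; a tenant admin can customise this policy).
LOW_RISK_DELEGATED = {"openid", "profile", "email", "offline_access", "User.Read"}

# Constructed sample of GET /policies/authorizationPolicy for a tenant where
# user consent is disabled entirely (the state behind the "Approval required" screen).
AUTHZ_POLICY_LOCKED = json.loads('{"defaultUserRolePermissions": '
                                 '{"permissionGrantPoliciesAssigned": []}}')
# Constructed sample after the admin allows user consent for low-risk permissions.
AUTHZ_POLICY_LOW = json.loads('{"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": '
                              '["ManagePermissionGrantsForSelf.microsoft-user-default-low"]}}')
# Constructed samples of GET /policies/adminConsentRequestPolicy (workflow on/off).
WORKFLOW_ON = {"isEnabled": True}
WORKFLOW_OFF = {"isEnabled": False}


def consent_outcome(authz_policy, consent_request_policy, requested_scopes):
    """Return the screen an external user hits on first sign-in to the app."""
    assigned = set(authz_policy.get("defaultUserRolePermissions", {})
                   .get("permissionGrantPoliciesAssigned", []))
    if any(p.endswith("microsoft-user-default-legacy") for p in assigned):
        return "user-consent"           # users may consent to any delegated scope
    if (any(p.endswith("microsoft-user-default-low") for p in assigned)
            and set(requested_scopes) <= LOW_RISK_DELEGATED):
        return "user-consent"           # every requested scope is low-risk
    if consent_request_policy.get("isEnabled", False):
        return "approval-required"      # admin consent workflow: user files a request
    return "needs-admin-approval"       # hard stop until a tenant admin consents


if __name__ == "__main__":
    scopes = ["openid", "profile", "User.Read"]   # what the question's app requests
    for name, pol, wf in [("locked+workflow", AUTHZ_POLICY_LOCKED, WORKFLOW_ON),
                          ("locked", AUTHZ_POLICY_LOCKED, WORKFLOW_OFF),
                          ("low-risk", AUTHZ_POLICY_LOW, WORKFLOW_OFF)]:
        print(f"{name}: {consent_outcome(pol, wf, scopes)}")
```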