Each button below triggers a sign-in against a different app registration in a demo tenant. The apps do nothing with the tokens they receive; this lab exists so you can see what each consent prompt looks like and inspect the claims you just handed out.

User can self-consent
Requests User.Read and the standard OpenID Connect scopes (openid, profile, email).
Classified as low impact. Any user should be able to consent without
involving an administrator, provided the tenant's user consent settings allow consent to permissions classified as low impact and that classification has actually been configured.
Requests Directory.Read.All as a delegated permission. Users cannot grant this
themselves; they are bounced into the admin consent workflow. But note that a
delegated permission is only ever effective to the extent of the signed-in user's
own rights, so the actual data exposure is limited to what that user can already
see in the directory. Admin consent required ≠ high risk.
Requests read/write on mail, files and sites. This is what a genuinely alarming prompt looks like: with these scopes the app can read and modify the user's mailbox, files and SharePoint sites on their behalf. In a real tenant, approving this without scrutiny would be a mistake. The lesson: read the scope list every time, not just the app name.
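To make "read the scope list every time" concrete, here is an added example (not part of this lab's own code) that decodes the access token a button hands back, pulls the delegated scopes out of the `scp` claim and sorts them into the same three buckets the cards above describe. The classification table, the placeholder client ids and the sample tokens are constructed for the example and are not read from any tenant; the decoder deliberately skips signature verification because it inspects a token you were just issued rather than accepting one from a caller.

```python
import base64
import json

# Example classification for this lab. User.Read and the OpenID Connect scopes
# match what Entra ID recommends as low impact; the other two buckets are this
# script's own assumptions, not settings read from a tenant.
LOW_IMPACT = {"openid", "profile", "email", "offline_access", "User.Read"}
ADMIN_CONSENT_ONLY = {"Directory.Read.All"}          # delegated form
HIGH_IMPACT_PREFIXES = ("Mail.ReadWrite", "Files.ReadWrite", "Sites.ReadWrite")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWS WITHOUT checking its signature.

    Fine for inspecting a token you were just issued; never a substitute
    for full validation before an API trusts a token it receives.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def delegated_scopes(claims: dict) -> list:
    # Delegated tokens carry space-separated scopes in 'scp'.
    # App-only tokens carry application permissions in 'roles' instead.
    return claims.get("scp", "").split()


def classify(scope: str) -> str:
    if scope in LOW_IMPACT:
        return "low"
    if scope in ADMIN_CONSENT_ONLY:
        return "admin-consent"
    if scope.startswith(HIGH_IMPACT_PREFIXES):
        return "high"
    return "unclassified"


def verdict(report: dict) -> str:
    kinds = set(report.values())
    if not kinds:
        return "no delegated scopes in 'scp' (app-only token? check 'roles')"
    if kinds == {"low"}:
        return "low impact: user can self-consent"
    if "high" in kinds:
        return "high impact: read/write on mail, files or sites; scrutinise before approving"
    if "admin-consent" in kinds:
        return "admin consent required; exposure still bounded by what the signed-in user can see"
    return "unclassified scopes present: read the scope list"


def assess(token: str) -> dict:
    claims = jwt_claims(token)
    report = {s: classify(s) for s in delegated_scopes(claims)}
    return {
        # v1 tokens name the client in 'appid', v2 tokens in 'azp'
        "app": claims.get("appid") or claims.get("azp"),
        "scopes": report,
        "verdict": verdict(report),
    }


def make_unsigned_token(claims: dict) -> str:
    # Constructed stand-in for a real token: the signature segment is a
    # placeholder, which is fine because jwt_claims never checks it.
    header = _b64url_encode(b'{"alg":"RS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed sample tokens for the three lab apps; client ids are placeholders.
SAMPLE_TOKENS = {
    "self-consent": make_unsigned_token(
        {"appid": "00000000-0000-0000-0000-000000000001",
         "scp": "openid profile email User.Read"}),
    "admin-consent": make_unsigned_token(
        {"appid": "00000000-0000-0000-0000-000000000002",
         "scp": "openid User.Read Directory.Read.All"}),
    "alarming": make_unsigned_token(
        {"azp": "00000000-0000-0000-0000-000000000003",
         "scp": "openid Mail.ReadWrite Files.ReadWrite.All Sites.ReadWrite.All"}),
}

if __name__ == "__main__":
    for name, tok in SAMPLE_TOKENS.items():
        result = assess(tok)
        print(f"[{name}] app={result['app']}")
        for scope, kind in result["scopes"].items():
            print(f"    {scope:<24} {kind}")
        print(f"    -> {result['verdict']}")
```

Paste a real token from one of the buttons into `assess()` and the `scp` line is the same scope list the consent prompt showed you; an empty `scp` with a populated `roles` claim means you are holding an app-only token, which no consent prompt in this lab issues.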