microsoftgraph / msgraph-cli-archived

The Microsoft Graph CLI repository has moved. This repository is now an archive.
https://github.com/microsoftgraph/msgraph-cli

msgraph-cli AzureAD App is not in first-party tenant #144

Closed AtOMiCNebula closed 3 years ago

AtOMiCNebula commented 3 years ago

Describe the bug I'm trying to use mg login on v0.1.3, and am still seeing issues logging in with various scopes. I can request User.Read and log in successfully, but requesting Directory.AccessAsUser.All fails with "Need admin approval". I see #59 calling out issues about the AzureAD app being created in the wrong tenant, but it still looks to me to not be correct here (as a MSFT employee, I can see the app is in CORP tenant, not first-party).

To Reproduce
Steps to reproduce the behavior:

  1. mg login --scopes "User.Read,Directory.AccessAsUser.All"
  2. Try to log in via browser.
  3. Get sent to "Need admin approval" dialog

Expected behavior Successfully logged in with requested scopes.

Screenshots: [image]

Additional context Why do I even have to specify what scopes I want at login time, and why can't the CLI just handle this automatically? Azure CLI, the thing you're based on, doesn't require anything like this; we just log in to it. AB#9800

darrelmiller commented 3 years ago

@AtOMiCNebula The MS Graph CLI is registered as a third-party application to enable incremental consent. Incremental consent is essential for a horizontal tool such as this because of the wide range of data that it can access. Use of this tool against the Microsoft production tenant will be very limited because MSIT needs to approve scopes. We have the same challenges in the Microsoft Graph PowerShell SDK.

Azure CLI doesn't have the same requirement to consent applications because Azure doesn't use permission scopes in the same way that Microsoft Graph does because Azure APIs generally don't provide access to M365 user data.