I would like to have the option to use the Microsoft 365 channel with disabled user consent in Azure AD.
It is a recommended security best practice from Microsoft to disable user consent in Azure AD to prevent OAuth2 phishing, but currently using only admin consent will not work, because the call to the /authorize endpoint explicitly uses prompt=consent.
It should be possible to set a configuration option to switch between the two modes.
Depending on the configuration option, the request in lib/external_credential/microsoft365.rb needs to be either “consent” (for user consent) or “select_account” for admin consent (with disabled user consent). Currently it is hard-coded to “consent”.
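
A sketch of the requested switch, added here as an example and not taken from lib/external_credential/microsoft365.rb or any project code. The setting values 'user' and 'admin', the helper names, and the sample client id and redirect URI are assumptions; the endpoint is the Microsoft identity platform v2.0 authorize URL.

```ruby
require 'uri'
require 'securerandom'

# Hypothetical setting values (assumption): map the consent mode to the
# prompt parameter sent to the /authorize endpoint.
PROMPT_BY_CONSENT_MODE = {
  'user'  => 'consent',        # user consent enabled: the currently hard-coded value
  'admin' => 'select_account'  # user consent disabled, admin consent used instead
}.freeze

AUTHORIZE_ENDPOINT = 'https://login.microsoftonline.com/%<tenant>s/oauth2/v2.0/authorize'

# Fail closed on an unknown mode instead of silently falling back to "consent".
def prompt_for(consent_mode)
  PROMPT_BY_CONSENT_MODE.fetch(consent_mode.to_s) do
    raise ArgumentError, "unknown consent mode #{consent_mode.inspect}"
  end
end

# Build the authorization request URL with the prompt chosen by configuration.
def authorize_url(client_id:, redirect_uri:, scope:, consent_mode:,
                  tenant: 'common', state: SecureRandom.hex(16))
  uri = URI(format(AUTHORIZE_ENDPOINT, tenant: URI.encode_www_form_component(tenant)))
  uri.query = URI.encode_www_form(
    client_id: client_id,
    response_type: 'code',
    redirect_uri: redirect_uri,
    scope: Array(scope).join(' '),
    state: state,
    prompt: prompt_for(consent_mode)
  )
  uri.to_s
end

# Decode the query string again, e.g. to check which prompt a request carries.
def query_params(url)
  URI.decode_www_form(URI(url).query).to_h
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, not real credentials.
  puts authorize_url(client_id: '00000000-0000-0000-0000-000000000000',
                     redirect_uri: 'https://helpdesk.example.com/callback',
                     scope: %w[openid offline_access],
                     consent_mode: 'admin')
end
```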