Microsoft missed scope validation on their side while sending an email

Dmytro Maliuta 0 Reputation points
2024-05-21T12:46:59.2633333+00:00

Hi! When you send a request to https://graph.microsoft.com/v1.0/me/sendMail and try to create and send an email, you can do it without the "Mail.Send" and "Mail.ReadWrite" scopes. When your access token doesn't have these permissions, it will create and send a message without these scopes, which can be a security issue.


1 answer

  1. Azizkhon Ishankhonov 275 Reputation points
    2024-05-21T13:21:41.9966667+00:00

    Hi

    I tried with two accounts and two different Entra applications.

    The first one was without MFA and had previously been used by the registered application, and API permission was granted. Yes, it gives all consent granted before, even if the permission was deleted.

    The second account has not been used before by a registered application (same app as the 1st), and the token does not contain extra scopes.

    The third test case was a new application on Entra with an account without MFA. When I tried to get the token with the "openid" scope (which was granted by default), it required admin consent to use this application.

    Overall, I can say that it might be a cache or misconfiguration. You can try later whether it still permits you even after deletion, or the admin consent for this application should be revoked.
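A first diagnostic for the behaviour reported in the question is to look at what the access token actually carries: if earlier consent is still reflected in the token, as the answer describes, the `scp` (delegated) or `roles` (app-only) claim will still list `Mail.Send`, and Graph is enforcing exactly what the token says. This is an added example, not code from the question or the answer; it assumes the token is a JWS compact-form JWT and constructs two unsigned sample tokens inline.

```python
import base64
import json

# Permission that the Graph sendMail documentation lists for delegated and app-only calls.
SEND_MAIL_PERMISSION = "Mail.Send"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature.

    Diagnostic use only: Graph validates the token itself, so the client only
    needs to read the claims to see which permissions were issued.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact token (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims: dict) -> set:
    """Collect permissions from 'scp' (space-separated, delegated) and 'roles' (app-only)."""
    perms = set(claims.get("scp", "").split())
    perms.update(claims.get("roles", []))
    return perms


def can_send_mail(token: str) -> bool:
    """True only if the token carries Mail.Send; Mail.ReadWrite alone does not cover sendMail."""
    return SEND_MAIL_PERMISSION in granted_permissions(decode_claims(token))


def _make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned test token (alg 'none', empty signature segment)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample tokens (not real Entra tokens): one with only the read/write scope,
# one that also carries Mail.Send as a previously consented permission would.
TOKEN_READWRITE_ONLY = _make_unsigned_token({"aud": "https://graph.microsoft.com", "scp": "Mail.ReadWrite openid"})
TOKEN_WITH_SEND = _make_unsigned_token({"aud": "https://graph.microsoft.com", "scp": "Mail.ReadWrite Mail.Send"})
```

Run `can_send_mail()` on the token the app actually used for `/me/sendMail`; if it returns True, the send succeeded because consent persisted in the token, which is the revocation case the answer points at.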