I recently tried to reproduce the issue to provide a guideline how to configure Azure AD to allow the user to consent on their to using the Dynatrace application and thus being able to log in through "Sign in with Microsoft". It seems that the Azure administrator has to change the "Enterprise applications" -> "Consent and permissions" to "Allow user consent for apps from verified publishers". We have made sure that our application is verified, so this option applies.

Then, we require the following "low impact" API permissions to be allowed to be constented to by users:

- offline_access

- openid

- profile

- email

They are required, because Dynatrace SSO has to be able to access basic information about the user, who is logged in to Azure to create a session in Dynatrace as well.

Once the permissions are configured, this is how the "Consent and permissions" screen would look like.

This should allow all users from your Azure tenant to log in and instead of "Need admin approval", there should be a message that shows the "Permissions requested" and an "Accept" button, which would finalize the login in Dynatrace SSO.

Note that this consent screen is shown only once for each user, who decides to access Dynatrace through the "Sign in with Microsoft" option.

As far as I was able to figure out in Azure, the consent and API permission options cannot be set per application (e.g. only for Dynatrace), but apply either to all verified applications or the constent has to be approved by the admin. I would suggest to contact Azure's support directly, if the organization cannot agree to set it up as proposed above, to get the any possible alternative solutions.