We would like to use Azure AD as our authentication and authorization framework for all APIs, however, one issue we believe we have run into is the requirement that an Administrator must approve all Application only requests (vs the expected below).

Scenario

Our company has two app registrations
- Business API 1
- Scope: Feature.Critical (application role)
- Business API 2

Business API 2 requests Application only Feature.Critical permission of Business API 1.

Expected Result

The Azure AD App Owner(s) of Business API 1 are the SMEs for this permission knowing best what data and functionality may be released. The App Owner(s) should be able to manage the permission of its consumers and approve or deny the request from Business API 2.