Sign ins requests are using Microsoft Graph as a resource while not requested

Describe the bug Our application is a B2B application, our customers are large companies, they use Microsoft as an identity provider for their employees.

Our application is using the latest version of the MSAL library to let employees authenticate with their Microsoft account, we then provide the access token to our backend so the user can be authenticated within our product. After that, we don’t use the MSAL SDK or the access token to do anything from the mobile app. We don’t even need to refresh the token. We provide the scope openid (the default scopes profile and offline_access are then added to our sign in request by the MSAL Library via the common library).

This works fine for most customers. Except we have some customers who are blocking Microsoft Graph resource from being used and that prevent their employees to connect. When looking at our sign in requests, we’ve found out that Microsoft Graph is used a resource in our sign in requests while we didn’t request it or used anything that could lead to that.

We tried to use the sample and remove the call to Microsoft Graph, sign in requests to the Azure application configured in the sample are also recognised as using Microsoft Graph API, when putting our configuration in the manifest and the json configuration we also still have the resource Microsoft Graph API used… Our customers can’t sign in…

This issue is happening on the MSAL Library for objective C as well.

We think that the MSAL library is doing something that make it use the Microsoft Graph API, do you have any information about that? Is it normal? Is it possible to disable that on our side?

Smartphone (please complete the following information):

• Device: any devices
• Android Version: from API Level 23 to 30
• Browser: tested with Chrome & Edge as default browser
• MSAL Version: latest version (2.0.6)

To Reproduce Steps to reproduce the behavior:

1. Use the provided sample project: ms-identity-android-kotlin-master-edited.zip (it is the official Kotlin sample project but with the openid scope forced and the call to graphApi disabled.
2. Sign in with any Microsoft account
3. Go to the administration
4. Find you user
5. Go to Sign-ins
6. Check that the sign-in request is using the Microsoft Graph API as a resource

Expected behavior Sign-ins with MSAL library that don’t use Microsoft Graph API directly shouldn’t use Microsoft Graph API.

Actual Behavior Any sign-ins with MSAL library that use Microsoft Graph API as a resource.

Screenshots The sign in request that use Microsoft Graph: