Auto_approve_email_domains still showing login.wait_approval screen

I have configured our hosted instance to auto approve users who first log in using Office365 from an internal account, and this in itself works fine and works for returning users, but on sign-up/first login they are still presented with the login.wait_approval message, which has confused some as there was no further approval email or notice sent to us admins and going through login again worked fine as expected.

I am going to update the text to hint to new users that if they are internal then they should just log in again, but it feels wrong.

Is this something that could change so that an auto-approved account just drops through to the main home screen?

I don’t think this is the expected behaviour. My understanding is that if the must approve users setting is enabled, and a user registers on the site with an email domain that has been added to the auto approve email domains site setting, the user should be automatically logged into the site. The wait_approval message should not be displayed for these users.

Do you know how the users are registering on the site? I’m wondering if the issue is related to the users signing up for the site via a social login method. When I test this on my own site with username/password registration it is working in the way I expect it to and the approval message is not displayed to the users.

I added my personal domain to the approved list for testing. The four external auth methods so far configured - Facebook, GitHub, LinkedIn and Office365 - all gave the same result, as above.

Signing up manually resulted in a requirement to validate my email which went as expected and that logged me in. I want to avoid this step if possible.

External auth methods pass in a trusted email address and don’t require validation, which is what I wanted - but they present the unwanted (and incorrect) awaiting approval screen.

I have read through all the config options I can find and only “auth_immediately” sounds related but that says it only applies if there is exactly one external auth method.

I should note that this is not critical - the problem only applies to internal users while we set up and then we will remove the approval requirement for external users anyway. It’s more an annoyance.