Paul Nearney

Reputation: 6955

Azure AD Consent when adding a permission requiring Admin consent

I have a Desktop application using ADAL to authenticate to a multi-tenanted Azure AD v1 application.

Version 1 of my application only required delegated permissions that didn't require Admin consent:

Version 2 now requires an additional permission, which requires Admin consent:

I've updated the Azure AD app with this permission, and granted admin consent through the Azure AD portal using an admin user homed in the same tenant as the application.

Signing in as a non-admin user who had already consented to the Version 1 permission set (also homed in the same tenant as the application), I don't see the new permission in the "scp" property of the access token I receive - so I'm assuming this means I haven't been given the new permission.

I then try to re-consent as the user, using "prompt=consent", but receive

AADSTS90094: The grant requires admin permission

Implying that admin consent has not been set - although the portal is reporting that it has been set.

From all that I've read, it looks like this should work just fine, so I'm struggling to see what's going wrong. How can I get this working?

Upvotes: 0

Views: 492
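A small diagnostic for the check the question describes (looking for the new permission in the "scp" claim of the access token), added here as an example and not part of the original post or of ADAL. It assumes the v1 permission set was `User.Read` and that "Access directory as the signed in user" is the `Directory.AccessAsUser.All` scope; the sample token is constructed and unsigned, so the helper only inspects claims and must never be used to trust a token.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.
    Suitable only for inspecting a token you already hold (diagnostics),
    never for making an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(token: str) -> set:
    # Delegated permissions appear in 'scp' as one space-separated string.
    # App-only tokens carry 'roles' instead; a missing 'scp' yields an empty set.
    scp = jwt_claims(token).get("scp", "")
    return set(scp.split())


def missing_scopes(token: str, required) -> set:
    # Scopes the client expects but the token does not carry.
    return set(required) - granted_scopes(token)


def _make_unsigned_token(claims: dict) -> str:
    # Constructed sample token (alg "none", empty signature) for offline testing only.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'none'})}.{enc(claims)}."


# Constructed sample: a user who consented to the v1 permission set only.
SAMPLE_TOKEN = _make_unsigned_token({
    "aud": "https://graph.windows.net",
    "tid": "00000000-0000-0000-0000-000000000000",  # placeholder tenant id
    "scp": "User.Read",
})

# Assumed v2 permission set (scope name for "Access directory as the signed in user").
V2_REQUIRED = {"User.Read", "Directory.AccessAsUser.All"}

if __name__ == "__main__":
    print("granted:", granted_scopes(SAMPLE_TOKEN))
    print("missing:", missing_scopes(SAMPLE_TOKEN, V2_REQUIRED))
```

If the missing set is non-empty after a fresh sign-in, the token was issued from the older consent grant and a new consent (user or admin, depending on the permission) is still needed.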

Answers (1)

Scuba Steve

Reputation: 1648

I think this is a configuration issue. First, check that your permission type is following the 'as an application' flow.

The clue here is how you described your permission: " Access directory as the signed in user"

That sounds to me like the 'on behalf of' flow, not the 'as an application' flow.


Upvotes: -2
