We have an app in Azure AD that uses the Microsoft Graph API. The app is working successfully using 4 basic permissions: email, profile, User.Read, User.ReadBasic.All.
These permissions let normal users (non-admins) OAuth authenticate into our app.
We are now building a feature for admin users that lets them see their groups. The groups scope requires admin consent as per: http://graph.microsoft.io/en-us/docs/authorization/permission_scopes
The sticky point is that if I add the Group.Read.All permission under delegated permissions in Azure AD, this causes normal users to be able to log in with the dreaded error "AADSTS90093: Calling principal cannot consent due to lack of permissions".
I have tried manually crafting OAuth authorize URLs that explicitly request the scope, but that did not work either. Here is a sample URL I used:
https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&redirect_uri=https%3A%2F%2Fl.xxxxxx.com%3A50000%2Fauth%2Fmicrosoft_graph%2Fcallback&client_id=xxxxxx-xxx-xxx-xxx-xxxx&scope=https%3A%2F%2Fgraph.microsoft.com%2Femail%20https%3A%2F%2Fgraph.microsoft.com%2Fprofile%20https%3A%2F%2Fgraph.microsoft.com%2FUser.Read%20https%3A%2F%2Fgraph.microsoft.com%2FUser.ReadBasic.All%20https%3A%2F%2Fgraph.microsoft.com%2FGroup.Read.All
How can I require basic permissions for all users but have admins request additional permissions later on in the application?
Some resources I've already reviewed to no avail:
http://www.mikepackdev.com/blog_posts/2-Dynamically-Requesting-Facebook-Permissions-with-OmniAuth
Switching between web and touch interfaces on Facebook login using Omniauth and Rails 3
https://github.com/zquestz/omniauth-google-oauth2/issues/143
https://azure.microsoft.com/en-us/documentation/articles/active-directory-protocols-oauth-code/