I downloaded the Azure sample to 'Build a multi-tenant daemon with the v2.0 endpoint' from here: https://github.com/Azure-Samples/active-directory-dotnet-daemon-v2
I registered the application in apps.dev.microsoft.com, set the Application Permission scope to User.Read.All, and replaced the Application ID and generated password secret in Startup.Auth.cs in the code.
The sample code runs fine, except that the admin consent grant does not seem to work.
The code in AccountController.RequestPermissions() successfully builds and sends an admin consent request. The consent page displays the correct scope: "Read all users' full profiles". After providing consent, I am redirected to https://localhost:44316/Account/GrantPermissions?admin_consent=True&tenant=my-tenant-id, showing that the grant was successful. I also see the app show up in my Enterprise Applications on the Azure portal after that.
However, the call to https://graph.microsoft.com/v1.0/users in UsersController.Index still results in a '403 Forbidden'. The error detail in Fiddler shows:
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation."
The JWT Bearer token in that request holds my correct tenant-id and a single role: "User.Read.All".
My account is global administrator of this tenant, and it can query users on graph.microsoft.io.
This response dating June 30 suggests it is not yet possible to use admin_consent with App Model v2. The sample I downloaded however dates from late September and shows exactly this scenario, so I was hoping it is meanwhile supported.
Is admin_consent already supported in the App Model v2? If so, could anyone help me find out what is going wrong? Thanks.
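Added here as a diagnostic example, not code from the Azure sample or from the poster: a small Python check that decodes the bearer token's claims (without verifying the signature) and reports whether the audience, tenant and app-only roles match what an application-permission call to Graph needs. The tenant id, role and token contents are constructed sample values.

```python
import base64
import json

# Audiences a v2.0 access token for Microsoft Graph carries: the resource URI
# or the Graph application id (the latter is a well-known constant).
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token: str) -> dict:
    # Parse only; the signature is not checked here (Graph validates it server-side).
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_app_token(token: str, expected_tenant: str, required_role: str) -> list:
    """Return findings explaining why Graph may reject this token for an app-only call."""
    claims = decode_claims(token)
    findings = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        findings.append(f"audience {claims.get('aud')!r} is not Microsoft Graph")
    if claims.get("tid") != expected_tenant:
        findings.append(f"tenant {claims.get('tid')!r} != expected {expected_tenant!r}")
    roles = claims.get("roles", [])
    if required_role not in roles:
        findings.append(f"app role {required_role!r} missing; roles present: {roles}")
    if "scp" in claims:
        findings.append("token carries 'scp' (delegated) rather than app-only 'roles'")
    return findings


def make_sample_token(payload: dict) -> str:
    # Constructed for this example: header and payload only, empty signature segment.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"  # constructed, not a real tenant
SAMPLE_TOKEN = make_sample_token(
    {"aud": "https://graph.microsoft.com", "tid": SAMPLE_TENANT, "roles": ["User.Read.All"]}
)

if __name__ == "__main__":
    for finding in check_app_token(SAMPLE_TOKEN, SAMPLE_TENANT, "User.Read.All"):
        print("finding:", finding)
```

An empty result means the token's claims already look right for the call, which narrows the problem to something outside the token itself.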