0 votes

I have a Desktop application using ADAL to authenticate to a multi-tenanted Azure AD v1 application.

Version 1 of my application only required delegated permissions that didn't require Admin consent:

  • Microsoft Graph - sign in and read user profile
  • Skype for Business online - Create skype meetings

Version 2 now requires an additional permission, which requires Admin consent:

  • Microsoft Graph - Access directory as the signed in user

I've updated the Azure AD app with this permission, and granted admin consent through the Azure AD portal using an admin user homed in the same tenant as the application.

Signing in as a non-admin user who had already consented to the Version 1 permission set (also homed in the same tenant as the application), I don't see the new permission in the "scp" property of the access token I receive - so I'm assuming this means I haven't been given the new permission.

I then try and re-consent as the user, using "prompt=consent", but receive

AADSTS90094: The grant requires admin permission

Implying that admin consent has not been set - although the portal is reporting that it has been set.

From all that I've read, it looks like this should work just fine, so I'm struggling to see what's going wrong. How can I get this working?
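The question relies on reading the `scp` claim of the access token to decide whether the new permission was actually granted. As an added example (not code from the poster or from ADAL), here is a small Python helper that decodes the payload of a compact JWT and reports which required scopes are missing from `scp`. It assumes the short scope names `User.Read` (sign in and read user profile) and `Directory.AccessAsUser.All` (access directory as the signed-in user); the tokens it inspects are constructed, unsigned samples built inline. The helper does not verify the token signature, so it is only suitable for local diagnosis, not for authorization decisions.

```python
import base64
import json

# Scope names assumed for the two Microsoft Graph permissions named in the
# question (short names as they appear in the scp claim; assumption, not
# taken from the question itself).
REQUIRED_SCOPES = {"User.Read", "Directory.AccessAsUser.All"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip off."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token: str) -> dict:
    """Return the payload (claims) of a compact JWS token as a dict.

    The signature is NOT verified here: this is for inspecting what a token
    says about itself (e.g. the scp claim), never for trusting it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated parts")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(token: str) -> set:
    """Scopes in the scp claim (a space-separated string in Azure AD tokens)."""
    return set(decode_jwt_payload(token).get("scp", "").split())


def missing_scopes(token: str, required=REQUIRED_SCOPES) -> set:
    """Required scopes that the token does not carry; empty set means all granted."""
    return set(required) - granted_scopes(token)


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token (alg 'none') for demonstration only."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "",  # empty signature segment: this sample is not signed
    ])


# Constructed samples: a token consented under the Version 1 permission set,
# and one that also carries the Version 2 directory scope.
V1_TOKEN = make_sample_token({"scp": "User.Read", "tid": "example-tenant"})
V2_TOKEN = make_sample_token(
    {"scp": "User.Read Directory.AccessAsUser.All", "tid": "example-tenant"}
)

if __name__ == "__main__":
    for name, tok in (("v1", V1_TOKEN), ("v2", V2_TOKEN)):
        print(name, "missing:", sorted(missing_scopes(tok)) or "none")
```

Run it against a real access token instead of the constructed samples to confirm whether `Directory.AccessAsUser.All` is present before assuming the app can call directory endpoints.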


1 Answer

-2 votes

I think this is a configuration issue. First, check that your permission type is following the 'as an application' flow.

The clue here is how you described your permission: "Access directory as the signed in user"

That sounds to me like the 'on behalf of' flow, not the 'as an application' flow.
