My scenario is this.
I need to access user and group data, and create a unified group via my existing SharePoint Provider hosted app. As most of the code runs inside an Azure webjob, I've registered a separate Application against Azure Ad to achieve this.
Now, using the .Net Unified API's I can get to the stage where I have a GraphService Object, but performing any operations results in a Forbidden. Drilling down further shows an Missing UPN Claim error.
Authentication Context Authority = https://login.windows.net/.onmicrosoft.com Service Root = https://graph.microsoft.com/beta/
Access to the unified APIs (including Group APIs) is ONLY supported for now using the delegated (app+user) flows. We are working on providing app only (client_credential flow) support, and can update this thread when this is available.
HTHs,