I have an ASP.NET MVC5 Web app using Azure AD, getting a token using Open ID, and trying to use that token to access the Graph. When a user signs in, they get the following message:
From within Azure, I cannot grant the application permissions; there is no way to do that.
The app is registered with apps.dev.microsoft.com.
I'm just trying to read the group memberships of the user. How do I assign all permissions to every user in Azure AD? My account works when I sign in. Others can sign in but cannot get the first prompt. Others sign in and get redirected to sign in with another account when they try to access a page that contains this code:
```csharp
private ActiveDirectoryClient GetActiveDirectoryClient() // AuthConstants and AcquireTokenAsync() are the app's own helpers
{
    var baseServiceUri = new Uri(AuthConstants.ResourceUrl);
    // The token callback runs on each Graph call, so it acquires a token for the currently signed-in user.
    var activeDirectoryClient = new ActiveDirectoryClient(new Uri(baseServiceUri, AuthConstants.TenantId), async () => await AcquireTokenAsync());
    return activeDirectoryClient;
}
```
Applications registered with apps.dev.microsoft.com are known as V2 applications. You can learn more about V2 applications here.
As compared to V1 applications, you cannot just add prompt=admin_consent to trigger the admin consent flow. Instead you need to hit a special Admin Consent Endpoint.
See here: Requesting consent for an entire tenant
and here: Using the admin consent endpoint
In summary, you need to send your normal login request to this endpoint
https://login.microsoftonline.com/{tenant}/adminconsent
and include the normal query strings you would normally pass. Of course the user going through this flow must be a tenant administrator for the users who are struggling to sign in.
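As an added example (not code from the answer's author or from Microsoft), the following ASP.NET MVC5 controller shows one way to drive that flow: it sends the tenant administrator to the `adminconsent` endpoint with the `client_id`, `state` and `redirect_uri` query strings, then validates the `state` on the way back before trusting the `admin_consent`/`tenant` values. The client id, redirect URI and tenant value are placeholders, and the redirect URI must match one registered for the application.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;

public class AdminConsentController : Controller
{
    // Placeholders: replace with the values from your own registration at apps.dev.microsoft.com.
    private const string ClientId = "<your-application-id>";
    private const string RedirectUri = "https://localhost:44300/AdminConsent/Callback"; // must be a registered reply URL
    private const string Tenant = "common"; // or a specific tenant id / verified domain

    private const string StateSessionKey = "AdminConsentState";

    // Builds the V2 admin consent URL from the page: https://login.microsoftonline.com/{tenant}/adminconsent
    public static string BuildAdminConsentUrl(string tenant, string clientId, string redirectUri, string state)
    {
        // ParseQueryString(string.Empty) yields a collection whose ToString() URL-encodes each value.
        var query = HttpUtility.ParseQueryString(string.Empty);
        query["client_id"] = clientId;
        query["state"] = state;
        query["redirect_uri"] = redirectUri;
        return $"https://login.microsoftonline.com/{Uri.EscapeDataString(tenant)}/adminconsent?{query}";
    }

    // Unguessable state so the callback can be tied to the request that started the flow.
    public static string NewState()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // GET /AdminConsent : a tenant administrator starts the flow here.
    public ActionResult Index()
    {
        var state = NewState();
        Session[StateSessionKey] = state;
        return Redirect(BuildAdminConsentUrl(Tenant, ClientId, RedirectUri, state));
    }

    // GET /AdminConsent/Callback?admin_consent=True&tenant=...&state=...
    // or  /AdminConsent/Callback?error=...&error_description=...&state=...
    public ActionResult Callback(string admin_consent, string tenant, string state, string error, string error_description)
    {
        var expected = Session[StateSessionKey] as string;
        Session.Remove(StateSessionKey); // single use

        // Reject callbacks that do not carry the state we issued (prevents forged "consent granted" redirects).
        if (expected == null || !FixedTimeEquals(expected, state ?? string.Empty))
        {
            return new HttpStatusCodeResult(400, "state mismatch");
        }

        if (!string.IsNullOrEmpty(error))
        {
            return Content($"Consent failed: {error} - {error_description}");
        }

        if (!string.Equals(admin_consent, "True", StringComparison.OrdinalIgnoreCase))
        {
            return Content("Consent was not granted.");
        }

        // 'tenant' identifies the directory that consented; record it if the app only serves known tenants.
        return Content($"Admin consent granted for tenant {tenant}.");
    }

    // Constant-time comparison; .NET Framework lacks CryptographicOperations.FixedTimeEquals.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length)
        {
            return false;
        }
        var diff = 0;
        for (var i = 0; i < a.Length; i++)
        {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }
}
```

Once an administrator has completed this flow, the permissions are granted for the whole tenant, so the other users' sign-ins no longer need an individual consent prompt.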