I'm developing a multi-tenant application, and authenticating against Azure AD with OpenID Connect using OWIN.
I registered my application in our AD tenant, and then set up a second tenant to represent a client for testing. I've got an admin user (role: Global Admin) and a standard user (role: User).
This all worked great at first, when my application was requesting only the following permission to other applications:
Delegated Permission: Sign in and read user profile
However, I need to read group information from the directory, so I added the following:
Application Permission: Read directory Data
I logged in with the admin user to grant permission. When prompted for consent, I noted the following statement:
"If you agree, this app will have access to the specified resources for all users in your organization. No one else will be prompted."
This sounds to me like the application now has consent, so future users, regardless of their role, should not be bothered. But when I log in with my user with the User role, I get the following:
AADSTS90093: This operation can only be performed by an administrator.
Can anyone shed some light on this situation?
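For reference, the kind of OWIN OpenID Connect setup the question describes, as an added example rather than the asker's own code. It is a multi-tenant `Startup.Auth.cs` that signs in against the `common` endpoint, lets a Global Admin explicitly trigger the tenant-wide admin consent prompt via `prompt=admin_consent`, and routes AADSTS errors such as the AADSTS90093 above to an error page instead of an unhandled exception. The client id, redirect URI, error routes and the `TenantStore` allow-list helper are placeholders and assumptions, not values from the question; the `using` lines assume the Microsoft.Owin.Security.OpenIdConnect 4.x package (older 3.x builds take `TokenValidationParameters` from `System.IdentityModel.Tokens` instead).

```csharp
// Startup.Auth.cs (assumed file name). Added example, not the asker's code.
// Assumes Microsoft.Owin.Security.OpenIdConnect 4.x (brings Microsoft.IdentityModel.Tokens).
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Placeholders: in a real app these come from configuration.
    private const string ClientId = "<application-client-id>";
    private const string RedirectUri = "https://localhost:44300/";
    // Multi-tenant apps authenticate against "common" rather than a single tenant id.
    private const string Authority = "https://login.microsoftonline.com/common";

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = ClientId,
            Authority = Authority,
            RedirectUri = RedirectUri,
            PostLogoutRedirectUri = RedirectUri,
            TokenValidationParameters = new TokenValidationParameters
            {
                // With the "common" authority the issuer differs per tenant, so the
                // built-in single-issuer check is disabled and the tenant is checked
                // explicitly in SecurityTokenValidated below.
                ValidateIssuer = false,
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // A controller can request tenant-wide admin consent by issuing a challenge
                // whose AuthenticationProperties.Dictionary contains an "admin_consent" key.
                RedirectToIdentityProvider = n =>
                {
                    var challenge = n.OwinContext.Authentication.AuthenticationResponseChallenge;
                    if (challenge != null && challenge.Properties.Dictionary.ContainsKey("admin_consent"))
                    {
                        n.ProtocolMessage.Prompt = "admin_consent";
                    }
                    return Task.FromResult(0);
                },

                // Replacement for the disabled issuer check: only accept tenants we know.
                SecurityTokenValidated = n =>
                {
                    string tenantId = n.AuthenticationTicket.Identity
                        .FindFirst("http://schemas.microsoft.com/identity/claims/tenantid")?.Value;
                    if (string.IsNullOrEmpty(tenantId) || !TenantStore.IsOnboarded(tenantId))
                    {
                        throw new SecurityTokenValidationException("Tenant has not been onboarded.");
                    }
                    return Task.FromResult(0);
                },

                // Azure AD returns consent failures as error/error_description on the
                // redirect; surface them instead of letting the middleware throw.
                AuthenticationFailed = n =>
                {
                    n.HandleResponse();
                    string description = n.ProtocolMessage?.ErrorDescription ?? n.Exception?.Message ?? "sign-in failed";
                    if (description.Contains("AADSTS90093"))
                    {
                        // Assumed route: explains that a Global Admin must grant consent.
                        n.Response.Redirect("/Error/AdminConsentRequired");
                    }
                    else
                    {
                        n.Response.Redirect("/Error?message=" + Uri.EscapeDataString(description));
                    }
                    return Task.FromResult(0);
                }
            }
        });
    }
}

// Hypothetical allow-list of tenants that have completed onboarding.
public static class TenantStore
{
    public static bool IsOnboarded(string tenantId)
    {
        // Constructed sample value; a real implementation would consult persistent storage.
        return tenantId == "<onboarded-tenant-id>";
    }
}
```

Logging the full `ErrorDescription` server-side (not just the code) makes it much easier to tell a consent problem apart from a token-validation one when a user reports a failed sign-in.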