I've got an ASP.NET application which is using the OWIN middleware to authenticate against my Azure Active Directory instance.
In the Azure portal, I've created the app registration for my ASP.NET app, and authentication works great.
Users have been logging in, I get their claims, everything's good.
Now, I'm adding a new feature to my application, where after login, I want to query the Graph API to get some more information about the user (group names, e-mail address, whatever). Now, accessing the Graph API to get this information requires new permissions, so I've gone into the Azure portal, and checked off the appropriate delegated permissions for my ASP.NET application.
For users who never logged into the application, everything works fine. However, users who had previously logged into the application are not prompted for consent to the newly-required permissions, so my calls to the Graph API are failing.
How can I make it so that users are asked for consent when my app starts requiring new permissions?