I've got an ASP.NET application which is using the OWIN middleware to authenticate against my Azure Active Directory instance.

In the Azure portal, I've created the app registration for my ASP.NET app, and authentication works great.

Users have been logging in, I get their claims, everything's good.

Now, I'm adding a new feature to my application, where after login, I want to query the Graph API to get some more information about the user (group names, e-mail address, whatever). Now, accessing the graph API to get this information requires new permissions, so I've gone into the Azure portal, and checked off the appropriate delegated permissions for my ASP.NET application.

For users which never logged into the application, everything works fine. However, for users which had previously logged into the application, they are not prompted for consent to the newly-required permissions, so my calls to the graph API are failing.

How can I make it so that users are asked for consent when my app starts requiring new permissions?

After we changed the permission from app of developer's tenant, the users who already give the consent need to update the consent to get the updated permission.

To start a consent grant for those users who have already granted before we need to specify the prompt parameter with value consent( refer here about more parameters using for OAuth 2.0 code grant flow).

And if you were using the Azure AD v2.0 endpoint, we need to update the new scopes in the request instead of config it at the portal. (Refer here about the v2.0 endpoint)