
Insufficient privileges to complete the operation

Published 2019-02-15 06:34

Question:

Following the code outlined here:

https://github.com/Azure-Samples/active-directory-dotnet-graphapi-console/blob/master/GraphConsoleAppV3/Program.cs#L810

but using a service principal to authenticate, one will get an Insufficient Privileges error when trying to create the application on

client.Applications.AddApplicationAsync(appObject).Wait();

with token exchange like the following:

using System; using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL: AuthenticationContext, ClientCredential
using Microsoft.Azure.ActiveDirectory.GraphClient;    // Azure AD Graph client: ActiveDirectoryClient
var context = new AuthenticationContext($"https://login.microsoftonline.com/{tenantId}");
var token = context.AcquireToken("https://graph.windows.net", new ClientCredential(clientId, secret));
var client = new ActiveDirectoryClient(new Uri($"https://graph.windows.net/{tenantId}"), () => Task.FromResult(token.AccessToken));

Answer 1:

It's required that the application has been given the Administrator role, which currently seems only possible to add using the PowerShell tools for Azure AD: https://msdn.microsoft.com/library/azure/jj151815.aspx#bkmk_installmodule

and using Connect-MsolService with your Azure AD administrator user login when prompted.

  1. Connect-MsolService
  2. Get-MsolServicePrincipal -AppPrincipalId {appId}
  3. Add-MsolRoleMember -RoleMemberType ServicePrincipal -RoleName 'Company Administrator' -RoleMemberObjectId {objectID}

where the objectID is the output of the 2nd command.
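The three steps above, put together as one script. This is an added example, not the answerer's code: it assumes the MSOnline module is installed and that $AppId is the application (client) ID used in the client-credential flow from the question. It resolves the app ID to the service principal's object ID, checks whether the principal already holds the role before adding it (so re-running is safe), and then lists every service principal in the role. 'Company Administrator' is the MSOnline name for Global Administrator, the most privileged directory role, so that final list is the set you want to keep as small as possible.

```powershell
# Added example (not from the original answer): grant an application's service principal
# the 'Company Administrator' directory role with the MSOnline module, idempotently.
# Assumes the MSOnline module is installed (Install-Module MSOnline) and that $AppId is
# the application (client) ID of the app that authenticates with a client secret.
param(
    [Parameter(Mandatory = $true)][string]$AppId,
    [string]$RoleName = 'Company Administrator'   # MSOnline's name for Global Administrator
)

# Prompts for an Azure AD administrator's credentials.
Connect-MsolService

# Resolve the application ID to the service principal's directory object ID
# (Add-MsolRoleMember needs the object ID, not the app ID).
$sp = Get-MsolServicePrincipal -AppPrincipalId $AppId
if (-not $sp) { throw "No service principal found for AppPrincipalId $AppId" }

$role = Get-MsolRole -RoleName $RoleName
if (-not $role) { throw "Directory role '$RoleName' not found" }

# Check current membership first so the script can be re-run safely and so the
# existing service-principal members of the role are visible before changing them.
$alreadyMember = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.RoleMemberType -eq 'ServicePrincipal' -and $_.ObjectId -eq $sp.ObjectId }

if ($alreadyMember) {
    Write-Host "$($sp.DisplayName) ($($sp.ObjectId)) already holds '$RoleName'."
} else {
    Add-MsolRoleMember -RoleMemberType ServicePrincipal -RoleName $RoleName -RoleMemberObjectId $sp.ObjectId
    Write-Host "Added $($sp.DisplayName) ($($sp.ObjectId)) to '$RoleName'."
}

# Verify, and audit: every service principal that now holds the role.
Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.RoleMemberType -eq 'ServicePrincipal' } |
    Select-Object DisplayName, ObjectId, RoleMemberType
```

Save it as, for example, Grant-SpAdminRole.ps1 and run `.\Grant-SpAdminRole.ps1 -AppId <application id>`. After the role is assigned, request a fresh token in the C# code from the question: the role claims are evaluated when the token is issued, so a token acquired before the assignment will still be rejected until it is replaced.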