Make Azure AD Application 'permissions to other applications' optional, not mandatory
From what I understand, adding permissions in the 'permissions to other applications' section of an Azure AD Application means that any tenant administrator trying to grant access to that application using the Admin consent flow must have all the services requested. E.g. if requesting Office 365 'Read users email' permission and CRM Online 'Access CRM Online as organization users' permission the requesting tenant must have both of those Microsoft Services linked to their Azure AD.
If you don't have access to all requested services you receive the following error:
'AADSTS65005: The application needs access to a service that your organization [Organization name here] has not subscribed to. Please contact your Administrator to review the configuration of your service subscriptions.'
I have attached a diagram playing out a simple example. This will not work for ISVs who would like to provide optional integrations, as they will need to create an Azure AD application (and associated ASP.NET application instance) per potential combination of Microsoft services a tenant could have, just to work around this issue that permissions are mandatory.
The v2 endpoint for Azure AD supports incremental/dynamic consent, by which an app requests the permissions it needs at run time, dynamically. This will allow your app to get tokens for basic scenarios first (e.g. sign in and get profile) and only get tokens for other, optional, scenarios (e.g. read and send mail as the user) later.
Be sure to review the current limitations on which services the v2 endpoint will grant tokens for, as this does not work for all scenarios or all Microsoft services yet: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-limitations#restrictions-on-services-and-apis
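The following is an added example (not code from the original post or from Microsoft) showing what the incremental consent described above looks like at the OAuth level, and how an app can avoid the all-or-nothing problem from the original question: it builds a v2.0 authorization request with only the scopes needed for sign-in, later builds a second request for just the scopes of one optional integration, and inspects the redirect back from Azure AD so that an AADSTS65005 response disables that one integration instead of failing sign-in. The client id, redirect URI, feature names and the sample callback are constructed placeholders; the endpoint URL and the `client_id`, `response_type`, `redirect_uri`, `response_mode`, `scope` and `state` parameters are the standard v2.0 authorization parameters.

```python
"""Incremental (dynamic) consent against the Azure AD v2.0 endpoint.

Added example, not code from the original post. Builds the authorization
request URLs directly rather than through an auth library so each step is
visible. CLIENT_ID, REDIRECT_URI and the feature-to-scope map are
constructed placeholders.
"""
from urllib.parse import urlencode, urlsplit, parse_qs

# v2.0 multi-tenant authority; "common" lets users from any tenant sign in.
AUTHORITY = "https://login.microsoftonline.com/common"
AUTHORIZE_ENDPOINT = f"{AUTHORITY}/oauth2/v2.0/authorize"

# Constructed placeholder values; replace with your app registration's values.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://contoso-isv.example/auth/callback"

# Scopes needed just to sign the user in and read their own profile.
BASE_SCOPES = ["openid", "profile", "offline_access", "User.Read"]

# Optional integrations (constructed examples); each is requested only when
# the user switches that feature on, never as part of initial sign-in.
OPTIONAL_SCOPES = {
    "mail": ["Mail.Read"],
    "calendar": ["Calendars.Read"],
}


def build_authorize_url(scopes, state):
    """Return a v2.0 authorization-code request asking for exactly `scopes`."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": " ".join(dict.fromkeys(scopes)),  # de-duplicate, keep order
        "state": state,  # bind the callback to this request (CSRF protection)
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def initial_sign_in_url(state):
    """Step 1: sign in with the minimum scopes that every tenant can grant."""
    return build_authorize_url(BASE_SCOPES, state)


def incremental_consent_url(feature, state):
    """Step 2: later, request only the scopes of one optional integration."""
    if feature not in OPTIONAL_SCOPES:
        raise ValueError(f"unknown optional feature: {feature}")
    return build_authorize_url(OPTIONAL_SCOPES[feature], state)


def requested_scopes(url):
    """Helper: the list of scopes a built authorization URL asks for."""
    return parse_qs(urlsplit(url).query)["scope"][0].split(" ")


def classify_callback(callback_url):
    """Interpret the redirect back from Azure AD.

    Returns ("code", authorization_code) on success, or ("error", reason) on
    failure. AADSTS65005 in error_description means the tenant has not
    subscribed to a service behind one of the requested scopes; because the
    optional scopes were requested separately, the app can leave just that
    integration disabled and keep the user signed in.
    """
    query = parse_qs(urlsplit(callback_url).query)
    if "code" in query:
        return ("code", query["code"][0])
    error = query.get("error", ["unknown"])[0]
    description = query.get("error_description", [""])[0]
    if "AADSTS65005" in description:
        return ("error", "service_not_subscribed")
    return ("error", error)


if __name__ == "__main__":
    print("sign-in:", initial_sign_in_url("state-1"))
    print("mail integration:", incremental_consent_url("mail", "state-2"))
    # Constructed sample callback for a tenant without the mail service.
    sample = (REDIRECT_URI + "?error=access_denied&error_description="
              "AADSTS65005%3A+The+application+needs+access+to+a+service&state=state-2")
    print("callback:", classify_callback(sample))
```

Keeping the optional scopes out of the first request is the whole point: the first consent only covers services every tenant has, and a tenant that lacks a service only sees the AADSTS65005 response when that specific feature is enabled, which the app can treat as "feature unavailable" rather than a failed sign-in. Persist the `state` value server-side and check it on the callback before trusting the `code`.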
We're trying to provide integration with Skype for Business as an ISV, and we've hit the same issue where the tenant may not necessarily have Skype for Business. It would be nice if we could assign optional permissions to other applications in #AzureAD.