This repository has been archived by the owner on May 16, 2023. It is now read-only.

Modify permissions UI leads to admin consent when a user consentable scope is selected by non-admin #182

Closed
MIchaelMainer opened this issue Oct 4, 2018 · 1 comment


MIchaelMainer commented Oct 4, 2018

Expected behavior

Adding a new scope in the modify permissions UI only adds a single scope to the OAuth request. This appeared to be fixed with #165. I seem to be mistaken.

Actual behavior

We are now seeing many OAuth scopes being sent when only one is selected. This includes the default scopes which require admin consent. This shouldn't happen.

It almost seems like user consent is disabled as a new default. This includes demo tenants.

Steps to reproduce the behavior

  1. Log in to GE with a non-admin account.
  2. Open the modify permissions UI.
  3. Add a user consentable scope and select modify.
  4. Get redirected to a request for admin consent.

HTTP traffic capture

GET /common/oauth2/v2.0/authorize?nonce=graph_explorer&prompt=select_account&client_id=de8bc8b5-d9f9-48b1-a8ad-b748da725064&response_type=token&redirect_uri=https%3A%2F%2Fdeveloper.microsoft.com%2Fen-us%2Fgraph%2Fgraph-explorer&state=%7B%22client_id%22%3A%22de8bc8b5-d9f9-48b1-a8ad-b748da725064%22%2C%22network%22%3A%22msft%22%2C%22display%22%3A%22page%22%2C%22callback%22%3A%22_hellojs_4eh1jgbe%22%2C%22state%22%3A%22%22%2C%22redirect_uri%22%3A%22https%3A%2F%2Fdeveloper.microsoft.com%2Fen-us%2Fgraph%2Fgraph-explorer%22%7D&scope=Calendars.Read%20Calendars.ReadWrite%20Contacts.ReadWrite%20DeviceManagementApps.Read.All%20DeviceManagementApps.ReadWrite.All%20DeviceManagementConfiguration.Read.All%20DeviceManagementConfiguration.ReadWrite.All%20DeviceManagementManagedDevices.PrivilegedOperations.All%20DeviceManagementManagedDevices.Read.All%20DeviceManagementManagedDevices.ReadWrite.All%20DeviceManagementRBAC.Read.All%20DeviceManagementRBAC.ReadWrite.All%20DeviceManagementServiceConfig.Read.All%20DeviceManagementServiceConfig.ReadWrite.All%20Directory.AccessAsUser.All%20Directory.ReadWrite.All%20Files.ReadWrite.All%20Group.ReadWrite.All%20IdentityRiskEvent.Read.All%20Mail.ReadWrite%20MailboxSettings.ReadWrite%20Notes.ReadWrite.All%20Notifications.ReadWrite.CreatedByApp%20openid%20People.Read%20Reports.Read.All%20Sites.ReadWrite.All%20Tasks.ReadWrite%20User.ReadBasic.All%20User.ReadWrite%20User.ReadWrite.All
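As an added example that is not part of this issue or of the Graph Explorer code, the following Python helper parses the authorize request captured above and lists every scope the client sent beyond the ones the user selected. The expected set (`Calendars.Read` plus `openid`) and the `.All` triage rule are assumptions for illustration, not facts from the issue.

```python
"""Audit a captured OAuth 2.0 authorize request for scope creep.

Added example (not from the issue or Graph Explorer): compare the scopes a
client actually sent with the ones the user expected it to send.
"""
import json
from urllib.parse import parse_qs, urlsplit

# Authorize request quoted in the issue above (path and query only).
CAPTURED_URL = "/common/oauth2/v2.0/authorize?nonce=graph_explorer&prompt=select_account&client_id=de8bc8b5-d9f9-48b1-a8ad-b748da725064&response_type=token&redirect_uri=https%3A%2F%2Fdeveloper.microsoft.com%2Fen-us%2Fgraph%2Fgraph-explorer&state=%7B%22client_id%22%3A%22de8bc8b5-d9f9-48b1-a8ad-b748da725064%22%2C%22network%22%3A%22msft%22%2C%22display%22%3A%22page%22%2C%22callback%22%3A%22_hellojs_4eh1jgbe%22%2C%22state%22%3A%22%22%2C%22redirect_uri%22%3A%22https%3A%2F%2Fdeveloper.microsoft.com%2Fen-us%2Fgraph%2Fgraph-explorer%22%7D&scope=Calendars.Read%20Calendars.ReadWrite%20Contacts.ReadWrite%20DeviceManagementApps.Read.All%20DeviceManagementApps.ReadWrite.All%20DeviceManagementConfiguration.Read.All%20DeviceManagementConfiguration.ReadWrite.All%20DeviceManagementManagedDevices.PrivilegedOperations.All%20DeviceManagementManagedDevices.Read.All%20DeviceManagementManagedDevices.ReadWrite.All%20DeviceManagementRBAC.Read.All%20DeviceManagementRBAC.ReadWrite.All%20DeviceManagementServiceConfig.Read.All%20DeviceManagementServiceConfig.ReadWrite.All%20Directory.AccessAsUser.All%20Directory.ReadWrite.All%20Files.ReadWrite.All%20Group.ReadWrite.All%20IdentityRiskEvent.Read.All%20Mail.ReadWrite%20MailboxSettings.ReadWrite%20Notes.ReadWrite.All%20Notifications.ReadWrite.CreatedByApp%20openid%20People.Read%20Reports.Read.All%20Sites.ReadWrite.All%20Tasks.ReadWrite%20User.ReadBasic.All%20User.ReadWrite%20User.ReadWrite.All"


def audit_authorize_request(url, expected_scopes):
    """Return the requested scopes and how they differ from expected_scopes.

    expected_scopes: what the user selected plus anything the client is
    known to add for sign-in (for example "openid").
    """
    params = parse_qs(urlsplit(url).query)

    def first(key):
        return params.get(key, [None])[0]

    requested = set((first("scope") or "").split())
    expected = set(expected_scopes)
    # hello.js-style clients echo the redirect_uri inside the JSON state;
    # a mismatch with the real redirect_uri parameter is worth flagging.
    state = json.loads(first("state") or "{}")
    extra = requested - expected
    return {
        "client_id": first("client_id"),
        "response_type": first("response_type"),
        "requested": sorted(requested),
        "unexpected": sorted(extra),
        "missing": sorted(expected - requested),
        # Rough triage heuristic (an assumption, not a rule): tenant-wide
        # ".All" delegated scopes frequently need admin consent, so review them.
        "review_for_admin_consent": sorted(s for s in extra if s.endswith(".All")),
        "redirect_uri_consistent": state.get("redirect_uri") == first("redirect_uri"),
    }


if __name__ == "__main__":
    report = audit_authorize_request(CAPTURED_URL, ["Calendars.Read", "openid"])
    print(f"{len(report['requested'])} scopes requested, "
          f"{len(report['unexpected'])} not selected by the user")
    for scope in report["unexpected"]:
        print("  extra:", scope)
```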

MIchaelMainer (Contributor, Author) commented

We suspect that there was a v2 auth API change at the end of September that caused this mismatch between expected and actual. Even if the client correctly does incremental consent, we are seeing strange token behavior where the token comes back with just the incremented scope, not all the scopes. This is true for some accounts.
