Any app that authenticates with Microsoft OpenID requires certain Azure Active Directory (AAD) permissions in order to authenticate properly.
These can be found in the Azure Portal under Azure Active Directory -> App Registrations -> (app name) -> Required Permissions -> Windows Azure Active Directory.
The permissions are:
Access the directory as the signed-in user
Read all users' basic profiles
Sign in and read user profile
These are all delegated permissions that the interface says do not require Admin authority. Whether or not Admin authority is actually required depends on other AAD settings: Azure Active Directory -> User Settings -> App Registrations.
The control surfaces for Azure seem to change frequently, and these descriptions may become invalid quickly.
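
The same check can be made against the app's manifest instead of the portal screens. The following is an added example, not part of the original note: it audits the manifest's requiredResourceAccess section for the three delegated permissions listed above and flags anything extra. The GUIDs are the commonly published IDs for the Windows Azure Active Directory resource and its delegated scopes and are not taken from this page, so confirm them against your own tenant's manifest; the sample manifest and the all-ones GUID are constructed.

```python
import json

# Resource ID used for "Windows Azure Active Directory" in app manifests
# (assumption: not stated on this page, verify in your tenant).
AAD_RESOURCE = "00000002-0000-0000-c000-000000000000"

# Delegated permission IDs mapped to the portal names listed above
# (assumption: commonly published values, verify in your tenant).
EXPECTED = {
    "a42657d6-7f20-40e3-b6f0-cee03008a62a": "Access the directory as the signed-in user",
    "cba73afc-7f69-4d86-8450-4978e04ecd1a": "Read all users' basic profiles",
    "311a71cc-e848-46a1-bdf8-97ff7156d8e6": "Sign in and read user profile",
}

def audit_manifest(manifest):
    """Return (missing, unexpected, app_only) for the AAD resource entry."""
    granted = {}
    for res in manifest.get("requiredResourceAccess", []):
        if res.get("resourceAppId") != AAD_RESOURCE:
            continue
        for access in res.get("resourceAccess", []):
            granted[access["id"]] = access["type"]
    # Expected delegated permissions that the manifest does not request.
    missing = sorted(name for pid, name in EXPECTED.items() if pid not in granted)
    # Anything requested beyond the three: review for least privilege.
    unexpected = sorted(pid for pid in granted if pid not in EXPECTED)
    # type "Role" is an application permission (always needs admin consent);
    # type "Scope" is a delegated permission.
    app_only = sorted(pid for pid, kind in granted.items() if kind == "Role")
    return missing, unexpected, app_only

# Constructed sample manifest fragment: two expected scopes plus one extra Role.
SAMPLE = json.loads("""
{"requiredResourceAccess": [{
  "resourceAppId": "00000002-0000-0000-c000-000000000000",
  "resourceAccess": [
    {"id": "a42657d6-7f20-40e3-b6f0-cee03008a62a", "type": "Scope"},
    {"id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6", "type": "Scope"},
    {"id": "11111111-1111-1111-1111-111111111111", "type": "Role"}
  ]}]}
""")

if __name__ == "__main__":
    missing, unexpected, app_only = audit_manifest(SAMPLE)
    print("missing:", missing)
    print("unexpected:", unexpected)
    print("application (admin-consent) permissions:", app_only)
```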