How to access Graph API from Web API in SPA application
Permissions are configurable inside your App configuration page in Azure. You select what you wish to let the App access.
As for confirmation, you as admin have a choice. Either the user agrees to share data with your app, or an admin confirms for all under a tenant.
That's the correct way. My frontend and backend work that way.
This should get you started
How to use Microsoft Graph and Office 365 API in a Service or in a Windows App/UWP without a graphical interface
Please see the sample: https://github.com/Azure-Samples/active-directory-dotnet-graphapi-web. There is some code to access the Graph API and get the user profile in the sample:
    ClientCredential credential = new ClientCredential(clientId, appKey);
    AuthenticationResult result = authContext.AcquireTokenSilent(graphResourceId, credential, new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));

    // Call the Graph API manually and retrieve the user's profile.
    string requestUrl = String.Format(CultureInfo.InvariantCulture, graphUserUrl, HttpUtility.UrlEncode(tenantId));
    HttpClient client = new HttpClient();
    HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, requestUrl);
    request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
    HttpResponseMessage response = await client.SendAsync(request);

    // Return the user's profile in the view.
    if (response.IsSuccessStatusCode)
    {
        string responseString = await response.Content.ReadAsStringAsync();
        profile = JsonConvert.DeserializeObject<UserProfile>(responseString);
    }
You can find more information here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-code-samples/#calling-azure-ad-graph-api