4 ways to fix error AADSTS65001 (The user or administrator has not consented to use the application)

Azure AD Login error

Fixing issues with Azure AD authentication for Enterprise applications can be tricky. This article contains several different fixes for an issue where granting admin consent has somehow failed. Not all of the solutions will work in all situations, though! That’s why I included a couple of different options to try… 🙂

Why do you even get issues with Admin Consent (like AADSTS65001)?

You’re trying to add or use an app that requires permissions from your tenant that can only be granted by an administrator. Typically this app has to be added by a global administrator. If it’s an enterprise application, it could also be in an invalid state after someone tried adding the app without sufficient permissions.

Our investigation was focused on a mobile app that’s deployed as an enterprise app. Most of this should apply to web-based apps, console programs, or whatever else you’re deploying, too.

The whole error might look something like this:

Or you get something like this:

Please note: if you have an issue, where only admin users are able to log in, and everyone else gets an error, please jump directly to solution 2.

Solutions

Okay, there’s a bunch of solutions, starting from easy and progressing to more difficult and exotic ones.

Solution 1: Get help from an admin

First of all, maybe it’s true. Simple, but worth trying first. Maybe an admin really hasn’t consented to the permissions. Just get someone with global administrator permissions to try the app, and see what happens.

If it doesn’t work for him/her either, check out the next solution.

Solution 2: Make sure your Azure AD settings are ok

There are a couple of properties under Azure AD Application > Manage > User settings that affect how the app is registered. Someone in your organization may have turned app registration off altogether, or limited the options severely. You could check these settings out – they should look something like this:


Azure AD Application settings – this is roughly what it should look like! These affect all “enterprise applications” and normal app registrations using ADAL to log in.

Note: If you absolutely need to have the ability to register apps turned off (for example, to comply with GDPR or similar regulation), I have another article in the works on possible workarounds of Azure AD app registration. Check back a bit later!

Solution 3: Remove the app, and be sure to ask a global admin to log in once

If the settings above were ok, check this tip out. This solution only applies to Enterprise Applications, since the method for registering a “normal app” is different from enterprise ones. Enterprise apps are registered to your Azure AD instance automatically based on their application ID. More or less, it should just provision a service principal based on the app ID, using the manifest that stays wherever the enterprise app was originally registered. From a user’s point of view, this should happen automatically. It doesn’t always.

Typically, someone might try to add an enterprise application without having permissions to do so. Apparently this causes your Azure AD instance to get quite confused, and the app won’t work. Not for admins (who could grant the consent), and especially not for you.

You can fix this quite easily, though. A global administrator just needs to browse to Azure AD (remember to choose the right directory, though), remove the app (see screenshot below), and then log in to the app. With some apps it’s pivotal that the first person to log in is a global administrator, to make it possible for them to give admin permission in the first place (duh).


Azure AD – how to remove an enterprise application (registration) from your AAD instance

Solution 4: Craft a specific login & admin consent URL for a global admin to test

If you don’t have admin permissions, and maybe none of the global administrators can use any apps or something, you could try this next. You can just send them a URL they can use to grant admin consent to an enterprise application. Easy? Maybe.

https://login.microsoftonline.com/<tenant_name_in_onmicrosoft.com-form>/oauth2/authorize?client_id=<appId>&response_type=code&redirect_uri=http://<appUri>&nonce=1234&resource=https://graph.windows.net&prompt=admin_consent

This URL should prompt the user, who should have global admin permissions, to grant admin consent for the app.
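Building that URL by hand is error-prone (a missing prompt=admin_consent or an unencoded redirect_uri is enough to get a different error back). The following is an added example, not code from the original post: a small Python helper that assembles the v1 authorize URL exactly as laid out above, and a checker that parses a URL back and reports what is missing or wrong before you send it to a global admin. The tenant name, app ID and redirect URI used in the usage block are constructed placeholders.

```python
from urllib.parse import urlencode, urlparse, parse_qs, quote
import secrets

# Azure AD v1 authorize endpoint, as used in the URL above.
AUTHORIZE_HOST = "login.microsoftonline.com"
AUTHORIZE_PATH = "/oauth2/authorize"
REQUIRED_PARAMS = ("client_id", "response_type", "redirect_uri", "resource", "prompt")


def build_admin_consent_url(tenant, app_id, redirect_uri,
                            resource="https://graph.windows.net", nonce=None):
    """Return the v1 authorize URL that forces the admin-consent prompt.

    tenant:       e.g. "<tenant>.onmicrosoft.com" (or the tenant GUID)
    app_id:       the application (client) ID of the enterprise app
    redirect_uri: must be one of the app's registered reply URLs
    """
    if not (tenant and app_id and redirect_uri):
        raise ValueError("tenant, app_id and redirect_uri are all required")
    params = {
        "client_id": app_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,          # urlencode() percent-encodes this
        "nonce": nonce or secrets.token_urlsafe(16),
        "resource": resource,
        "prompt": "admin_consent",             # the part that triggers consent
    }
    return f"https://{AUTHORIZE_HOST}/{quote(tenant, safe='')}{AUTHORIZE_PATH}?{urlencode(params)}"


def check_admin_consent_url(url):
    """Parse a consent URL and return a list of problems (empty list == looks right)."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.netloc != AUTHORIZE_HOST:
        problems.append(f"host must be https://{AUTHORIZE_HOST}")
    parts = parsed.path.strip("/").split("/")
    if len(parts) != 3 or parts[1:] != ["oauth2", "authorize"]:
        problems.append("path must be /<tenant>/oauth2/authorize")
    q = parse_qs(parsed.query)
    for key in REQUIRED_PARAMS:
        if key not in q:
            problems.append(f"missing {key}")
    if q.get("prompt") != ["admin_consent"]:
        problems.append("prompt must be admin_consent")
    if q.get("response_type") != ["code"]:
        problems.append("response_type must be code")
    if "redirect_uri" in q:
        ru = urlparse(q["redirect_uri"][0])
        if ru.scheme not in ("http", "https") or not ru.netloc:
            problems.append("redirect_uri must be an absolute http(s) URL")
    return problems


if __name__ == "__main__":
    # Constructed placeholder values; substitute your own tenant, app ID and reply URL.
    url = build_admin_consent_url(
        tenant="contoso.onmicrosoft.com",
        app_id="11111111-2222-3333-4444-555555555555",
        redirect_uri="https://app.contoso.example/auth",
    )
    print(url)
    print("problems:", check_admin_consent_url(url) or "none")
```

The checker is deliberately strict about the host and path so that a URL pasted from chat with a stray space or a v2 path does not slip through; if the redirect_uri is not one of the app's registered reply URLs, Azure AD will still reject the request, so confirm that against the app registration before sending the link.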

Did none of these solutions work?

I’ve been resolving a lot of different authentication issues with Azure AD lately, and maybe I just forgot to post some solution. Let me know in the comments, and let’s see if we find a solution together!


Antti Koskela is a proud digital native nomadic millenial full stack developer (is that enough funny buzzwords? That's definitely enough funny buzzwords!), who works as a Solutions Architect for Valo Intranet, the product that will make you fall in love with your intranet. Working with the global partner network, he's responsible for the success of Valo deployments happening all around the world. He's been a developer from 2004 (starting with PHP and Java), and he's been bending and twisting SharePoint into different shapes since MOSS. Nowadays he's not only working on SharePoint, but also on .NET projects, Azure, Office 365 and a lot of other stuff.
