Azure AD Login error

4 ways to fix error AADSTS65001 (The user or administrator has not consented to use the application)

This post was most recently updated on April 21st, 2019.


Have you run into error AADSTS65001 with an application that tries to authenticate against Azure AD? I sure have – it seems to happen at least every other time I’m building something that uses AAD to authenticate against SharePoint.

Fixing issues with Azure AD authentication for Enterprise applications can be tricky. But a lot of the time, this is just another Azure Active Directory error that we can fix easily. This article contains multiple different solutions to the issue, where granting admin consent has somehow failed.

Not all of the different solutions will work for all situations, though! That’s why I included a couple of different options to try. Chances are, one of them works for you!

What’s the reason for issues with Admin Consent (like AADSTS65001)?

Imagine this: You’re trying to add or use an app, but the app requires permissions from your tenant that only an administrator can grant. Typically, to add this kind of app, you’ll have to be a global administrator.

This is when admin consent is required for the usage of the app – and if that hasn’t been granted, you’ll get errors about administrators not having consented to the use of the app you’re accessing. This way, you also can’t add the app yourself.

Additionally, to make the investigation a bit more complicated, if it’s an enterprise application, it could also be in an invalid state after someone tried adding the app without sufficient permissions. This could stop you from adding the app, even if you do have sufficient permissions!

Fun, right? But no worries, as there’s always a workaround or two available!

I’ve been investigating a lot of these issues in relation to organizations using a mobile app, which the customer has been deploying as an enterprise application. Most of the things should apply for web-based apps or console programs or whatever else you’re deploying, too – especially if they’re enterprise applications in Azure AD!

The whole error might look something like this:

Failed to authenticate #1: 
Error: Request authority: resource: clientid:[appId]  ErrorCode:invalid_grant ErrorDescription:AADSTS65001: The user or administrator has not consented to use the application with [appid]. 
Send an interactive authorization request for this user and resource.
Trace ID: 5b92cb30-6321-4e2a-99e3-b4b2b6a46c94
Correlation ID: fc8a84ec-1578-4290-b49b-42322b791a3a
Timestamp: 2016-11-17 11:49:30Z

Or you get something like this:

 "error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID [appId] "

How to fix these issues?


Okay, there’s a bunch of solutions, which I’m going to outline here. I’ll be starting from the easy ones and progressing to more difficult and exotic ones.

Please note: if you have an issue where only admin users are able to log in (without any dialogs or warnings about granting permissions) and everyone else gets an error, please jump directly to solution 2.
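Before picking a solution, it helps to pull the error code, suberror and trace/correlation IDs out of whichever form of the error you have (plain-text log or JSON body). The following is an added example, not code from the original post; the sample response and its IDs are constructed, and the hint texts paraphrase the error messages quoted on this page.

```python
import json
import re

# Constructed sample in the shape of the errors quoted above; IDs are placeholders.
SAMPLE = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS65001: The user or administrator has not "
        "consented to use the application with ID "
        "'00000000-0000-0000-0000-000000000000'. Send an interactive "
        "authorization request for this user and resource."
        "\r\nTrace ID: 11111111-1111-1111-1111-111111111111"
        "\r\nCorrelation ID: 22222222-2222-2222-2222-222222222222"
        "\r\nTimestamp: 2019-01-12 03:53:46Z",
    "error_codes": [65001],
    "suberror": "consent_required",
})

# Hints paraphrase the error texts quoted on this page (post and comments).
HINTS = {
    65001: "consent missing for this app: work through solutions 1-4",
    90008: "app must request at least 'Sign in and read user profile'",
    500011: "resource principal not found: check the tenant and resource",
}
# Trace/correlation IDs are GUIDs; the timestamp has a fixed layout.
FIELD = re.compile(r"(Trace ID|Correlation ID|Timestamp):\s*"
                   r"([0-9a-fA-F-]{36}|\d{4}-\d\d-\d\d \d\d:\d\d:\d\dZ)")

def parse_aad_error(body):
    """Return codes, hints and support IDs from a JSON or plain-text error."""
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if not isinstance(doc, dict):
        doc = {"error_description": body}   # plain-text log form
    desc = str(doc.get("error_description", ""))
    found = [int(c) for c in re.findall(r"AADSTS(\d+)", desc)]
    codes = list(dict.fromkeys(list(doc.get("error_codes") or []) + found))
    result = {k.lower().replace(" ", "_"): v for k, v in FIELD.findall(desc)}
    result.update(
        codes=codes,
        error=doc.get("error"),
        suberror=doc.get("suberror"),
        hints=[HINTS.get(c, "unlisted code: quote the trace ID") for c in codes],
    )
    return result
```

The trace and correlation IDs are what a tenant administrator or support engineer needs to locate the failed sign-in, so keep them with any report you pass on.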

Solution 1: Get help from an admin

First of all, maybe it’s true. Simple, but worth trying first. Maybe an admin really hasn’t consented to the permissions. Just get someone with global administrator permissions to try the app, and see what happens.

If it doesn’t work for him/her either, check out the next solution.

Solution 2: Make sure your Azure AD settings allow adding such apps

There are a couple of properties under Azure AD Application > Manage > User settings that affect how the app is registered. Someone in your organization may have turned app registration off altogether, or limited the options severely. You could check these settings out – they should look something like this:

Older Portal versions (the UI updates are rolled out in batches) will look something like this:

Azure AD Application settings – these selections should enable adding new apps to your organization! However, they might not be what your organization can enable, so please evaluate.

The latest Portal version (as of 7.3.2019) has split the settings to 2 different areas. You’ll have the settings concerning app registrations “local” to just this directory under Directory > Manage > User settings. The settings only affecting Enterprise Applications are accessible by either clicking a link on the aforementioned page, or by navigating to Directory > Enterprise applications > User settings.

See the 2 screenshots below – first, you can edit the “user settings” from the AAD.


And when you select to access the end-user settings from there, you’ll be able to change the settings for Enterprise Applications in particular.


Note: If you absolutely need to have the ability to register apps turned off (for example, to comply with GDPR or similar regulation), I have another article in the works on possible workarounds of Azure AD app registration.

Ping me or send me a nudge via comments or to remind me to finish that article!

Solution 3: Remove the app, and be sure to ask a global admin to log in once

If the settings above were OK, check this tip out. This solution itself only applies to Enterprise Applications, since the method for registering a “normal app” is different from enterprise ones. Enterprise apps are registered to your Azure AD instance automatically based on their application ID. More or less, it should just provision a service principal based on the app ID, which in turn is specified in the manifest that stays wherever the enterprise app was originally registered. From a user’s point of view, this should happen automatically. It doesn’t always.

Typically, someone might try to add an enterprise application without having permissions to do so. Apparently this causes your Azure AD instance to get quite confused, and the app won’t work. Not for admins (who could grant the consent), but also especially not for you.

That means, that this particular instance of the app will not work. Ever.

You can fix this quite easily, though. A global administrator just needs to browse to Azure AD (remember to choose the right one, though), remove the app (see screenshot below), and then log in to the app. With some apps, it’s pivotal that the first person to log in is a global administrator, to make it possible for them to give admin permission in the first place (duh).

Azure AD – how to remove an enterprise application (registration) from your AAD instance

Solution 4: Craft a specific log in & admin consent url for a global admin to test

If you don’t have admin permissions, and maybe none of the global administrators can use any apps or something, maybe you could try this next. You can just send them a URL they can use to grant admin consent to an enterprise application. Easy? Maybe.

[]/oauth2/authorize?client_id=[appId]&response_type=code&redirect_uri=http://&nonce=1234&resource=

This URL should prompt the user, who should have global admin permissions, to grant admin consent for the app.
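An added example, not from the original post, of building such a link and of the check a global admin can run on a link before granting tenant-wide consent. The URL in the post is truncated, so the login.microsoftonline.com host and the prompt=admin_consent parameter of the Azure AD v1 authorize endpoint are assumptions here, and the tenant, app ID, redirect URI and resource values are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

LOGIN_HOST = "login.microsoftonline.com"   # assumption: public-cloud v1 endpoint

# Constructed placeholder values, not taken from the post.
TENANT = "contoso.onmicrosoft.com"
APP_ID = "00000000-0000-0000-0000-0000000000aa"
REDIRECT = "https://app.contoso.example/callback"
RESOURCE = "https://contoso.sharepoint.example"

def build_admin_consent_url(tenant, app_id, redirect_uri, resource):
    """Build a v1 authorize URL that asks a global admin for consent."""
    query = urlencode({
        "client_id": app_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "nonce": secrets.token_urlsafe(16),   # random, not a fixed 1234
        "resource": resource,
        "prompt": "admin_consent",            # assumption: absent from the page's URL
    })
    return f"https://{LOGIN_HOST}/{tenant}/oauth2/authorize?{query}"

def check_consent_url(url, expected_app_id, allowed_redirects):
    """List what an admin should resolve before opening a consent link."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    problems = []
    if parts.scheme != "https" or parts.hostname != LOGIN_HOST:
        problems.append("not an https link to " + LOGIN_HOST)
    if not parts.path.endswith("/oauth2/authorize"):
        problems.append("unexpected path " + parts.path)
    if q.get("client_id", "").lower() != expected_app_id.lower():
        problems.append("client_id is not the expected application ID")
    if q.get("redirect_uri") not in allowed_redirects:
        problems.append("redirect_uri is not one registered for the app")
    if q.get("prompt") != "admin_consent":
        problems.append("link will not trigger the admin consent prompt")
    return problems
```

An empty list from `check_consent_url` means the link points at the Microsoft login host, names the application the admin expects, and returns to a redirect URI registered for that app.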

Did none of these solutions work?

I’ve been resolving a lot of different authentication issues with Azure AD lately. Maybe something new has come up after writing this article – let me know in the comments!



I am building a console application which needs to call a Web API via AAP Auth. Can I acquire a token without UserCredential and only by getting permission for the application to access the API?


Hi Antti,

I am facing the exact issue when I tried to use the refresh token to re-generate the access token through Azure API.

Below are more details:

Once I received the code from the azure, I am making a service call to get the oAuth token with a parameter and value like resource:
I could receive an access token and refresh token successfully and when I tried to regenerate the access token using refresh token I am getting the below error.
“error”: “invalid_grant”,
“error_description”: “AADSTS65001: The user or administrator has not consented to use the application with ID ‘my-app-id’ named ‘my-app-name’. Send an interactive authorization request for this user and resource.\r\nTrace ID: bb829d3f-13c4-4bba-bf26-293e9d7d9800\r\nCorrelation ID: 0f6ab614-ab4f-4b7d-b024-3e3911ac388e\r\nTimestamp: 2019-01-12 03:53:46Z”,
“error_codes”: [
“timestamp”: “2019-01-12 03:53:46Z”,
“trace_id”: “bb829d3f-13c4-4bba-bf26-293e9d7d9800”,
“correlation_id”: “0f6ab614-ab4f-4b7d-b024-3e3911ac388e”,
“suberror”: “consent_required”

Royce Toyne

I read your post; very helpful to me because I am an engineer.

Akash Kotecha

Hi Antti,

I am facing the same issue. I am trying to embed PowerBI report in ASP.NET MVC application. I have created an application in Azure and also tried granting the admin consent using the URL and through Azure portal as well but it did not work.

Could you please help me resolve the issue or let me know a suitable time to connect?

Farid Shahidi

I am facing an error like this:

AADSTS90008: The user or administrator has not consented to use the application with ID ‘8a170817-3bab-4c5a-be2b-f26d4bf444fd’. This happened because application is misconfigured: it must require access to Windows Azure Active Directory by specifying at least ‘Sign in and read user profile’ permission.

I appreciate if you can help me figure it out.

pallavi kulkarni

Hello Antti,
I am trying to execute for acquiring AD access_token in python using ADAL library and facing the following issue:

adal.adal_error.AdalError: Get Token request returned http error: 400 and server
response: {“error”:”invalid_grant”,”error_description”:”AADSTS65001: The user o
r administrator has not consented to use the application with ID ‘d6b3545a-16e2-
4652-8793-b0762d5d92cd’ named ‘AMDAS_Onboard_Tool’. Send an interactive authoriz
ation request for this user and resource.\r\nTrace ID: 3f304f8f-14fa-4d28-be4a-b
03e6848d700\r\nCorrelation ID: a101e9ba-92a7-4824-8d39-dc9a31369119\r\nTimestamp
: 2019-05-09 11:35:05Z”,”error_codes”:[65001],”timestamp”:”2019-05-09 11:35:05Z”

Please help.


Hi, we are trying to refresh a power bi dataset. We can’t get the token by python or powershell, we are receiving the following message:
AdalError: Get Token request returned http error: 400 and server response: {“error”:”invalid_resource”,”error_description”:”AADSTS500011: The resource principal named was not found in the tenant named [companyauthorityname] This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: 239d7e33-cb3b-45c4-9539-5e9eb80b2900\r\nCorrelation ID: f1948b22-4059-4885-9471-1bc1ab9b9fe2\r\nTimestamp: 2019-09-02 16:10:35Z”,”error_codes”:[500011],”timestamp”:”2019-09-02 16:10:35Z”,”trace_id”:”239d7e33-cb3b-45c4-9539-5e9eb80b2900″,”correlation_id”:”f1948b22-4059-4885-9471-1bc1ab9b9fe2″,”error_uri”:”″}

We have configured the API permission, and we have granted permission with our own user using the URL to grant. We are not administrators in the tenant.
Is there a way to solve this without administrator permission?


Hi Antti,

I cannot grant admin consent, Clicks on admin consent under enterprise application -> prompts for credential details-> runs into Exception: Correlation failed

Md Abid Husain

Hi Antti,

I am using a free trial azure subscription for personal use and trying to get access token after authentication with azure active directory.
I am able to get the authorization code and I am using that code in Postman with other fields.
I am getting this error : “AADSTS65001: The user or administrator has not consented to use the application with ID ….
I have done my app registrations correctly and also granted admin consent in azure.
Please help me here.. I am stuck with this for the last 2-3 days.
If you want I can provide the azure subscription details.


What would be done in the case of a multi-tenant application? You have two AADs. Do you run suggestion #4 for both tenant/app-id? I’ve had an admin do this, plus clicking consent all over, but I’m still unable to authenticate. It’s pretty frustrating!

Danijel Vilenica

Hi Antti,

I am getting the same error : “AADSTS65001: The user or administrator has not consented to use the application with ID ….

We have 2 app registrations on Azure, let’s say app A and app B. I am trying to get some data from A to B.

In azure portal I already configured permission so the B app can have access to app A, and it’s status is granted.

I’m using msal-angular library to authenticate the user and achieve that. Here is my configuration:

export const protectedResourceMap:[string, string[]][]=[ ['', ['']], ['endpoint of app A',['scope from the app A']] ];

clientID: 'ClientId Of App B',
authority: "",
validateAuthority: true,
redirectUri: "http://localhost:4200/",
cacheLocation : "localStorage",
storeAuthStateInCookie: isIE, // set to true for IE 11
postLogoutRedirectUri: "http://localhost:4200/",
navigateToLoginRequestUrl: true,
popUp: !isIE,
consentScopes: [ "", "openid", "profile", "scope from the app A"],
unprotectedResources: [""],
protectedResourceMap: protectedResourceMap,
logger: loggerCallback,
correlationId: '1234',
piiLoggingEnabled: true

So the first thing is to log in to app B; authentication is successful and the token is received and stored in the local storage. The second thing is making an HTTP request to app A to get some data. When the HTTP request is made, the error pops up.

Help please!