#SharePointProblems | Koskila.net

Solutions are worthless unless shared! Antti K. Koskela's Personal Professional Blog

4 ways to fix error AADSTS65001 (The user or administrator has not consented to use the application)

koskila

Have you run into an AADSTS65001 error with an application that tries to authenticate against Azure AD? I sure have - it seems to happen at least every other time I'm building something that uses AAD to authenticate against SharePoint.

Fixing issues with Azure AD authentication for Enterprise applications can be tricky. But a lot of the time, this is just another Azure Active Directory error that we can fix easily. This article contains multiple solutions for this issue, where granting admin consent has somehow failed.

Not all of the different solutions will work for all situations, though! That's why I included a couple of different options to try. Chances are, one of them works for you!

Note: If you came here looking for a solution to an error with code AADSTS50196, check out this post instead: How to fix error AADSTS50196 on Microsoft web properties?

Background

So, what's the reason for running into issues with Admin Consent (like when you get the dreaded AADSTS65001 error)?

Imagine this:
You're trying to add or use an app, but it requires permissions from your tenant that only an administrator can grant. Typically, to add this kind of an app, you'll have to be a global administrator.

This is when admin consent is required for the usage of the app - and if that hasn't been granted, you'll get errors about administrators not having consented to the use of the app you're accessing. This way, you also can't add the app yourself.

Additionally, just to make the investigation a bit more complicated: if it's an enterprise application, it could also be in an invalid state after someone tried adding the app without sufficient permissions. This could stop you from adding the app, even if you do have sufficient permissions!

Fun, right? But no worries, as there's always a workaround or two available!

I've been investigating a lot of these issues in relation to organizations using a mobile app, which the customer has been deploying as an enterprise application. Most of the things should apply for web-based apps or console programs or whatever else you're deploying, too - especially if they're enterprise applications in Azure AD!

The whole error might look something like this:

Failed to authenticate #1: 
Error: Request authority:https://login.windows.net/common resource:https://tenant.sharepoint.com clientid:[appId]  ErrorCode:invalid_grant ErrorDescription:AADSTS65001: The user or administrator has not consented to use the application with [appid]. 
Send an interactive authorization request for this user and resource.

Trace ID: 5b92cb30-6321-4e2a-99e3-b4b2b6a46c94
Correlation ID: fc8a84ec-1578-4290-b49b-42322b791a3a
Timestamp: 2020-11-17 11:49:30Z

Or you get something like this:

{  
 "error":"invalid_grant",  
 "error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID [appId]"
}

How to fix these issues?

Solutions

Okay, there are a bunch of solutions, which I'm going to outline here. I'll be starting from the easy ones and progressing into the more difficult and exotic ones.

Please note: if you have an issue where only admin users are able to log in (without any dialogs or warnings about granting permissions), and everyone else gets an error, please jump directly to solution 2.

Time needed: 20 minutes.

How to fix error AADSTS65001?

  1. Get help from an admin

    First of all, maybe the error message is literally true. Simple, but worth trying first. Maybe an admin really hasn't consented to the permissions. Just get someone with global administrator permissions to try the app, and see what happens.

    If it doesn't work for him/her either, check out the next solution.

  2. Make sure that your Azure AD settings allow adding such apps

    There are a couple of properties under Azure AD Application > Manage > User settings that affect how the app is registered. Someone in your organization may have turned app registration off altogether, or limited the options severely.

    The latest Portal version has split the settings into 2 different areas. You'll have the settings concerning app registrations "local" to just this directory under Directory > Manage > User settings. The settings only affecting Enterprise Applications are accessible by either clicking a link on the aforementioned page or by navigating to Directory > Enterprise applications > User settings.

    See the 2 screenshots below - first, you can edit the "user settings" from the AAD:

    "User Settings" view for your Azure Active Directory instance in general. Accessible via Directory > Manage > User settings.

    And when you select to access the end-user settings from there, you'll be able to change the settings for Enterprise Applications in particular:

    The "User Settings" view for your Azure Active Directory instance's Enterprise Applications. It's accessible through Directory > Enterprise applications > User settings.

    Note: If you absolutely need to have the ability to register apps turned off (for example, to comply with GDPR or similar regulations), I have another article in the works on possible workarounds of Azure AD app registration.

    Ping me or send me a nudge via the comments section or through https://www.koskila.net/contact/ to remind me to finish that article!

  3. Remove the app, and be sure to ask a global admin to log in once

    If the settings above were okay, check this tip out.

    This solution itself only applies to Enterprise Applications, since the method for registering a "normal app" is different from enterprise ones. Enterprise apps are registered to your Azure AD instance automatically based on their application ID. It should, more or less, just provision a service principal based on the app id, which in turn is specified in the manifest that stays wherever the enterprise app was originally registered. From a user's point of view, this should happen automatically. It doesn't always, though.

    Typically, someone might try to add an enterprise application without having permission to do so. Apparently, this causes your Azure AD instance to get quite confused, and the app won't work. Not for admins (who could grant the consent), and especially not for you.

    That means, that this particular instance of the app will not work. Ever.
    You can fix this quite easily, though. The global administrator just needs to browse to Azure AD (remember to choose the right one, though), remove the app (see screenshot below), and then log in to the app. With some apps it's pivotal, that the first person to log in is a global administrator, to make it possible for them to give admin permission in the first place (duh).

    Azure AD - how to remove an enterprise application (registration) from your AAD instance

  4. Craft a specific login & admin consent URL for a global admin to test

    If you don't have admin permissions, and maybe none of the global administrators can use any apps or something, maybe you could try this next. You can just send them a URL they can use to grant admin consent to an enterprise application.

    Easy? Maybe. Are they going to click a suspicious link like this without questioning it even for a second? In my experience, yes. But also, be prepared to explain what you're trying to do :)
    https://login.microsoftonline.com/[tenant_name_in_onmicrosoft.com-form]/oauth2/authorize?client_id=[appId]&response_type=code&redirect_uri=http://&nonce=1234&resource=https://graph.windows.net&prompt=admin_consent

    This URL should prompt the user (who should have global admin permissions), to grant admin consent for the app.

  5. Are you using Connect-PnPOnline when getting this error?

    This is a pretty new one! Instead of doing whatever you're doing to connect, try this:

    Connect-PnPOnline -PnPManagementShell -Url

    Worked for me!
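As an added example (not code from the original post), the Python helper below parses the two error shapes quoted earlier in this article, tells you whether a failure is the consent problem this post is about, and builds the solution 4 admin consent URL with every parameter properly encoded. The tenant name and the GUIDs in the JSON sample are constructed placeholders; the redirect_uri default mirrors the URL above and must match a redirect URI registered on the app.

```python
"""Triage helper for the AADSTS errors quoted in this article (added example, not
the post's own code). Parses both error shapes (free-text trace and JSON body),
extracts the AADSTS code, Trace/Correlation IDs and timestamp, and builds the
prompt=admin_consent URL from solution 4. KNOWN_CODES maps the codes discussed
on this page to the remedy the text gives for each."""
import json
import re
from urllib.parse import urlencode

KNOWN_CODES = {
    65001: "admin consent missing: have a global administrator consent (solutions 1-4)",
    90008: "app misconfigured: it must request at least 'Sign in and read user profile'",
    500011: "resource principal not found: check tenant id and resource URI (wrong tenant?)",
}
AADSTS_RE = re.compile(r"AADSTS(\d+)")
TRACE_RE = re.compile(r"Trace ID:\s*([0-9a-fA-F-]{36})")
CORR_RE = re.compile(r"Correlation ID:\s*([0-9a-fA-F-]{36})")
TS_RE = re.compile(r"Timestamp:\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}Z)")
ERRCODE_RE = re.compile(r"ErrorCode:(\w+)")   # shape used by the free-text log line


def _first(pattern, text):
    m = pattern.search(text)
    return m.group(1) if m else None


def parse_aadsts_error(raw: str) -> dict:
    """Normalise a token-endpoint failure into one dict, whichever shape it came in."""
    body = json.loads(raw) if raw.lstrip().startswith("{") else {}   # JSON body or plain log text
    description = body.get("error_description", raw)
    m = AADSTS_RE.search(description)
    code = int(m.group(1)) if m else None
    return {
        "error": body.get("error") or _first(ERRCODE_RE, raw),
        "suberror": body.get("suberror"),
        "code": code,
        "trace_id": body.get("trace_id") or _first(TRACE_RE, description),
        "correlation_id": body.get("correlation_id") or _first(CORR_RE, description),
        "timestamp": body.get("timestamp") or _first(TS_RE, description),
        "hint": KNOWN_CODES.get(code, "code not covered here; look it up in the AADSTS reference"),
    }


def needs_admin_consent(parsed: dict) -> bool:
    """True when the failure is the consent problem this article is about."""
    return parsed["code"] == 65001 or parsed["suberror"] == "consent_required"


def admin_consent_url(tenant: str, app_id: str, resource: str = "https://graph.windows.net",
                      redirect_uri: str = "http://") -> str:
    """Solution 4's authorize URL with every parameter URL-encoded; tenant is the
    onmicrosoft.com name, redirect_uri must match one registered on the app."""
    params = {"client_id": app_id, "response_type": "code", "redirect_uri": redirect_uri,
              "nonce": "1234", "resource": resource, "prompt": "admin_consent"}
    return f"https://login.microsoftonline.com/{tenant}/oauth2/authorize?{urlencode(params)}"


# Free-text shape, taken from the log excerpt quoted in the article.
SAMPLE_TEXT = (
    "Error: Request authority:https://login.windows.net/common resource:https://tenant.sharepoint.com "
    "clientid:[appId]  ErrorCode:invalid_grant ErrorDescription:AADSTS65001: The user or administrator "
    "has not consented to use the application with [appid].\nTrace ID: 5b92cb30-6321-4e2a-99e3-b4b2b6a46c94\n"
    "Correlation ID: fc8a84ec-1578-4290-b49b-42322b791a3a\nTimestamp: 2020-11-17 11:49:30Z"
)
# JSON shape returned by the token endpoint; the GUIDs here are constructed placeholders.
SAMPLE_JSON = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS65001: The user or administrator has not consented to use the "
                         "application with ID '00000000-0000-0000-0000-000000000000'.",
    "error_codes": [65001], "timestamp": "2020-11-17 11:49:30Z",
    "trace_id": "11111111-1111-1111-1111-111111111111",
    "correlation_id": "22222222-2222-2222-2222-222222222222", "suberror": "consent_required",
})

if __name__ == "__main__":
    for sample in (SAMPLE_TEXT, SAMPLE_JSON):
        p = parse_aadsts_error(sample)
        print(f"AADSTS{p['code']} trace={p['trace_id']} -> {p['hint']}")
        if needs_admin_consent(p):   # hand this URL to a global admin, as in solution 4
            print(admin_consent_url("contoso.onmicrosoft.com", "00000000-0000-0000-0000-000000000000"))
```

The Trace ID and Correlation ID the helper extracts are what Microsoft support asks for when you open a ticket, so keeping them alongside the code is worth it even when the hint already points at a fix.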


If that didn't help, you could also try enabling Legacy Auth Protocols (ask your admin for permission first!) - this article will tell you how:

https://www.koskila.net/how-to-fix-the-web-site-does-not-support-sharepoint-online-credentials-the-response-status-code-is-unauthorized-error/#Solution

Got this tip from these 2 GitHub issues - will update when there's more information!:

Did none of these solutions work?

I've been resolving a lot of different authentication issues with Azure AD lately. Maybe something new has come up after writing this article - let me know in the comments!

Comments

Royce Toyne
2019-01-11 00:20:09
I read your post; it was very helpful to me because I am an Engineer.
2019-01-14 08:26:27
Happy to hear that, Royce!
2019-01-11 23:09:39
Hi Antti, I am facing the exact issue when I tried to use the refresh token to re-generate the access token through Azure API. Below are more details. Once I received the code from Azure, I am making a service call to get the oAuth token with a parameter and value like resource: https://management.azure.com. I could receive an access token and refresh token successfully, and when I tried to regenerate the access token using the refresh token I am getting the below error. { "error": "invalid_grant", "error_description": "AADSTS65001: The user or administrator has not consented to use the application with ID 'my-app-id' named 'my-app-name'. Send an interactive authorization request for this user and resource.\r\nTrace ID: bb829d3f-13c4-4bba-bf26-293e9d7d9800\r\nCorrelation ID: 0f6ab614-ab4f-4b7d-b024-3e3911ac388e\r\nTimestamp: 2019-01-12 03:53:46Z", "error_codes": [ 65001 ], "timestamp": "2019-01-12 03:53:46Z", "trace_id": "bb829d3f-13c4-4bba-bf26-293e9d7d9800", "correlation_id": "0f6ab614-ab4f-4b7d-b024-3e3911ac388e", "suberror": "consent_required" }
2019-02-07 23:01:20
Hi Guru! Sorry for the delay - I only found your comment from the spam folder now. My spam blocking might be a bit too aggressive... :) About your issue - really interesting, that you're only experiencing that while acquiring the refresh token! If you have already granted the permissions to the app, it should be good. This brings to my mind an issue we had with an app before - we were requesting application permissions (as one of the scopes in AAD) instead of delegated ones, and this caused us to not get a refresh token at all. Ever. If possible, you could try switching the scopes you're requesting from application permissions to delegated ones? Let me know if you're able to resolve the case! :)
CAS
2019-01-17 16:57:31
Hi, I am building a console application which needs to call a Web API via AAP Auth. Can I acquire token without UserCredential and only by getting permission for the application to access the API ?
2019-01-19 09:37:23
Hi CAS, I'm going to give you the classic consultant response: it depends ;) Namely, it depends on the APIs and the libraries you're using. For a console application, that I'm guessing you'll be running without web login (as a background task or service?), you're definitely better off using just a client id and client secret. You can't access all APIs with these, though (for example reading O365 user mailboxes without admin grant will need to be done with user login) - so check out the docs of the libraries and the APIs to determine how you need to implement the authentication. Hope this helps!
Akash Kotecha
2019-02-19 09:49:21
Hi Antti, I am facing the same issue. I am trying to embed PowerBI report in ASP.NET MVC application. I have created an application in Azure and also tried granting the admin consent using the URL and through Azure portal as well but it did not work. Could you please help me resolve the issue or let me know a suitable time to connect?
2019-02-19 11:20:25
Hi Akash! I don't have much experience from PowerBI unfortunately, but the first thing that comes to mind is if there's a mismatch between the requested scopes and the data that you're trying to access - can you post a list of all the permissions, delegated or otherwise, that you're requesting for your app?
Farid Shahidi
2019-03-06 17:50:09
Hi, I am facing an error like this: AADSTS90008: The user or administrator has not consented to use the application with ID '8a170817-3bab-4c5a-be2b-f26d4bf444fd'. This happened because application is misconfigured: it must require access to Windows Azure Active Directory by specifying at least 'Sign in and read user profile' permission. I appreciate it if you can help me figure it out.
2019-03-08 22:58:00
Hi Farid, Sounds like you're missing some of the permissions requests for your app, or you could be dealing with an issue in your configuration... I'll be posting an article about your particular error (AADSTS90008) in the coming days. Hopefully it'll be done on Monday, so check back then or subscribe for the updates by joining the mailing list! In any case, the article will be available at this address: How to fix AADSTS90008?
2019-05-09 09:07:26
Hello Antti, I am trying to execute sample.py for acquiring AD access_token in python using ADAL library and facing the following issue: adal.adal_error.AdalError: Get Token request returned http error: 400 and server response: {"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID 'd6b3545a-16e2-4652-8793-b0762d5d92cd' named 'AMDAS_Onboard_Tool'. Send an interactive authorization request for this user and resource.\r\nTrace ID: 3f304f8f-14fa-4d28-be4a-b03e6848d700\r\nCorrelation ID: a101e9ba-92a7-4824-8d39-dc9a31369119\r\nTimestamp: 2019-05-09 11:35:05Z","error_codes":[65001],"timestamp":"2019-05-09 11:35:05Z","trace_id":"3f304f8f-14fa-4d28-be4a-b03e6848d700","correlation_id":"a101e9ba-92a7-4824-8d39-dc9a31369119","suberror":"consent_required"} Please help.
2019-05-12 03:27:37
Hi Pallavi! Which steps have you taken to resolve the issue so far? Are you a global administrator of the tenant you're authenticating against?
Ignacio
2019-09-02 12:11:20
Hi, we are trying to refresh a Power BI dataset. We can't get the token by Python or PowerShell; we are receiving the following message: AdalError: Get Token request returned http error: 400 and server response: {"error":"invalid_resource","error_description":"AADSTS500011: The resource principal named https://login.windows.net/common/oauth2/token/ was not found in the tenant named [companyauthorityname].onmicrosoft.com. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: 239d7e33-cb3b-45c4-9539-5e9eb80b2900\r\nCorrelation ID: f1948b22-4059-4885-9471-1bc1ab9b9fe2\r\nTimestamp: 2019-09-02 16:10:35Z","error_codes":[500011],"timestamp":"2019-09-02 16:10:35Z","trace_id":"239d7e33-cb3b-45c4-9539-5e9eb80b2900","correlation_id":"f1948b22-4059-4885-9471-1bc1ab9b9fe2","error_uri":"https://login.microsoftonline.com/error?code=500011"} We have configured the API permissions, and we have granted permission with our own user with the URL to grant. We are not administrators in the tenant. Is there a way to solve this without administrator permission?
2019-09-05 14:26:13
Hi Ignacio, That's an interesting error - it says it's looking for an app with id/name/URI "https://login.windows.net/common/oauth2/token/". Perhaps your configuration (or in commandlet's case, the parameters for the call) is a bit misconstructed?
Priya
2019-09-09 20:36:50
Hi Antti, I cannot grant admin consent, Clicks on admin consent under enterprise application -> prompts for credential details-> runs into Exception: Correlation failed
2019-09-12 03:55:07
Hi Priya, Are you global admin (or at least cloud app admin)? If you are, in a case like this I'd open a ticket with Microsoft support!
Md Abid Husain
2019-09-18 06:04:09
Hi Antti, I am using a free trial azure subscription for personal use and trying to get access token after authentication with azure active directory. I am able to get the authorization code and I am using that code in Postman with other fields. I am getting this error : "AADSTS65001: The user or administrator has not consented to use the application with ID .... I have done my app registrations correctly and also granted admin consent in azure. Please help me here.. I am stuck with this for the last 2-3 days. If you want I can provide the azure subscription details.
2019-10-09 17:08:34
Hi, What are you trying to do? The APIs you're calling affect the permissions you need to request, and if you're able to authenticate but not call the APIs properly, it sounds like a simple missing permission to me. Cheers!
Anon
2019-09-18 09:14:06
What would be done in the case of a multi-tenant application? You have two AADs. Do you run suggestion #4 for both tenant/app-id? I've had an admin do this, plus clicking consent all over, but I'm still unable to authenticate. It's pretty frustrating!
2019-09-26 09:36:12
Hi, Which users are unable to authenticate? Users from both directories?
Danijel Vilenica
2020-01-10 12:55:10
Hi Antti, I am getting the same error: "AADSTS65001: The user or administrator has not consented to use the application with ID …". We have 2 app registrations on Azure, let's say app A and app B. I'm trying to get some data from A to B. In the Azure portal I already configured permissions so the B app can have access to app A, and its status is granted. I'm using the msal-angular library to authenticate the user and achieve that. Here is my configuration: export const protectedResourceMap:[string, string[]][]=[ ['https://graph.microsoft.com/v1.0/me', ['user.read']], ['endpoint of app A',['scope from the app A']] ]; MsalModule.forRoot({ clientID: 'ClientId Of App B', authority: "https://login.microsoftonline.com/common/", validateAuthority: true, redirectUri: "http://localhost:4200/", cacheLocation : "localStorage", storeAuthStateInCookie: isIE, // set to true for IE 11 postLogoutRedirectUri: "http://localhost:4200/", navigateToLoginRequestUrl: true, popUp: !isIE, consentScopes: [ "user.read", "openid", "profile", "scope from the app A"], unprotectedResources: ["https://www.microsoft.com/en-us/"], protectedResourceMap: protectedResourceMap, logger: loggerCallback, correlationId: '1234', piiLoggingEnabled: true } ) So the first thing is to log in to app B; authentication is successful and the token is received and stored in local storage. The second thing is making an HTTP request to app A to get some data. When the HTTP call is made, the error pops up. Help please!
PRABHAKARAN G
2020-07-24 14:53:32
Hi, I am Prabhakaran. I am using Azure authentication credentials for a .NET MVC project. When an Azure user logs in, it shows the error below:

Server Error

AADSTS65001: The user or administrator has not consented to use the application with ID '680cd7a8-ddf3-49dc-9472-8ebcce2767fc' named 'Thome Owners Portal'. Send an interactive authorization request for this user and resource. Trace ID: a58c22d8-b594-4084-b802-15e5bc721800 Correlation ID: 41278121-1542-4c53-80e7-3c3b40a19b68 Timestamp: 2020-07-24 11:41:49Z

Antti K. Koskela
2020-07-29 23:23:19
Hi Prabhakaran, What have you tried so far?
Soroush
2020-08-17 21:00:46
I need to have the feature to register apps turned off. What are the workarounds please?
p whelan
2020-09-10 13:40:10
Same error for me working with PowerShell. Yesterday I downgraded my SharePointPnPPowerShellOnline module (to try to get it to add data to the Term Store) but then it failed to connect using Connect-PnPOnline. I tried to uninstall and reinstall SharePointPnPPowerShellOnline but still getting ... Connect-PnPOnline : AADSTS65001: The user or administrator has not consented to use the application with ID '' named 'PnP  Management Shell'. Send an interactive authorization request for this user and resource. It worked yesterday! :(
2020-09-10 22:23:40
Huh - interesting. I'm using version 3.22.2006.2 (a rather old one), and it's working for me now. I did find a couple of GitHub issues describing the issue, and this might be a workaround for getting successfully connected at the very least: Connect-PnPOnline -PnPManagementShell -Url Should manage the consent flow as long as you have enough permissions! https://github.com/pnp/PnP-Sites-Core/issues/2732 https://github.com/pnp/sp-starter-kit/issues/436
Henry
2020-09-20 12:54:41
Hi Antti, I am having the same problem when trying to create a team (class team) via the Graph API. When I create a calendar, read emails, or create a normal team via the Graph API, which requires the Delegated permission type, it works, but creating a "class" team, which requires the Application permission type, gives the above error. I have registered the app in Azure and granted the required Delegated and Application permissions as required by the MS documentation.
Henry
2020-09-20 12:57:11
Sorry, I am using ASP.NET Core to interact with the Graph API.
Antti K. Koskela
2020-09-21 15:10:40
Hi Henry, Has a global administrator consented to the app? Application permissions on Graph API seem to require global administrator instead of cloud app administrator. Is AADSTS65001 the error code you're getting?
2021-04-21 20:12:27
One key addition to the information would be a scenario I just ran into: Azure Automation has "RunAs" accounts that will generate an app registration that you can use like any other app for Runbooks. If you wish to use this app registration with delegated permissions, you must TEMPORARILY add a redirect URI to that app registration so that the interactive consent can complete. Once you complete the consent, you can remove the URI.
Antti K. Koskela
2021-06-15 12:51:16
Thanks for your comment, Brendan! That's an interesting edge case you've run into... 😅
Somesh
2021-06-08 11:51:03
SharePoint Online Management Shell and PnP.PowerShell cannot go together. If you want to execute PnP.PowerShell, then you must uninstall SharePoint Online Management Shell and restart the PC. My issue was solved just by uninstalling SharePoint Online Management Shell. PnP.PowerShell 1.6.0, SharePointPnPPowerShellOnline 3.29.2101.0
Antti K. Koskela
2021-06-15 12:56:17
Thanks for your comment, Somesh! I haven't run into this before, but then again, I haven't actually used SharePoint Online Management Shell for a while... What was the error you ran into, if I may ask? :)
el_topo
2021-07-07 18:27:08
It is possible to have them both installed and running at the same time. Just install PowerShell Core next to Windows PowerShell. This way you may have SharePointPnPPowerShellOnline installed on first one PowerShell and PnP.PowerShell on other one. I've been using them both on my machine for some time now without any issues.
Mujahid
2022-08-05 20:19:13
AADSTS500011: the resource principal named … was not found in the tenant named …. This can happen if the application has not been installed by the administrator of the tenant or consented to. I am getting the same error while using the Flutter API, although it works fine in Postman. Is there anything else we require for a mobile app?
Antti K. Koskela
2023-03-09 10:46:46
AADSTS500011 on the authentication request is usually caused by you actually calling the wrong tenant, as funny as it sounds 😅 So depending on your app registration and auth configuration, double-check the tenant id and that your application is really parsing the settings properly - if the request for example goes to the common endpoint for an enterprise application or a tenant-scoped app request, the app identity can't be resolved. I know it's been a while, so I hope you figured it out!
Ronak somahina
2022-12-21 11:47:04
I want to know more about it
Ronak somahina
2022-12-21 12:07:01
I mean, how do we get a token from Azure AD with C# code based on a user id and password, with no browser involved? I just pass my user id and password to an API call generateazureadtoken, and it returns me a token from Azure AD.
Antti K. Koskela
2023-03-09 10:15:19
Hi Ronak and thanks for your comment! For non-interactive sign-in, the preferred way would be one of the following:
  1. Using Managed Identity
  2. Using a Client Id + a certificate
  3. Using a Client Id + Client Secret
Logging in unattended using a user account (user id and password) is prone to issues and not very secure. There's more on unattended logging in for example here. The last time I developed a daemon and I just wanted to get it up and running quickly, I used ClientCredentials - here is more on that. And here's a sample I have published on how to use DefaultAzureCredential - if that matches your use case - to use whatever authentication method your app is configured to use (in my case I enabled Azure CLI to use locally and Managed Identity that'll work in the cloud): https://www.koskila.net/how-to-update-from-deprecated-microsoft-azure-services-appauthentication-to-new-and-shiny-azure-security-keyvaults-secrets/ Hope that helps!