3
votes

I am writing a test application which uses AAD to acquire a token, and this call succeeds for one user with TenantId "abc" but fails for another user with TenantId "xyz" with the message:

The user or administrator has not consented to use the application with ID f5986c14-cdb9-4e68-a89e-119d15b33afc. Send an interactive authorization request for this user and resource.

Please note:

  1. I have created one native application in my AAD

  2. I have added those users from another tenant into the Users list of the directory with the User role, and we also granted the permissions for the native app to all the users in the directory in the Windows Azure management portal (Screenshot Here)

2
Welcome to Stack Overflow, please take the tour, make sure you read How do I ask a good question? and update your question with more information. - lordrhodos

2 Answers

4
votes

The IT administrator of the company with xyz domain ([email protected]) has to give consent on behalf of the whole company so that the users of that company will be able to use your application. Here is a very good example of the flow:

https://blog.mastykarz.nl/implementing-admin-consent-multitenant-office-365-applications-implicit-oauth-flow/

2
votes

Whether it is a native application or a web application, if you want to enable users on another tenant to use the application, the application is required to be given consent first. And the figure you linked in the post only grants the permission for the tenant in which the app is registered.

AidaNow already described using adal.js to grant the admin consent. We can also make an HTTP request to grant the admin consent easily by using the prompt parameter. Here is the request for your reference (refer to this link):

https://login.microsoftonline.com/common/oauth2/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&resource=https%3A%2F%2Fservice.contoso.com%2F
&state=12345
&prompt=admin_consent

For more detail about consent, you can refer to the document below:

How to sign in any Azure Active Directory (AD) user using the multi-tenant application pattern