AADSTS65001: The user or administrator has not consented to use the application with ID '<application ID>

6
votes

We following the v2 of the OAuth2 of Microsoft Code grant flow as documented in the following,

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

After we created an application in App Register under Microsoft Azure, and try to get the code from the following url

https://login.microsoftonline.com/concept4.net/oauth2/v2.0/authorize?client_id=&response_type=code&redirect_uri=https://postman-echo.com/get&response_mode=query&scope=profile%20openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.read&state=skip_get_token2&prompt=consent

Then we got the following error

{"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID '' named 'c4app2019'. Send an interactive authorization request for this user and resource.\r\nTrace ID: 46424a2f-a3a2-45da-8902-888f5ca61c00\r\nCorrelation ID: 49d0a6ad-e158-4bc9-97b8-a6391c6470bb\r\nTimestamp: 2019-12-11 07:51:31Z","error_codes":[65001],"timestamp":"2019-12-11 07:51:31Z","trace_id":"46424a2f-a3a2-45da-8902-888f5ca61c00","correlation_id":"49d0a6ad-e158-4bc9-97b8-a6391c6470bb","suberror":"consent_required"}

Any idea what permission we need to grant to our application?

enter image description here

4
azureoauth-2.0active-directory
Is the enterprise application in this tenant concept4.net? Could you try it with the tenant id? - Joy Wang-MSFT
Yes, the application is under concept4net, Use tenant instead of concept4.net, the same error return. - raymond.mh.ng
Try to remove the &prompt=consent parameter in the url. - Joy Wang-MSFT
BTW, if I use incorrect domain (other than concept4.net) to get the code, it will said my "More information required" for my account, If I do it to get token, it will say my application cannot find in the directory "xxx" - raymond.mh.ng
docs.microsoft.com/en-us/azure/active-directory/develop/… - Tony Ju

4 Answers

6
votes

I can not reproduce your issue on my side. Here are my steps for your reference.

1.Create an application with User.Read and profile permissions.

enter image description here

2.Since the permissions I added don't need admin consent, so I can consent by the first time I login.

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=59437d85-46f8-409c-8211-b3db91a8b0e5
&response_type=code
&redirect_uri=http://localhost
&response_mode=query
&scope=https://graph.microsoft.com/User.Read
&state=12345

3.Get the token by using the code I got from step2

enter image description here

To locate your issue, please provide the screenshot like step2(App registrations->your application->API permissions). And the value of scope you used to get code/token.

1
votes

In case it's helpful to anyone, I was running into the same problem using the magical AzureServiceTokenProvider class from the Microsoft.Azure.Services.AppAuthentication.1.3.1 package. Very simple code

var tokenProvider = new AzureServiceTokenProvider();
string token = tokenProvider.GetAccessTokenAsync("https://mytenant.onmicrosoft.com/8a0bec0f-x-x-x-x").GetAwaiter().GetResult(); // Application ID URI

My error message was

AADSTS65001: The user or administrator has not consented to use the application with ID 'd7813711-9094-4ad3-a062-cac3ec74ebe8'. Send an interactive authorization request for this user and resource.

I couldn't find this d7813711 guid anywhere in my Azure AD. After looking into how this class works in a decompiler, it turns out when you don't specify an app ID, the class defaults to this guid. Maybe this guid is valid across tenants in Azure? To fix the issue so you can get a token for your app, simply add this as an authorized client application.

enter image description here

0
votes

[Additional test 1] Step 1: I have create another app the use less API permission, which has the same issue

enter image description here

Step 2: Get code by the following url https://login.microsoftonline.com/concept4.net/oauth2/v2.0/authorize?client_id=15bf7752-....-c51cd145174c&response_type=code&redirect_uri=https://postman-echo.com/get&response_mode=query&scope=https://graph.microsoft.com/User.Read&state=skip_get_token2

and got

enter image description here

Step 3:

It seems working

enter image description here

It seems that the scope in Microsoft document for getting code and token is not correct or need some additional permission.

0
votes

We also had this issue. We have updated our graph client to a newer version. We have done the following steps:

  • Revoke all admin consent
  • Remove all permissions
  • Add removed permissions back
  • Grant admin consent

I hope this will help someone with troubleshooting.