0
votes

Trying to create a simple SPA and call a Rest API in Azure, and I am getting InteractionRequiredAuthError: AADSTS65001: The user or administrator has not consented to use the application with ID 'xxx' named 'MySpaApp'. Send an interactive authorization request for this user and resource.

Did the following:

Registered the REST API application:
  • Added permission for MyRestApi.Tasks.Get, its status is Granted for my users
  • Added a scope for Tasks.Get
  • Added a client application using the SPA application's Client Id

Registered the SPA application:
  • URI is http://localhost
  • Implicit grant and hybrid flows: Access tokens checked, ID tokens checked
  • Supported account types: any organizational directory
  • API Permissions, added MyRestApi.Tasks.Get

In Enterprise Applications, MySpaApp, clicked Grant Admin Consent for my users

Went back to MySpaApp, and verified that Tasks.Get has been granted

From MySpaApp, if I call msal.acquireTokenSilent with "Tasks.Get" for scope, I get: The user or administrator has not consented to use the application with ID 'xxx' named 'MySpApp'. Send an interactive authorization request for this user and resource.

If I call msal.acquireTokenSilent with "User.Read" for scope, I get back a token.

Any further ideas on troubleshooting?

Is your scope set to: api://{api app client id}/Tasks.Get? – Carl Zhao

So I found that if I create an arbitrary scope name in the SPA registration (Expose an API), I can acquire the token by specifying that scope in the request. However, if I try to create a scope (in Expose an API) by the same name as the API permissions name, I get a "duplicate value" error. So, within an App, you cannot have a scope with the same name as a permission?? – Paul Kaplan

OK, I think that's it! Thanks! I was using the SPA client ID in the request, changed it to REST API client ID, and it's working now, or at least getting much further. Now I'm dealing with a 401 when I call the REST API method. – Paul Kaplan

Can you ask a new question? It is best to attach your code and link me to your new question. I will solve the 401 problem for you. Don't forget to parse your access token and attach it to the question. – Carl Zhao

Thanks, but I also solved the 401 issue. Turns out in appsettings.json in the custom REST API, in the "AzureAd" element, "ClientId" should be the AppId of the REST API. – Paul Kaplan

1 Answer

0
votes

Try my method:

Register an SPA in Azure and check id token and access token.


Then register a REST Api application and expose the api, and then add the client id of the spa application to the REST Api application.


Next, go to the spa application.

  • Under 'API permissions' click on 'Add permission', then click on the 'My APIs' tab.
  • Find your api application and select scope.
  • Click 'Add permissions'.
  • Grant admin consent.


Then use the implicit flow in the browser to get the token.

https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/authorize?
client_id={client_id}
&response_type=id_token token
&redirect_uri={redirect_uri}
&scope=openid api://{api app client id}/{scope name}
&response_mode=fragment
&state=12345
&nonce=678910

Parse the token:

[screenshot: decoded access token claims]