AADSTS65001: The user or administrator has not consented to use the application with ID '

Question

We following the v2 of the OAuth2 of Microsoft Code grant flow as documented in the following,

https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

After we created an application in App Register under Microsoft Azure, and try to get the code from the following url

https://login.microsoftonline.com/concept4.net/oauth2/v2.0/authorize?client_id=&response_type=code&redirect_uri=https://postman-echo.com/get&response_mode=query&scope=profile%20openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.read&state=skip_get_token2&prompt=consent

Then we got the following error

{"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID '' named 'c4app2019'. Send an interactive authorization request for this user and resource.\r\nTrace ID: 46424a2f-a3a2-45da-8902-888f5ca61c00\r\nCorrelation ID: 49d0a6ad-e158-4bc9-97b8-a6391c6470bb\r\nTimestamp: 2019-12-11 07:51:31Z","error_codes":[65001],"timestamp":"2019-12-11 07:51:31Z","trace_id":"46424a2f-a3a2-45da-8902-888f5ca61c00","correlation_id":"49d0a6ad-e158-4bc9-97b8-a6391c6470bb","suberror":"consent_required"}

Any idea what permission we need to grant to our application?

Answer 1

I can not reproduce your issue on my side. Here are my steps for your reference.

1.Create an application with User.Read and profile permissions.

2.Since the permissions I added don't need admin consent, so I can consent by the first time I login.

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=59437d85-46f8-409c-8211-b3db91a8b0e5
&response_type=code
&redirect_uri=http://localhost
&response_mode=query
&scope=https://graph.microsoft.com/User.Read
&state=12345

3.Get the token by using the code I got from step2

To locate your issue, please provide the screenshot like step2(App registrations->your application->API permissions). And the value of scope you used to get code/token.

Answer 2

In case it's helpful to anyone, I was running into the same problem using the magical AzureServiceTokenProvider class from the Microsoft.Azure.Services.AppAuthentication.1.3.1 package. Very simple code

var tokenProvider = new AzureServiceTokenProvider();
string token = tokenProvider.GetAccessTokenAsync("https://mytenant.onmicrosoft.com/8a0bec0f-x-x-x-x").GetAwaiter().GetResult(); // Application ID URI

My error message was

AADSTS65001: The user or administrator has not consented to use the application with ID 'd7813711-9094-4ad3-a062-cac3ec74ebe8'. Send an interactive authorization request for this user and resource.

I couldn't find this d7813711 guid anywhere in my Azure AD. After looking into how this class works in a decompiler, it turns out when you don't specify an app ID, the class defaults to this guid. Maybe this guid is valid across tenants in Azure? To fix the issue so you can get a token for your app, simply add this as an authorized client application.

Answer 3

[Additional test 1] Step 1: I have create another app the use less API permission, which has the same issue

Step 2: Get code by the following url https://login.microsoftonline.com/concept4.net/oauth2/v2.0/authorize?client_id=15bf7752-....-c51cd145174c&response_type=code&redirect_uri=https://postman-echo.com/get&response_mode=query&scope=https://graph.microsoft.com/User.Read&state=skip_get_token2

and got

Step 3:

It seems working

It seems that the scope in Microsoft document for getting code and token is not correct or need some additional permission.

Answer 4

We also had this issue. We have updated our graph client to a newer version. We have done the following steps:

• Revoke all admin consent
• Remove all permissions
• Add removed permissions back
• Grant admin consent

I hope this will help someone with troubleshooting.