The user or administrator has not consented to use the application
isaacrlevin opened this issue · 22 comments
I have followed the steps in this tutorial and am getting this error message when I call the WebApi Appservice from the Spa Appservice in Azure
Error description:AADSTS65001: The user or administrator has not consented to use the application with ID {my id} . Send an interactive authorization request for this user and resource.
My SPA app has permission to access my Web API and all the correct keys are in there. Is there a missing step in this process?
Hi, I had the same problem.
Also, I already edited the manifest file and changed the 'oauth2AllowImplicitFlow' to true, but it is still not working.
@onmondo what did you do to resolve?
I would double check that everything in this step was saved correctly for the To Do SPA application in your Azure AD tenant
In the "Permissions to Other Applications" section, click "Add Application." Select "Other" in the "Show" dropdown, and click the upper check mark. Locate & click on the To Go API, and click the bottom check mark to add the application. Select "Access To Go API" from the "Delegated Permissions" dropdown, and save the configuration.
@isaac2004 try hitting "Grant Permission" for your app at https://portal.azure.com. Let me know if that fixes it.
Hitting "Grant Permission" in the AD App under "Required Permissions" indeed solved the problem. Incredibly unintuitive that the permissions are not changed on save.
Thanks @danieldobalian
Hi,
I am also getting the same error, even after hitting "Grant Permission" in the Azure portal:
error_description": "AADSTS65001: The user or administrator has not consented to use the application with ID 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' named 'LSNTestAPP'. Send an interactive authorization request for this user and resource.\r\nTrace ID: ceea736e-5935-4501-b605-e90c83064000\r\nCorrelation ID: f9848b48-7684-4093-aee0-00759ae607cb\r\nTimestamp: 2017-12-21 14:01:51Z",
"error_codes": [
65001
],
But when I use an Azure user account for authentication, it works.
Please help me understand why this is happening.
I solved it by following https://docs.microsoft.com/zh-cn/azure/active-directory/active-directory-users-assign-role-azure-portal and setting 'directory role' to 'global administrator'.
Kindly let me know the process to resolve this error; I need it urgently.
- Login as a tenant admin to https://portal.azure.com
- Open the registration for your app in the
- Go to Settings then Required Permissions
- Press the Grant Permissions button
If you are not a tenant admin, you cannot give admin consent
I am creating an application and adding permissions via Azure PowerShell commands. I have global admin credentials. Is there any way to grant the permissions via PowerShell without any user interaction?
> @isaac2004 try hitting "Grant Permission" for your app at https://portal.azure.com. Let me know if that fixes it.
It didn't fix the same issue for me. Any other solution please?
NOTE: I have implemented the below walkthrough using Dynamics CRM Online trial. I didn't need to register a separate trial for using Azure AD. The Azure AD was accessible for me in my O365 tenant readily.
- Find the registered app in Azure AD
- Follow the URL to grant permission
  - https://login.microsoftonline.com/common/adminconsent?client_id=<AD App Registration ID>&state=12345&redirect_uri=<APPLICATION URL>/login-redirect.html
- Log in using the tenant’s administrator credentials
- Once it redirects to the Microsoft permission grant page, click the “Accept” button to grant permission.
I have logged in as tenant admin (global admin) and then granted permissions for the registered app. I see access granted for all permissions. Still, when I call the API, the response that comes back is
"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID 'some guid' named 'some-app-name'. Send an interactive authorization request for this user and resource.
Not sure what would be the issue.
Did you consent to the Web API for all your tenant, @praveenbattula ?
It seems that the current version requires the backend app to expose an API and add a scope.
Refer - https://github.com/MicrosoftDocs/azure-docs/issues/35843
@jmprieur How to do this (consent)? Currently I'm playing around with AAD and MSAL-ANGULAR. It worked for some time, but after adding a new app registration I am not asked for consent any more.
For everyone who also can not find "Grant Permission":
Switch under "App registrations" to the old portal version using the "App registrations (Legacy)" button. Maybe there is another way - but I haven't found it.
It should be in the "API permissions" tab, above the permissions lists
Go to your Azure Active Directory blade > App registrations > click on your application
Click on the link next to "Managed application in : "
In the overview you will find permissions
Check "scope" section in your request body.
Go to Azure and add requested scope to application
I'm seeing this issue over and over again. Once solved, an application works. However, when I create a new AAD application I run into this issue again and again. The weird thing is that the user actually consents to the application, yet I see these errors in my backend with the code grant flow nonetheless. The user is not prompted again, but login fails with invalid grant.
I am suspecting that the error log is actually misleading.
> Hitting "Grant Permission" in the AD App under "Required Permissions" indeed solved the problem. Incredibly unintuitive that the permissions are not changed on save.
> Thanks @danieldobalian
"The option to Grant admin consent here in the Azure AD admin center is pre-consenting the permissions to the users in the tenant to simplify the exercise. This approach allows the console application to use the resource owner password credential grant, so the user isn't prompted to grant consent to the application that simplifies the process of obtaining an OAuth access token. You could elect to implement alternative options such as the device code flow to utilize dynamic consent as another option."
From Microsoft Learn
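
Added example (not from any participant in this thread or from the tutorial): a small Node.js helper that triages the error body quoted above, extracts the IDs worth logging, and builds the /adminconsent URL mentioned in the thread with a random state value instead of a fixed one. The sample response, the redirect host spa.example.invalid, and the function names are constructed for illustration.

```javascript
const { randomBytes } = require("crypto");

// Constructed sample, shaped like the token-endpoint error quoted in the thread.
const SAMPLE_BODY = JSON.stringify({
  error: "invalid_grant",
  error_description:
    "AADSTS65001: The user or administrator has not consented to use the " +
    "application with ID '00000000-0000-0000-0000-000000000000' named 'SampleApp'. " +
    "Send an interactive authorization request for this user and resource.\r\n" +
    "Trace ID: 11111111-1111-1111-1111-111111111111\r\n" +
    "Correlation ID: 22222222-2222-2222-2222-222222222222\r\n" +
    "Timestamp: 2020-01-01 00:00:00Z",
  error_codes: [65001],
});

// Pull out the fields worth logging or handing to a tenant admin.
function parseAadError(body) {
  const j = JSON.parse(body);
  const desc = j.error_description || "";
  const grab = (re) => (desc.match(re) || [])[1] || null;
  const codes = j.error_codes || [];
  return {
    error: j.error || null,
    code: grab(/^(AADSTS\d+):/),
    consentRequired: codes.includes(65001) || /^AADSTS65001:/.test(desc),
    appId: grab(/application with ID '([^']+)'/),
    traceId: grab(/Trace ID: ([0-9a-f-]+)/i),
    correlationId: grab(/Correlation ID: ([0-9a-f-]+)/i),
  };
}

// Build the admin-consent URL from the thread. The state is random per request
// so the redirect page can reject responses it did not initiate.
function adminConsentUrl(clientId, redirectUri, tenant = "common") {
  const state = randomBytes(16).toString("hex");
  const q = new URLSearchParams({ client_id: clientId, state, redirect_uri: redirectUri });
  return { state, url: `https://login.microsoftonline.com/${tenant}/adminconsent?${q}` };
}

const parsed = parseAadError(SAMPLE_BODY);
if (parsed.consentRequired) {
  // Hypothetical redirect URI; it must match one registered on the app.
  const { url } = adminConsentUrl(parsed.appId, "https://spa.example.invalid/login-redirect.html");
  console.log(parsed.code, "correlation:", parsed.correlationId);
  console.log("Ask a tenant admin to open:", url);
}
```

Keep the returned state on the client and compare it with the state parameter on the redirect before treating consent as granted.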
