Issue with .NET application when users try to sign in using MSAL. Authentication only works for user that created the application registration.

Christian Bowman 0 Reputation points
2024-04-12T14:14:13.61+00:00

I am having issues with a .NET application when users try to sign in using MSAL. Authentication does seem to work with my account, which was the one that created the application registration.

The error message a user gets when they try to sign in is AADSTS65001: The user or administrator has not consented to use the application, which leads me to think it is an issue with the application registration configuration.

I feel like I may be missing something in the configuration settings. I have exposed the API and granted all the permissions that I believed were necessary, but users are still getting the error when trying to log in.

API is exposed (screenshot: ExposedAPI)

API permissions granted; admin consent has been granted for all API permissions. (screenshot: PermissionsAPI)

My MSAL Auth configuration code:

Imports System.Net
Imports Microsoft.IdentityModel.Tokens
Imports Microsoft.Owin.Extensions
Imports Microsoft.Owin.Security.Cookies
Imports Microsoft.Owin.Security.OpenIdConnect
Imports Owin

' appID, authority and redirectUri are read from configuration elsewhere in the startup class;
' OnAuthorizationCodeReceivedAsync and OnAuthenticationFailedAsync are defined in the same class.
Public Sub ConfigureAuth(ByVal app As IAppBuilder)

    ' Note: SSL 3.0 and TLS 1.0/1.1 are deprecated; Entra ID endpoints negotiate TLS 1.2,
    ' so SecurityProtocolType.Tls12 on its own is sufficient.
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls Or SecurityProtocolType.Tls11 Or SecurityProtocolType.Tls12 Or SecurityProtocolType.Ssl3

    ' Sign-in results are stored in the cookie middleware.
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType)
    app.UseCookieAuthentication(New CookieAuthenticationOptions() With {
        .ExpireTimeSpan = System.TimeSpan.FromMinutes(1)
    })
    app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll)

    app.UseOpenIdConnectAuthentication(New OpenIdConnectAuthenticationOptions With {
        .ClientId = appID,
        .Authority = authority,
        .PostLogoutRedirectUri = redirectUri,
        .TokenValidationParameters = New TokenValidationParameters() With {
            ' Disabling issuer validation accepts tokens issued by any tenant; in a
            ' multi-tenant app the issuer should be checked in the notification handlers instead.
            .ValidateIssuer = False
        },
        .Notifications = New OpenIdConnectAuthenticationNotifications() With {
            .AuthorizationCodeReceived = AddressOf OnAuthorizationCodeReceivedAsync,
            .AuthenticationFailed = AddressOf OnAuthenticationFailedAsync
        }
    })
    app.UseStageMarker(PipelineStage.Authenticate)

End Sub
    
Microsoft Entra ID
  1. Akhilesh 4,775 Reputation points Microsoft Vendor
    2024-04-15T08:01:02.6066667+00:00

    Hi @Christian Bowman

    Thank you for reaching out to the community forum!

    I understand that you are facing an issue with your application when users try to sign in using MSAL.

    Authentication only works for the user that created the application registration. The error message a user gets when they try to sign in is AADSTS65001.

    The AADSTS65001 error occurs for an application registered with Azure AD (Delegated Permissions), which requires either a user's or an administrator's consent for the permissions it needs.
    As you mentioned you have already granted the admin consent, but users are still having the error when trying to log in.

    It seems the error is related to user consent: when a user tries to sign in to your application, they need to consent to the permissions that your application is requesting.

    To fix the issue, could you please check whether the user has already consented to the application? You can do this by going to the Entra admin center, selecting Enterprise applications, choosing your application from the list, and then selecting "Users and groups". From there you can add and remove users; in this way you can make the user consent to the application.

    Also, if your app needs user consent, you can construct a consent URL as follows: https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id} Replace {client-id} with the client ID of your application registration and {tenant-id} with your tenant ID.

    Reference: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal
    https://nishantrana.me/2020/12/01/fixed-aadsts65001-the-user-or-administrator-has-not-consented-to-use-the-application-with-id/
    https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent?pivots=portal

    https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-consent-single-user?pivots=msgraph-powershell

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Akhilesh.
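As an added example (not part of the answer above, and not Microsoft's own code), the consent round trip the answer describes, in Python: building the adminconsent URL with the redirect_uri and state parameters the endpoint accepts, verifying the state when Entra ID redirects back, and recognising the AADSTS65001 code from the question inside an error_description. The tenant and client GUIDs, the redirect URI and the callback strings are constructed placeholders.

```python
# Added example: builds the admin-consent URL from the answer, then parses and
# verifies the redirect Entra ID sends back. All ids and URLs below are
# constructed placeholders, not values from a real tenant.
import re
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse
from uuid import UUID

LOGIN_BASE = "https://login.microsoftonline.com"
AADSTS_RE = re.compile(r"\bAADSTS\d+\b")


def _is_guid(value: str) -> bool:
    """Tenant and client ids are GUIDs; reject anything else before it reaches the URL."""
    try:
        UUID(value)
    except (ValueError, TypeError, AttributeError):
        return False
    return True


def build_admin_consent_url(tenant_id: str, client_id: str, redirect_uri: str,
                            state: Optional[str] = None) -> str:
    """Return the adminconsent URL from the answer, with state and redirect_uri added.

    redirect_uri must be one of the app registration's registered reply URLs;
    state is an opaque value the caller stores so the callback can be matched.
    """
    if not _is_guid(tenant_id):
        raise ValueError("tenant_id must be the tenant GUID")
    if not _is_guid(client_id):
        raise ValueError("client_id must be the app registration's client GUID")
    if urlparse(redirect_uri).scheme != "https":
        raise ValueError("redirect_uri must use https")
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state or secrets.token_urlsafe(16),
    }
    return f"{LOGIN_BASE}/{tenant_id}/adminconsent?{urlencode(params)}"


def extract_aadsts_code(message: str) -> Optional[str]:
    """Pull the AADSTS error code out of an error_description or exception text."""
    m = AADSTS_RE.search(message or "")
    return m.group(0) if m else None


def needs_consent(message: str) -> bool:
    """True when the error is the consent failure from the question (AADSTS65001)."""
    return extract_aadsts_code(message) == "AADSTS65001"


def parse_admin_consent_response(callback_url: str, expected_state: str) -> dict:
    """Interpret the redirect Entra ID returns after the admin consent page.

    Success carries admin_consent=True plus the consenting tenant; a refusal or
    failure carries error/error_description instead. The state must echo what
    this application sent, otherwise the callback is not one it initiated.
    """
    qs = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if qs.get("state") != expected_state:
        raise ValueError("state mismatch: callback does not belong to this request")
    return {
        "consented": qs.get("admin_consent", "").lower() == "true",
        "tenant": qs.get("tenant"),
        "error": qs.get("error"),
        "aadsts": extract_aadsts_code(qs.get("error_description", "")),
    }


if __name__ == "__main__":
    tenant = "11111111-1111-1111-1111-111111111111"  # constructed placeholder
    client = "22222222-2222-2222-2222-222222222222"  # constructed placeholder
    reply = "https://localhost:44300/signin-oidc"    # constructed placeholder
    url = build_admin_consent_url(tenant, client, reply, state="xyz")
    print(url)
    # Constructed sample of a successful callback from the consent page.
    print(parse_admin_consent_response(f"{reply}?admin_consent=True&tenant={tenant}&state=xyz", "xyz"))
```

The state check is the part worth keeping: the callback is an unauthenticated redirect, so it should only be trusted when it echoes a value this application generated for that request.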