Unable to generate access token. invalid_grant error, AADSTS65001:The user or administrator has not consented to use the application with ID

Myles Gamez 0 Reputation points
2024-04-30T03:17:11.18+00:00

Context: I'm building a web app that intends to provide insights and analysis on user's Sharepoint and OneDrive data. Users should be able to come to my web app, connect their Sharepoint and OneDrive data by going through some oauth flow and agreeing to 'read' scopes we want on their workspace data, and then we should be able to generate an access and refresh token on their behalf for usage in our app according to the scopes they agreed to. For example we want to be able to search over a user's sharepoint data given some input query.

Problem: I continue to face this error trying to generate an access token:

400 Bad Request: "{"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID 'fa30181d-73e3-4ac8-bc74-cdb9323c19f6' named 'appTesting'. Send an interactive authorization request for this user and resource. Trace ID: 24846f12-6d9e-4a04-b3bf-abb970710e00 Correlation ID: c0886b13-403b-4843-8fbe-34525d564452 Timestamp: 2024-04-30 02:15:00Z","error_codes":[65001],"timestamp":"2024-04-30 02:15:00Z","trace_id":"24846f12-6d9e-4a04-b3bf-abb970710e00","correlation_id":"c0886b13-403b-4843-8fbe-34525d564452","suberror":"consent_required"}"
  • I'm following this guide: https://learn.microsoft.com/en-us/graph/auth-v2-user?tabs=http
  • Scopes I'm requesting: offline_access User.Read Files.Read
  • My current setup works for generating the OAuth URL successfully per the guide: I see the scopes my app is requesting (User.Read, Files.Read, offline_access), I accept, and I am successfully redirected to a URL containing the code, state, and session_state. However, I get the invalid_grant error when trying to generate the access token with the code returned from the OAuth URL flow, following the specifications in the guide.
  • I've added the APIs I want and granted admin consent for the permissions I want in Application > API permissions > Grant admin consent. I have also added the User.Read and Files.Read scopes in the 'Expose an API' tab.
  • I can confirm that the redirect URI, client secret, client ID, and tenant ID used in my code match the values in the Azure UI.
  • In the web app I created in App Registrations, under the Authentication sidebar tab, the Implicit grant and hybrid flows checkboxes are unchecked, and the 'Allow public client flows' setting is set to false.

It seems to me like I'm following the guide precisely, and there's some issue in my Azure UI configuration somewhere that I don't know about and that isn't included in the guide. Any advice for resolving this issue would be much appreciated!

TL;DR and main question: what causes this error when trying to generate an access token?

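The authorization-code exchange described in the question, as an added example (not the asker's code or a Microsoft sample). It builds the v2.0 /authorize and /token requests against the endpoints the linked guide uses, checks that the token request asks for no scope beyond what the consent screen showed (a mismatch between the two requests can produce AADSTS65001 / consent_required), and parses a token-endpoint error so the trace ID is kept for support. Tenant, client and redirect values are placeholders, and the error body is constructed to match the shape of the 400 response above.

```python
"""Auth-code flow helpers for the Microsoft identity platform v2.0 endpoints.
Added illustration, not the asker's code. Tenant/client values are placeholders,
and SAMPLE_ERROR is constructed after the 400 body in the question (fake IDs)."""
import json
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0"
SCOPES = ["offline_access", "User.Read", "Files.Read"]  # scopes from the question


def authorize_url(tenant, client_id, redirect_uri, state, scopes=SCOPES):
    """Build the /authorize URL. No prompt=consent is added; the server decides
    when the user must be re-prompted. `state` ties the callback to this session."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "response_mode": "query",
              "scope": " ".join(scopes), "state": state}
    return f"{AUTHORITY.format(tenant=tenant)}/authorize?{urlencode(params)}"


def token_request(tenant, client_id, client_secret, code, redirect_uri, scopes=SCOPES):
    """Return (url, form body) for the /token exchange. redirect_uri and the scope
    set must be the same ones sent to /authorize; asking here for a scope the user
    never saw on the consent screen can produce AADSTS65001 (consent_required)."""
    body = {"client_id": client_id, "client_secret": client_secret,
            "grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "scope": " ".join(scopes)}
    return f"{AUTHORITY.format(tenant=tenant)}/token", body


def scope_mismatch(auth_url, token_body):
    """Scopes present in the token request but absent from the /authorize URL."""
    asked = set(parse_qs(urlparse(auth_url).query)["scope"][0].split())
    return sorted(set(token_body["scope"].split()) - asked)


def classify_token_error(response_text):
    """Parse a v2.0 token-endpoint error body into (error, suberror, trace_id)
    so logs keep the trace ID that Microsoft support asks for."""
    try:
        err = json.loads(response_text)
    except ValueError:
        return ("unparseable", None, None)
    return (err.get("error"), err.get("suberror"), err.get("trace_id"))


# Constructed sample shaped like the 400 body in the question; IDs are fake.
SAMPLE_ERROR = json.dumps({
    "error": "invalid_grant", "error_codes": [65001], "suberror": "consent_required",
    "error_description": "AADSTS65001: The user or administrator has not consented ...",
    "trace_id": "00000000-0000-0000-0000-000000000000",
})
```

Run `scope_mismatch` on the pair before posting the token request; an empty list means the token request asks only for scopes the user actually consented to.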

2 answers

Sort by: Most helpful
  1. Harpreet Singh Matharoo 7,491 Reputation points Microsoft Employee
    2024-04-30T05:36:01.51+00:00

    Hello @Myles Gamez ,

    Thank you for reaching out to Microsoft QnA Support. I would like to inform you that the error AADSTS65001: The user or administrator has not consented to use the application is a common issue in Azure Active Directory (AAD) when an application tries to access resources or APIs but the user or administrator has not given consent.

    This error usually occurs when you missed granting admin consent to the added scope while retrieving the access token. Here are some potential solutions:

    • You or your administrator may need to grant consent to the application. This can be done in the Azure portal, under the “API permissions” section of the application registration.
    • Ensure that the necessary API permissions are added to your application and that admin consent is granted if required.
    • Prompt Parameter: If you’re using the prompt=consent parameter in your authorization URL, try removing it.

    Remember, changes in the Azure portal can take a few minutes to propagate. If you’ve recently made changes, you might need to wait a bit before testing again.

    Document references:

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. CarlZhao-MSFT 37,626 Reputation points
    2024-04-30T05:42:47.32+00:00

    Hi @Myles Gamez

    Try setting the scope value to https://graph.microsoft.com/.default, which will ensure you are using delegated permissions for the graph API.

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
