Reputation: 29
I have registered an application in Azure AD. I am trying to get an access token for Azure SQL Database.
I am sending the request to https://login.microsoftonline.com/mytenant/oauth2/v2.0/token
But I am getting the below error as a response.
AADSTS65001: The user or administrator has not consented to use the application with ID
Is there something wrong with the authentication request? Or am I missing any permissions? If so, how do I set those permissions? I don't know what's going wrong.
Can anyone help me out to solve this error?
Upvotes: 0
Views: 1292
Reputation: 175
This may not be 100% relevant, but I encountered the same problem while using an application to obtain an updated access_token from a refresh_token for an external user that did not belong to the tenant domain. After wasting a great deal of time trying to work out consents and permissions, I realised that I was calling the wrong endpoint.
So using the `https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token` endpoint gave me the AADSTS65001 error. I finally realised that (for users that do not belong to the tenant associated with the application) I needed to use the `https://login.microsoftonline.com/common/oauth2/v2.0/token` endpoint.
Complete code for those interested:
<?php
// composer require guzzlehttp/guzzle
require __DIR__ . '/vendor/autoload.php';
class TokenRefresher
{
    public function __construct(private string $clientId, private string $clientSecret) {}
    // Uses /common so a refresh token issued to a user from another tenant is
    // accepted; the tenant-specific endpoint returned AADSTS65001 for such users.
    public function refreshAccessToken(string $refreshToken): string
    {
        $client = new \GuzzleHttp\Client();
        $url = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
        $response = $client->post($url, [
            'form_params' => [
                'client_id'     => $this->clientId,
                'scope'         => 'https://graph.microsoft.com/.default', // v2 endpoint takes the resource via scope
                'refresh_token' => $refreshToken,
                'grant_type'    => 'refresh_token',
                'client_secret' => $this->clientSecret,
            ],
        ]);
        return json_decode((string) $response->getBody(), true)['access_token'];
    }
}
Upvotes: 1
Reputation: 483
Privileged permissions (delegated or application type) require admin consent. If you know the directory ID and application (client) ID, you can send the consent link to an admin (with the Global Admin role), who can grant the consent: https://login.microsoftonline.com/[your-azure-ad-directory-id]/adminconsent?client_id=[your-client-id]
Just replace the directory id and client id!
Upvotes: 1
Reputation: 10831
First, please check with your admin whether they have consented to the request.
Please make sure to grant the basic permissions required to access the app and consent to them in the portal, or make sure the admin has consented.
Also see AADSTS65001 and check whether the scope parameter is included in the request for the v2 endpoint.
See if you need the Directory Readers role to access Azure SQL Database (if not, ask the admin to provide it), or also select the Directory.Read.All permission from API permissions as above; it can also be set from the Roles and administrators section.
Upvotes: 1
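The three answers above each give one piece of the fix (the /common authority for users from another tenant, the admin consent link, and the scope parameter on the v2 endpoint). The following is an added Python example, not code from the original post or from Microsoft's libraries, that puts them together: it builds the admin consent URL and a v2 refresh_token request body with the scope included, and parses the JSON error body the token endpoint returns so that AADSTS65001 is recognised programmatically and turned into the consent link to hand to an administrator. The Azure SQL Database scope value, the placeholder tenant and client IDs, and the sample error body are my assumptions and constructed data, not values from the page.

```python
"""Azure AD v2 token requests and AADSTS65001 handling (added example).

Assumptions, not from the original post: the Azure SQL Database scope value,
the constructed sample error body, and the placeholder tenant/client IDs.
"""
import json
import re
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

LOGIN = "https://login.microsoftonline.com"

# Assumption: Azure SQL Database's v2 scope is its resource URI plus "/.default".
AZURE_SQL_SCOPE = "https://database.windows.net/.default"

AADSTS_RE = re.compile(r"AADSTS(\d+)")


def token_endpoint(tenant: Optional[str] = None) -> str:
    """Tenant authority for the tenant's own users; /common (tenant=None)
    for users who belong to another tenant, as the refresh_token answer found."""
    return f"{LOGIN}/{tenant or 'common'}/oauth2/v2.0/token"


def admin_consent_url(tenant: str, client_id: str) -> str:
    """The admin consent link from the answer above, with the IDs filled in."""
    return f"{LOGIN}/{tenant}/adminconsent?{urlencode({'client_id': client_id})}"


def refresh_token_request(client_id: str, client_secret: str, refresh_token: str,
                          scope: str, tenant: Optional[str] = None) -> Tuple[str, str]:
    """Return (url, form body) for grant_type=refresh_token. The v2 endpoint
    takes the target resource via 'scope', so never leave it out."""
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": scope,
    }
    return token_endpoint(tenant), urlencode(body)


def classify_token_error(response_body: str) -> Dict[str, object]:
    """Parse the JSON error body the token endpoint returns with HTTP 400 and
    report whether the failure is a missing consent (AADSTS65001)."""
    err = json.loads(response_body)
    codes = set(err.get("error_codes", []))
    match = AADSTS_RE.search(err.get("error_description", ""))
    if match:  # the code is also the prefix of error_description
        codes.add(int(match.group(1)))
    consent_required = 65001 in codes or err.get("suberror") == "consent_required"
    return {"error": err.get("error"), "codes": sorted(codes),
            "consent_required": consent_required}


def next_step(tenant: str, client_id: str, response_body: str) -> Optional[str]:
    """If the token error is a consent error, return the admin consent URL to
    give to a Global Administrator; otherwise None (a different fix is needed)."""
    if classify_token_error(response_body)["consent_required"]:
        return admin_consent_url(tenant, client_id)
    return None


# Constructed sample of a token endpoint error body (same shape as the real
# one, values made up); the original question quotes only its first line.
SAMPLE_CONSENT_ERROR = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS65001: The user or administrator has not consented "
                         "to use the application with ID "
                         "'11111111-1111-1111-1111-111111111111'. Send an "
                         "interactive authorization request for this user and resource.",
    "error_codes": [65001],
    "suberror": "consent_required",
})

if __name__ == "__main__":
    client_id = "11111111-1111-1111-1111-111111111111"  # placeholder
    url, body = refresh_token_request(client_id, "placeholder-secret",
                                      "placeholder-refresh-token", AZURE_SQL_SCOPE,
                                      tenant="contoso.onmicrosoft.com")
    print(url, body, sep="\n")
    print(next_step("contoso.onmicrosoft.com", client_id, SAMPLE_CONSENT_ERROR))
```

Checking `error_codes` and `suberror` in addition to the `AADSTS` prefix matters because the human-readable `error_description` is the part Microsoft changes most often; the numeric code is the stable signal to branch on. For a client_credentials (app-only) token the tenant-specific authority is still required, so `token_endpoint(None)` only applies to the delegated refresh_token case from the first answer.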