MS Graph API AADSTS65001: The user or administrator has not consented to use the application with ID <app-id>
I am building a team's configurable tab. As part of the requirement, I need to implement SSO and then call MS Graph API calls to get the list of user in the team.
I am following the below artical that explains the entire flow:
https://www.youtube.com/playlist?list=PLWZJrkeLOrbZ3uG8Xb8yOUeWu7UDu4Q_-
So far, I am succesfully able to perfom the SSO as mentioned in the following 2 videos: https://www.youtube.com/watch?v=J3KCjpZGiEI&list=PLWZJrkeLOrbZ3uG8Xb8yOUeWu7UDu4Q_-&index=2
https://www.youtube.com/watch?v=TRfZDx7N6Fw&list=PLWZJrkeLOrbZ3uG8Xb8yOUeWu7UDu4Q_-&index=4
I am able got the ID Token + Access Token from SSO but when I am trying to exchange this token to get the Graph API access token (as mentioned in https://www.youtube.com/watch?v=E6bbyPVK8Q0&list=PLWZJrkeLOrbZ3uG8Xb8yOUeWu7UDu4Q_-&index=5), I am getting the following error:
AADSTS65001: The user or administrator has not consented to use the application with ID <webapi_ app_id>.
I went through the comment mentioned in the following stack overflow post, but it didn't resolve my issues:
AADSTS65001: The user or administrator has not consented to use the application with ID <app-id>
Here is my code to get the Graph API access token:
const clientId = {clientId};
const clientSecret = {clientSecret};
const SSOToken = req.query.ssoToken
const aadTokenEndPoint = `https://login.microsoftonline.com/${
jwtDecode<any>(SSOToken).tid
}/oauth2/v2.0/token`;
const oAuthOBOParams = {
grant_type: "urn:ietf:params:oauth:grant-type:jwt:bearer",
client_Id: clientId,
client_secret: clientSecret,
assertion: SSOToken,
requested_token_use: "on_behalf_of",
scope: "https://graph.microsoft.com/User.Read email openid profile offline_access User.Read.All",
};
const oAuthOboRequest = Object.keys(oAuthOBOParams)
.map((key, index) => `${key}=${encodeURIComponent(oAuthOBOParams[key])}`)
.join("&");
const HEADERS = {
accept: "application/json",
"content-type": "application/x-www-form-urlencoded",
};
log({ HEADERS, oAuthOboRequest, oAuthOBOParams, aadTokenEndPoint });
try {
const response = await axios.post(aadTokenEndPoint, oAuthOboRequest, {
headers: HEADERS,
});
log(response);
if (response.status === 200) {
res.status(200).send(response.data);
} else {
if (
response.data.error === "invalid_grant" ||
response.data.error === "interaction_required"
) {
res.status(403).json({ error: "consent_required" });
} else {
res.status(500).json({ error: "Could not exchange access token" });
}
}
} catch (error) {
res.status(400).json({ error: `unknown error ${error}` });
}
API Permission
Expose API
**Authentication - I just added the URL but I does not have the auth-end receiving point in server **
Assertion-Access_Token Code
Team's Permission
Accepting the Pop-up permission
Postman
From your API permissions screenshot, I observed that you added
User.Read.Allpermission of Application type which won't work with on-behalf-of flow.
I registered one Azure AD application and granted API permissions same as you like this:
When I tried to generate token via Postman by passing below parameters, I got same error as you like below:
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer
client_id: <appID>
client_secret: <secret>
scope: https://graph.microsoft.com/User.Read email openid profile offline_access User.Read.All
assertion:assertion
requested_token_use:on_behalf_of
Response:
To resolve the error, you need to add User.Read.All permission of Delegated type and grant admin consent to it like below:
When I send the request again after adding above permission, I got access token successfully like below:
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer
client_id: <appID>
client_secret: <secret>
scope: https://graph.microsoft.com/User.Read email openid profile offline_access User.Read.All
assertion:assertion
requested_token_use:on_behalf_of
Response:
In your case, make sure to add User.Read.All permission of Delegated type and grant admin consent as you are passing it in scope parameter.
- Use Oauth2+Django to get authorization to access user's Gmail
- Ruby & IMAP - Accessing Office 365 with Oauth 2.0
- Facebook graph api returns 400 bad request with correct access token
- How do I add audience validation using Spring OAuth without needing the issuer?
- How to make Depends optional in FastAPI?
- Getting refresh token for gmail API with Spring Security
- Creating firebase user with authentication information from Salesforce
- Where to store the refresh token on the Client?
- AuthorizedClientServiceOAuth2AuthorizedClientManager: accessToken cannot be null
- 3rd party cookies in Android 14/New Chrome using Angular/Firebase Auth/Hosting and NodeJs in Server
- Swift Discord OAuth2 redirect URi not supported by Client
- Apim policy to validat token for b2b and as well as b2c tenant token endpoints
- Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
- Google APIs Console - missing client secret
- Automating access token refreshing via interceptors in axios
- Supabase does not append code parameter to the redirect URL after OAuth login
- How/why is login page redirect required?
- Where can I find a list of scopes for Google's OAuth 2.0 API?
- Using ASP.Net Core Identity in parallel with OpenIdConnect OAuth2
- Spring security JWT without OAuth
- Add OAuth authentication for HTTP request triggers
- Get email, phone, etc from OAuth2 login
- BFF pattern for native apps in OAuth 2.0?
- Why is PKCE `code_verifier` calculated server-side in BFF pattern?
- Apache strips down "Authorization" header
- Fake Firebase Auth Tokens for Test Environment
- Access Not Configured for Google OAUTH Login
- Authenticating to Microsoft 365 SMTP servers via OAuth2 only works for users without MFA
- Getting user data through an Azure AD OAuth login - React Native Expo App
- Callback github URI with Oauth2 and Spring Boot 3.4.0 not found after authentication