
In Azure AD I created 2 app registrations with the same parameters and I want to use them for different environments. When I use the first registration everything works fine. But after switching to another one I get an error

AADSTS65001: The user or administrator has not consented to use the application with ID

when trying to acquire a token:

var result = await app.AcquireTokenOnBehalfOf(new[] { "User.Read" }, userAssertion).ExecuteAsync();

I have no idea why this error occurs, since I configure only one permission and it does not require admin consent.

On the client side I tried to add the parameter prompt=consent in order to show a dialog where the user grants the permissions, but it didn't help.

Do you have any ideas why this error occurs in my case?

Nikolai Khe

2 Answers

1

Some methods for you:

  1. Make sure the settings are like this:

Navigate to Azure Active Directory -> Enterprise applications -> Consent and permissions -> User consent settings.


Navigate to Azure Active Directory -> Enterprise applications -> User settings.


  2. Several hours ago, I also faced the same error. Try to delete the permission and add it again. It will take effect in about 10 minutes.

Test in browser:

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id={client-id}
&response_type=code
&redirect_uri=http://localhost
&response_mode=query
&scope=https://graph.microsoft.com/User.Read
&state=12345
unknown
  • Thanks. I had already checked this setting. I also tried to delete the permission and the app registration; it didn't help. The request which returns the error: `https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token?client_id={clientId}&client_info=1&client_secret={clientSecret}&scope=offline_access+openid+profile+user.read&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion={token}` – Nikolai Khe Feb 22 '21 at 23:26
  • Try the [steps](https://stackoverflow.com/a/65608406/13308381) of On-Behalf-Of flow. Please check whether the API permission of Web API B is admin only, if yes you need to click grant admin consent for xxx. – unknown Feb 23 '21 at 02:33
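
The browser test in the answer above and the token request in the comment are plain HTTP, so the check below is written in Python rather than C#. It is an added example, not code from the question or the answers: it builds the v2.0 authorize URL with correct encoding (including the prompt=consent parameter the question tried, which only has an effect on an interactive authorize request, not on an on-behalf-of call to the token endpoint), and it classifies the JSON error body the token endpoint returns so that AADSTS65001 is recognised as a consent gap rather than a generic invalid_grant. The tenant, client id and error body are constructed sample values.

```python
"""Build an Azure AD v2.0 authorize URL for a consent test, and classify a
token-endpoint error body.  Added example; the ids and the error body are
constructed, not taken from the thread."""
import json
import re
from urllib.parse import urlencode

AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def build_authorize_url(tenant, client_id, scopes, redirect_uri="http://localhost",
                        state="12345", prompt=None):
    """Return the authorize URL used to test consent in a browser.

    `scopes` is a list; it is joined with spaces and URL-encoded, so
    ["offline_access", "openid", "User.Read"] becomes scope=offline_access+openid+User.Read.
    `prompt="consent"` forces the consent dialog on this interactive request only."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    if prompt:
        params["prompt"] = prompt
    return AUTHORIZE.format(tenant=tenant) + "?" + urlencode(params)


AADSTS_RE = re.compile(r"AADSTS(\d+)")

# Azure AD error code discussed in the thread and what an operator does about it.
CONSENT_CODES = {
    65001: "consent missing: grant user or admin consent for the requested scopes "
           "before the on-behalf-of call; prompt=consent cannot fix a token request",
}


def classify_token_error(body):
    """Parse the JSON error body from /oauth2/v2.0/token.

    Looks at `error_codes`, at the AADSTS prefix in `error_description`, and at
    `suberror`.  Returns (aadsts_code_or_None, verdict_string)."""
    data = json.loads(body)
    codes = list(data.get("error_codes") or [])
    m = AADSTS_RE.search(data.get("error_description", ""))
    if m:
        codes.append(int(m.group(1)))
    for c in codes:
        if c in CONSENT_CODES:
            return c, CONSENT_CODES[c]
    if data.get("suberror") == "consent_required":
        return None, CONSENT_CODES[65001]
    return (codes[0] if codes else None), "other error: " + data.get("error", "unknown")


# Constructed sample body in the shape Azure AD returns for this failure.
SAMPLE_ERROR = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS65001: The user or administrator has not consented to use "
                         "the application with ID '00000000-0000-0000-0000-000000000000' "
                         "named 'example-api'. Send an interactive authorization request "
                         "for this user and resource.",
    "error_codes": [65001],
    "suberror": "consent_required",
})

if __name__ == "__main__":
    print(build_authorize_url("contoso.onmicrosoft.com",
                              "00000000-0000-0000-0000-000000000001",
                              ["https://graph.microsoft.com/User.Read"], prompt="consent"))
    print(classify_token_error(SAMPLE_ERROR))
```

Paste the printed authorize URL into a browser signed in as the affected user: if the consent dialog appears and the redirect to localhost carries a code, user consent is allowed for that scope; if the sign-in itself fails with AADSTS65001, the permission is admin-only in that tenant and an administrator has to grant it on the Enterprise application.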
0

Same error AADSTS65001, and the steps below solved my issue with an EWS HttpRequest using an OAuth token to an application mailbox:

  • Go to "Overview" of the registered app, look for "Managed application in local directory" and click the link.
  • Then look for "Permissions" under [Security] and make sure ALL upfront-configured API permissions are reflected in the "user consent" list (instead of showing "No user consented permissions found for the application").
  • Request that the IT 365 admin facilitates the "Admin Consent" grant for the delegated permissions (whichever are missing, e.g. Office 365 Exchange Online > EWS.AccessAsUser.All).

... ... ...

// C#
using System.Net;
using Microsoft.Exchange.WebServices.Data;   // ExchangeService, OAuthCredentials
using Microsoft.Identity.Client;             // IPublicClientApplication (pca)

// Get a token with delegated auth (username/password grant via the MSAL public client 'pca')
var ewsScopes = new string[] { EWS_OAuthUrl };   // the EWS delegated scope, e.g. https://outlook.office365.com/EWS.AccessAsUser.All
var cred = new NetworkCredential(Credentials_EMailAcc, Credentials_EMailPswd);
var authResult = await pca.AcquireTokenByUsernamePassword(ewsScopes, cred.UserName, cred.SecurePassword).ExecuteAsync();

// Configure the ExchangeService with the access token
ExServ = new ExchangeService();
ExServ.Url = new Uri(EWS_Url);
ExServ.Credentials = new OAuthCredentials(authResult.AccessToken);
SK Choor
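
The "user consent" and "Admin Consent" lists in the answer above are the tenant's oauth2PermissionGrant records, which Microsoft Graph exposes for the application's service principal. The script below is an added example, not code from the answer or from Microsoft: given the delegated scopes an app needs and a list of grant records, it reports which scopes a particular user still lacks consent for, so an operator can see exactly what an admin grant has to cover before AADSTS65001 goes away. The service-principal ids, user ids and grant records are constructed sample data in the shape of the Graph resource.

```python
"""Find delegated scopes that lack consent for a user.  Added example with
constructed data; the record shape follows Microsoft Graph oauth2PermissionGrant."""

# Fields of an oauth2PermissionGrant used here:
#   clientId    - object id of the client app's service principal
#   resourceId  - object id of the resource API's service principal
#   consentType - "AllPrincipals" (admin consent, tenant-wide) or "Principal" (one user)
#   principalId - the user's object id when consentType == "Principal"
#   scope       - space-separated delegated permission names

CLIENT_SP = "sp-client-0001"        # constructed ids
EXCHANGE_SP = "sp-exchange-0002"
GRAPH_SP = "sp-graph-0003"
ALICE = "user-alice"
BOB = "user-bob"

# Constructed grants: Graph User.Read is admin-consented for everyone,
# EWS.AccessAsUser.All was consented by Alice alone.
SAMPLE_GRANTS = [
    {"clientId": CLIENT_SP, "resourceId": GRAPH_SP, "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read"},
    {"clientId": CLIENT_SP, "resourceId": EXCHANGE_SP, "consentType": "Principal",
     "principalId": ALICE, "scope": "EWS.AccessAsUser.All"},
]

# Delegated scopes the app is registered to use, per resource service principal.
REQUIRED = {GRAPH_SP: ["User.Read"], EXCHANGE_SP: ["EWS.AccessAsUser.All"]}


def effective_scopes(grants, client_id, resource_id, user_id):
    """Scopes on `resource_id` that `user_id` can use through `client_id`:
    tenant-wide (AllPrincipals) grants plus that user's own Principal grants."""
    scopes = set()
    for g in grants:
        if g["clientId"] != client_id or g["resourceId"] != resource_id:
            continue
        tenant_wide = g["consentType"] == "AllPrincipals"
        own = g["consentType"] == "Principal" and g["principalId"] == user_id
        if tenant_wide or own:
            scopes.update(g["scope"].split())
    return scopes


def missing_consent(grants, client_id, required, user_id):
    """Return {resource_id: [missing scopes]} for `user_id`; fully consented
    resources are omitted, so an empty dict means the user is covered."""
    missing = {}
    for resource_id, scopes in required.items():
        have = effective_scopes(grants, client_id, resource_id, user_id)
        gap = sorted(s for s in scopes if s not in have)
        if gap:
            missing[resource_id] = gap
    return missing


def report(grants, client_id, required, user_id):
    """Human-readable summary of the consent gap for one user."""
    gaps = missing_consent(grants, client_id, required, user_id)
    if not gaps:
        return f"{user_id}: all required delegated permissions are consented"
    lines = [f"{user_id}: consent missing (admin consent needed for):"]
    for resource_id, scopes in gaps.items():
        lines.append(f"  {resource_id}: {', '.join(scopes)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_GRANTS, CLIENT_SP, REQUIRED, ALICE))
    print(report(SAMPLE_GRANTS, CLIENT_SP, REQUIRED, BOB))
```

With real data the grant records come from the Graph endpoint for the service principal's oauth2PermissionGrants; the point of the check is that a per-user Principal grant explains why one account works and another fails, and only an AllPrincipals grant (the admin consent in the answer) covers every user of the application.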