
I am building a MS Teams tab application that utilizes SSO and the Graph API. It will be published in the App Store for commercial use. I had trouble implementing that and asked a question here, which got resolved. Here is the question link: (MS Graph API AADSTS65001: The user or administrator has not consented to use the application with ID <app-id>)

I am successfully able to test it within my organization and I can retrieve the user list using the Graph API.

Before starting the publishing process, I was trying to test it with another organization and it did not work. I was able to get the ID Token + Access Token from SSO for the other organization, but when I try to exchange this token to get the Graph API access token it gives me the same error, i.e.

MS Graph API AADSTS65001: The user or administrator has not consented to use the application with ID <app-id>

Since this is not working for that other organization, I fear that it won't work if I publish it and will give the same error message.

Since it's working correctly with my organization, I am not sure what I am missing here and why it does not work with the other organization.

Here is the account type: (screenshot)

Here are the API permissions; I removed all the permissions that require admin consent just to check if that works. (screenshot) Any help would be appreciated. Thanks!

Devesh Tiwari
  • Could you include what [account type](https://i.imgur.com/Ttb9PCe.png) you selected while registering the application? – Sridevi Jun 09 '23 at 05:29
  • Hi @Sridevi, the account type used during app registration is "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)" – Devesh Tiwari Jun 09 '23 at 05:30
  • Also when exchanging the Graph API access token, I tried it with 2 different urls: https://login.microsoftonline.com/common/oauth2/v2.0/token and https://login.microsoftonline.com/{TenantId}/oauth2/v2.0/token – Devesh Tiwari Jun 09 '23 at 05:32
  • The way I am testing is, I am just uploading the manifest package to the other organization. It works till SSO, but when my code tries to exchange the SSO token for a Graph API token, it fails – Devesh Tiwari Jun 09 '23 at 05:44
  • Hey @Sridevi, I updated the question with the screenshot of the account type. Thanks – Devesh Tiwari Jun 09 '23 at 06:00
  • Could you include what **API permissions** are added when you upload the manifest package to the other organization? – Sridevi Jun 09 '23 at 09:04
  • Hi @Sridevi, I have updated the question with the screenshot of the permissions. Also, the scope is - https://graph.microsoft.com/User.Read email openid profile offline_access User.ReadBasic.All – Devesh Tiwari Jun 12 '23 at 05:14
  • Could you try assigning `User.Read.All` **Delegated** permission in that application and check? – Sridevi Jun 12 '23 at 05:17
  • Hi @Sridevi, Initially, it was User.Read.All but it didn't work hence I tried User.ReadBasic.All. – Devesh Tiwari Jun 12 '23 at 05:41
  • Even though my app works correctly with my Organization, I am kind of blocked because it does not work with other organizations. I tried to build another app from scratch but that also failed during access_token exchange for Graph API. – Devesh Tiwari Jun 12 '23 at 06:36
  • So, I created a brand-new application by following the steps from https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/tab-sso/nodejs and now it's working. Maybe something was off in the authentication redirect URLs. But finally, all the blockers are gone now. – Devesh Tiwari Jun 16 '23 at 07:47
  • @DeveshTiwari Post your solution approach as an answer so that it can help other community members with the same type of issue. – Naveen Sharma Jun 26 '23 at 10:34

1 Answer

I created an Azure AD Multi-Tenant Application like below:

(screenshot)

Added API permissions:

(screenshot)

I generated the access token by using the below parameters:

```http
POST https://login.microsoftonline.com/common/oauth2/v2.0/token

grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer
client_id: <appID>
client_secret: <secret>
scope: https://graph.microsoft.com/User.Read email openid profile offline_access User.Read.All
assertion: <assertion>
requested_token_use: on_behalf_of
```

Access token got generated successfully like below:

(screenshot)

The error "AADSTS65001: user or administrator has not consented to use the application with" usually occurs if you are not granting Admin consent to the API permissions or passing invalid scope.

But in your scenario, you are passing scope correctly and granting Admin consent too. Hence re-deploy the Azure AD Application and try.

As per @Devesh Tiwari, the issue was resolved by creating the Azure AD Multi-Tenant Application.

Reference:

Microsoft-Teams-Samples/samples/tab-sso/nodejs at main · OfficeDev/Microsoft-Teams-Samples · GitHub by Prithvi-MSFT

Comment from @Devesh Tiwari

Actually, the issue was coming because the consent window that was shown to the user only had the basic permission grant. It didn't have the User.ReadBasic.All and Presence.Read.All permissions. I had a call with MS Dev support and they said, 'Since I need additional permissions, I will have to ask for consent again with the additional scope', so I had to implement a button that takes the user to the browser and asks for consent for the additional scope. This is working now for me, but the problem is that users have to leave MS Teams to give the consent.

Rukmini
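The following is an added example (not code from the question, the answer, or the Teams sample repository) that wires together the on-behalf-of exchange shown in the answer and the incremental-consent handling described in Devesh Tiwari's comment: it builds the OBO request body, classifies the token endpoint's reply so the tab can tell "consent missing" apart from other failures, and builds the browser consent URL for the extra scopes. The `consent_required` suberror value and the redirect URI are assumptions; AADSTS65001 is the error code quoted on this page.

```javascript
// Added example (not from the original post). fetchImpl is injected so the
// classification logic can be exercised offline against a constructed reply.
const TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
const AUTHORIZE_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
// Scopes from the answer's token request.
const GRAPH_SCOPES = ["https://graph.microsoft.com/User.Read", "email", "openid",
  "profile", "offline_access", "User.Read.All"];

// Body of the OBO exchange: the Teams SSO token is the JWT-bearer assertion.
function buildOboBody(appId, secret, ssoToken, scopes = GRAPH_SCOPES) {
  return new URLSearchParams({
    grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
    client_id: appId,
    client_secret: secret,
    scope: scopes.join(" "),
    assertion: ssoToken,
    requested_token_use: "on_behalf_of",
  });
}

// Map the token endpoint's JSON to: token issued, consent needed, or other error.
// AADSTS65001 is the code quoted in the question; "consent_required" is assumed
// to be the suberror Azure AD returns with it when incremental consent is needed.
function classifyTokenResponse(json) {
  if (json.access_token) return { status: "ok", accessToken: json.access_token };
  const desc = json.error_description || "";
  if (json.suberror === "consent_required" || desc.includes("AADSTS65001")) {
    return { status: "consent_required" };
  }
  return { status: "error", error: json.error || "unknown" };
}

// Perform the exchange and classify the reply (uses global fetch on Node 18+).
async function exchangeSsoToken(appId, secret, ssoToken, fetchImpl = fetch) {
  const res = await fetchImpl(TOKEN_URL, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: buildOboBody(appId, secret, ssoToken).toString(),
  });
  return classifyTokenResponse(await res.json());
}

// URL for the browser-based consent step from the comment: the user is sent to
// the browser once to grant the extra scopes, then the OBO exchange is retried.
function buildConsentUrl(appId, redirectUri, scopes = GRAPH_SCOPES) {
  const q = new URLSearchParams({ client_id: appId, response_type: "code",
    redirect_uri: redirectUri, scope: scopes.join(" "), prompt: "consent" });
  return `${AUTHORIZE_URL}?${q}`;
}
```

When `classifyTokenResponse` returns `consent_required`, the tab should show the consent button rather than retrying the exchange, since repeating it returns the same AADSTS65001 error.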