Skip to content
DevOps AI ToolKit
Newsletter
All guides
Azure with AI By James Joyner IV · · 7 min read

Azure Error: 'AADSTS65001: The user or administrator has not consented to use the application' — Cause, Fix, and Troubleshooting Guide

Quick answer

Fix Entra ID AADSTS65001: no consent to use the application. Grant admin consent for the app's permissions or complete the user consent flow.

Part of the Microsoft Entra ID (Azure AD) Sign-in Errors hub
  • #azure
  • #cloud
  • #troubleshooting
  • #errors
  • #entra
Free toolkit

Fixing errors like this? Get 500 free DevOps AI prompts

500 copy-paste AI prompts for the stack you actually run — one PDF, free.

Overview

Entra ID returns AADSTS65001 when an application requests an access token for permissions (scopes/roles) that no one has consented to for that app in the tenant. Authentication itself succeeded — the identity is known — but authorization to the requested API permission was never granted. The literal error:

AADSTS65001: The user or administrator has not consented to use the application with ID
'11112222-3333-4444-5555-666677778888' named 'my-api-client'. Send an interactive authorization
request for this user and resource. Trace ID: ... Correlation ID: ... Timestamp: 2026-07-12 14:02:33Z

The message names the application id and tells you the remedy directly: an admin (or the user) must consent to the permissions the app is asking for.

Symptoms

  • OAuth token acquisition fails with AADSTS65001 (interactive login, on-behalf-of flow, or a daemon requesting app permissions).
  • A web app or API client redirects to an error page after sign-in instead of returning a token.
  • A newly-registered app, or one that just added an API permission, stops working until consent is granted.
  • The Enterprise Application shows permissions in a “not granted” state in the portal.

Common Root Causes

  • Admin consent never granted — the app requests permissions that require admin consent (e.g., application permissions, or high-privilege Graph scopes) and no admin has approved them.
  • New permission added — an existing app added a scope/role; previously-granted consent does not cover the new permission.
  • User consent disabled — the tenant blocks user consent, so only an admin can grant it, and none has.
  • Wrong resource/scope requested — the app asks for a scope on an API it was never configured for.
  • Consent granted in a different tenant — a multi-tenant app was consented in tenant A but is being used in tenant B where it has no consent.

How to diagnose

Identify the app and the permissions it is requesting:

az ad app show --id 11112222-3333-4444-5555-666677778888 \
  --query "requiredResourceAccess" -o json

Check whether an enterprise application (service principal) for it exists in the tenant and what has been granted:

az ad sp show --id 11112222-3333-4444-5555-666677778888 \
  --query "{name:displayName, id:id}" -o json

az ad app permission list-grants \
  --id 11112222-3333-4444-5555-666677778888 -o json

If the grant list is empty (or missing the scope the token needs), consent has not been given. Confirm the tenant’s user-consent policy — if user consent is off, an admin must act:

az rest --method get \
  --url "https://graph.microsoft.com/v1.0/policies/authorizationPolicy" \
  --query "defaultUserRolePermissions.permissionGrantPoliciesAssigned" -o json

Fixes

Grant admin consent for the app’s configured permissions (requires Privileged Role Administrator / Global Administrator):

az ad app permission admin-consent --id 11112222-3333-4444-5555-666677778888

This creates the tenant-wide consent grant so the app can obtain tokens for its permissions.

Grant a specific Graph permission and then admin-consent, if you are adding one:

# Example: add Directory.Read.All (application permission) then consent
az ad app permission add \
  --id 11112222-3333-4444-5555-666677778888 \
  --api 00000003-0000-0000-c000-000000000000 \
  --api-permissions 7ab1d382-f21e-4acd-a863-ba3e13f7da61=Role
az ad app permission admin-consent --id 11112222-3333-4444-5555-666677778888

Use the admin-consent URL for a multi-tenant app so an admin in the using tenant approves it:

https://login.microsoftonline.com/<tenant-id>/adminconsent?client_id=11112222-3333-4444-5555-666677778888

For delegated scopes where user consent is allowed, an interactive sign-in with the consent prompt lets the user approve; otherwise route it to an admin.

What to watch out for

  • Consent is per-permission. Adding a new scope/role after consent requires re-consenting; old consent does not cover new permissions.
  • Application permissions always need admin consent. App-only (client-credentials) flows can never be user-consented — an admin must grant.
  • Propagation delay. After admin consent, allow a short delay before the token request succeeds.
  • Multi-tenant means multi-consent. Each customer tenant must consent independently; consent in your home tenant does not carry over.
  • AADSTS700016 / AADSTS50076 — application-not-found and MFA-required sign-in errors from Entra ID.
  • AADSTS50105 — the signed-in user is not assigned to a role for the application.
  • AADSTS7000215 — invalid client secret for the app’s credential.
Free download · 368-page PDF

Get 500 Battle-Tested DevOps AI Prompts — Free

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.