Azure Error: 'AADSTS65001: The user or administrator has not consented to use the application' — Cause, Fix, and Troubleshooting Guide
Fix Entra ID AADSTS65001: no consent to use the application. Grant admin consent for the app's permissions or complete the user consent flow.
- #azure
- #cloud
- #troubleshooting
- #errors
- #entra
Fixing errors like this? Get 500 free DevOps AI prompts
500 copy-paste AI prompts for the stack you actually run — one PDF, free.
Overview
Entra ID returns AADSTS65001 when an application requests an access token for permissions (scopes/roles) that no one has consented to for that app in the tenant. Authentication itself succeeded — the identity is known — but authorization to the requested API permission was never granted. The literal error:
AADSTS65001: The user or administrator has not consented to use the application with ID
'11112222-3333-4444-5555-666677778888' named 'my-api-client'. Send an interactive authorization
request for this user and resource. Trace ID: ... Correlation ID: ... Timestamp: 2026-07-12 14:02:33Z
The message names the application id and tells you the remedy directly: an admin (or the user) must consent to the permissions the app is asking for.
Symptoms
- OAuth token acquisition fails with
AADSTS65001(interactive login, on-behalf-of flow, or a daemon requesting app permissions). - A web app or API client redirects to an error page after sign-in instead of returning a token.
- A newly-registered app, or one that just added an API permission, stops working until consent is granted.
- The Enterprise Application shows permissions in a “not granted” state in the portal.
Common Root Causes
- Admin consent never granted — the app requests permissions that require admin consent (e.g., application permissions, or high-privilege Graph scopes) and no admin has approved them.
- New permission added — an existing app added a scope/role; previously-granted consent does not cover the new permission.
- User consent disabled — the tenant blocks user consent, so only an admin can grant it, and none has.
- Wrong resource/scope requested — the app asks for a scope on an API it was never configured for.
- Consent granted in a different tenant — a multi-tenant app was consented in tenant A but is being used in tenant B where it has no consent.
How to diagnose
Identify the app and the permissions it is requesting:
az ad app show --id 11112222-3333-4444-5555-666677778888 \
--query "requiredResourceAccess" -o json
Check whether an enterprise application (service principal) for it exists in the tenant and what has been granted:
az ad sp show --id 11112222-3333-4444-5555-666677778888 \
--query "{name:displayName, id:id}" -o json
az ad app permission list-grants \
--id 11112222-3333-4444-5555-666677778888 -o json
If the grant list is empty (or missing the scope the token needs), consent has not been given. Confirm the tenant’s user-consent policy — if user consent is off, an admin must act:
az rest --method get \
--url "https://graph.microsoft.com/v1.0/policies/authorizationPolicy" \
--query "defaultUserRolePermissions.permissionGrantPoliciesAssigned" -o json
Fixes
Grant admin consent for the app’s configured permissions (requires Privileged Role Administrator / Global Administrator):
az ad app permission admin-consent --id 11112222-3333-4444-5555-666677778888
This creates the tenant-wide consent grant so the app can obtain tokens for its permissions.
Grant a specific Graph permission and then admin-consent, if you are adding one:
# Example: add Directory.Read.All (application permission) then consent
az ad app permission add \
--id 11112222-3333-4444-5555-666677778888 \
--api 00000003-0000-0000-c000-000000000000 \
--api-permissions 7ab1d382-f21e-4acd-a863-ba3e13f7da61=Role
az ad app permission admin-consent --id 11112222-3333-4444-5555-666677778888
Use the admin-consent URL for a multi-tenant app so an admin in the using tenant approves it:
https://login.microsoftonline.com/<tenant-id>/adminconsent?client_id=11112222-3333-4444-5555-666677778888
For delegated scopes where user consent is allowed, an interactive sign-in with the consent prompt lets the user approve; otherwise route it to an admin.
What to watch out for
- Consent is per-permission. Adding a new scope/role after consent requires re-consenting; old consent does not cover new permissions.
- Application permissions always need admin consent. App-only (client-credentials) flows can never be user-consented — an admin must grant.
- Propagation delay. After admin consent, allow a short delay before the token request succeeds.
- Multi-tenant means multi-consent. Each customer tenant must consent independently; consent in your home tenant does not carry over.
Related
- AADSTS700016 / AADSTS50076 — application-not-found and MFA-required sign-in errors from Entra ID.
- AADSTS50105 — the signed-in user is not assigned to a role for the application.
- AADSTS7000215 — invalid client secret for the app’s credential.
Get 500 Battle-Tested DevOps AI Prompts — Free
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.