Microsoft Teams Error Guide: 'AADSTS65001: The user or administrator has not consented' — Grant Admin Consent
Fix AADSTS65001 in Microsoft Teams apps: grant admin consent for Graph scopes, pre-authorize the Teams client on your API, and repair SSO on-behalf-of tokens.
- #microsoft-teams
- #adaptive-cards
- #troubleshooting
- #errors
Fixing errors like this? Get 500 free DevOps AI prompts
500 copy-paste AI prompts for the stack you actually run — one PDF, free.
Overview
Microsoft Entra ID raises AADSTS65001 when a Teams app, bot, or SSO tab requests a Microsoft Graph permission that has never been consented to by the user or a tenant administrator. The token endpoint refuses to issue an access token until consent exists.
AADSTS65001: The user or administrator has not consented to use the application
with ID '11112222-3333-4444-5555-666677778888' named 'Teams Ops Bot'.
Send an interactive authorization request for this user and resource.
In the on-behalf-of (OBO) flow used by Teams SSO tabs and bots, the same condition surfaces as a invalid_grant with the AADSTS65001 sub-error while exchanging the client-side token for a Graph token.
Symptoms
- SSO in a Teams tab succeeds client-side (
getAuthTokenreturns a token) but the server-side OBO exchange fails with AADSTS65001. - A bot’s
TeamsSSOTokenExchangereturns an error and the sign-in card keeps reappearing. - Graph calls that worked for the app registrant fail for every other user in the tenant.
- The consent prompt never appears because the app requests permissions that require admin consent (e.g.
Group.Read.All,Sites.Read.All). - Works in the developer’s home tenant but fails after the app is installed in a customer tenant.
Common Root Causes
- No admin consent granted — the app requests high-privilege delegated scopes that only a Global Administrator can consent to.
- OBO with un-pre-authorized client — the Teams client app (
1fec8e78-bce4-4aaf-ab1b-5451cc387264for Teams) is not listed as a pre-authorized application on the API’s exposed scope, so the middle-tier token cannot be exchanged silently. - Scope mismatch — the token was requested with a scope the app registration does not list under API permissions.
- User-assignment required — the enterprise application has “User assignment required” on but the user isn’t assigned.
- Wrong endpoint — authenticating against a specific tenant while the app is registered single-tenant elsewhere, or using
/commonfor a single-tenant app.
Diagnostic Workflow
Decode the failing token request. The scope and client_id in the OBO call must match the app registration:
# OBO exchange that returns AADSTS65001
curl -X POST "https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token" \
-d "grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer" \
-d "client_id=${API_APP_ID}" \
-d "client_secret=${API_SECRET}" \
-d "assertion=${CLIENT_SIDE_TOKEN}" \
-d "scope=https://graph.microsoft.com/User.Read https://graph.microsoft.com/Group.Read.All" \
-d "requested_token_use=on_behalf_of"
Inspect the granted permissions with Graph to confirm what consent actually exists:
# What delegated grants exist for this service principal?
az ad app permission list-grants --id "${API_APP_ID}" -o table
# List the OAuth2 permission grants
curl -H "Authorization: Bearer ${GRAPH_ADMIN_TOKEN}" \
"https://graph.microsoft.com/v1.0/oauth2PermissionGrants?\$filter=clientId eq '${SP_OBJECT_ID}'"
Confirm Teams is pre-authorized on your exposed API scope in the manifest (preAuthorizedApplications):
"preAuthorizedApplications": [
{ "appId": "1fec8e78-bce4-4aaf-ab1b-5451cc387264",
"delegatedPermissionIds": ["<your-access_as_user-scope-id>"] },
{ "appId": "5e3ce6c0-2b1f-4285-8d4b-75ee78787346",
"delegatedPermissionIds": ["<your-access_as_user-scope-id>"] }
]
Example Root Cause Analysis
A team shipped a Teams SSO tab that read the user’s profile and their group memberships. In the developer’s tenant it worked because the developer was a Global Admin and had clicked through the consent dialog once. When a pilot customer installed the app, every user hit AADSTS65001 during the OBO exchange.
Two problems compounded. First, Group.Read.All requires admin consent — regular users could never self-consent, and no admin had granted it in the customer tenant. Second, the API app registration was missing the Teams desktop/web client IDs in preAuthorizedApplications, so even User.Read couldn’t be exchanged silently.
The fix was to (1) have the customer’s Global Admin grant tenant-wide admin consent via the admin consent URL, and (2) add both Teams client app IDs to preAuthorizedApplications on the access_as_user scope. After re-consent, the OBO exchange returned Graph tokens for all users.
Prevention Best Practices
- Request the minimum delegated scopes; avoid admin-consent-only permissions unless truly required.
- Add the Teams web and desktop client app IDs to
preAuthorizedApplicationsso SSO tabs can exchange tokens silently. - Ship an admin consent URL with your app for tenant admins:
https://login.microsoftonline.com/{tenant}/adminconsent?client_id={appId}. - Grant admin consent as part of deployment (
az ad app permission admin-consent) rather than relying on per-user prompts. - Handle AADSTS65001 in the bot/tab by returning a consent/sign-in card that triggers the interactive
adminconsentflow. - Keep the app single- vs multi-tenant setting consistent with the authority endpoint you call.
Quick Command Reference
# Grant admin consent for the app (requires admin)
az ad app permission admin-consent --id "${API_APP_ID}"
# Admin consent URL to hand to a tenant admin
echo "https://login.microsoftonline.com/${TENANT_ID}/adminconsent?client_id=${API_APP_ID}"
# List current API permissions on the app
az ad app permission list --id "${API_APP_ID}" -o table
# Show the enterprise app's assignment requirement
az ad sp show --id "${API_APP_ID}" --query "appRoleAssignmentRequired"
Conclusion
AADSTS65001 is a consent problem, not a code bug: the token endpoint has no record that anyone approved the scopes your Teams app is asking for. Confirm which scopes need admin consent, pre-authorize the Teams client apps on your exposed API scope, and grant tenant-wide admin consent at deployment time. Once consent exists and the OBO client is pre-authorized, SSO tabs and bots exchange Graph tokens silently for every user in the tenant.
Get 500 Battle-Tested DevOps AI Prompts — Free
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.