AADSTS65001: The user or administrator has not consented to use the application with ID


Trying to create a simple SPA and call a Rest API in Azure, and I am getting InteractionRequiredAuthError: AADSTS65001: The user or administrator has not consented to use the application with ID 'xxx' named 'MySpaApp'. Send an interactive authorization request for this user and resource.

 

Did the following:

 

  • Registered the REST Api application
  • Added permission for MyRestApi.Tasks.Get, its status is Granted for my users
  • Added a scope for Tasks.Get
  • Added a client application using the SPA application's Client Id

 

  • Registered the SPA application
  • URI is http://localhost
  • Implicit grant and hybrid flows:
  • --Access tokens checked
  • --ID tokens checked
  • --Supported account types: any organizational directory
  • --API Permissions, added MyRestApi.Tasks.Get

 

  • In Enterprise Applications, MySpaApp, clicked Grant Admin Consent for my users

 

  • Went back to MySpaApp, and verified that Tasks.Get has been granted

 

  • From MySpaApp, if I call msal.acquireTokenSilent with "Tasks.Get" for scope, I get: The user or administrator has not consented to use the application with ID 'xxx' named 'MySpApp'. Send an interactive authorization request for this user and resource.

 

  • If I call msal.acquireTokenSilent with "User.Read" for scope, I get back a token.

Any further ideas on troubleshooting?

1 Reply

This is resolved. In the msal request, for client id, I used the app id for the Rest Api, rather than the app id for the SPA.
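
The two application IDs in this thread are easy to swap, so the following check is an added example, not code from the original posts or from MSAL. It lints an MSAL.js-style configuration under the usual arrangement where `auth.clientId` is the SPA registration's ID and the API's scope is requested fully qualified. The GUIDs, the `ids` object and the `lintMsalSetup` helper are constructed for illustration, and the API is assumed to keep the default Application ID URI `api://<API app ID>`.

```javascript
// Added example. All GUIDs are constructed placeholders, not values from the thread.
const ids = {
  spaAppId: "11111111-1111-1111-1111-111111111111", // MySpaApp registration
  apiAppId: "22222222-2222-2222-2222-222222222222", // REST API registration
  apiScopes: ["Tasks.Get"],                         // scopes the API exposes
};

// Returns a list of findings; an empty list means both IDs are used in the right place.
// Assumption: the API keeps the default Application ID URI, api://<API app ID>.
function lintMsalSetup(msalConfig, tokenRequest, reg) {
  const findings = [];
  const clientId = ((msalConfig.auth || {}).clientId || "").toLowerCase();
  const apiPrefix = `api://${reg.apiAppId}/`.toLowerCase();
  const spaPrefix = `api://${reg.spaAppId}/`.toLowerCase();
  const apiScopeNames = reg.apiScopes.map((s) => s.toLowerCase());

  if (clientId === reg.apiAppId.toLowerCase()) {
    findings.push("auth.clientId is the API's app ID; it should identify the SPA");
  } else if (clientId !== reg.spaAppId.toLowerCase()) {
    findings.push("auth.clientId matches neither registration");
  }

  for (const scope of tokenRequest.scopes || []) {
    const s = scope.toLowerCase();
    if (s.startsWith(apiPrefix)) continue; // fully qualified API scope
    if (s.startsWith(spaPrefix)) {
      findings.push(`"${scope}" is qualified with the SPA's app ID, not the API's`);
    } else if (apiScopeNames.includes(s)) {
      // A bare scope name carries no resource, so it is resolved against Microsoft Graph.
      findings.push(`"${scope}" is unqualified; request "${apiPrefix}${scope}"`);
    }
  }
  return findings;
}

// Constructed sample inputs: one with the IDs swapped, one as expected.
const mixedUp = lintMsalSetup(
  { auth: { clientId: ids.apiAppId } }, { scopes: ["Tasks.Get"] }, ids);
const expected = lintMsalSetup(
  { auth: { clientId: ids.spaAppId } },
  { scopes: [`api://${ids.apiAppId}/Tasks.Get`] }, ids);
console.log(mixedUp, expected);
```

Microsoft Graph scopes such as `User.Read` pass the check unqualified, which matches the observation in the question that a token came back for that scope.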