ERROR AADSTS

AADSTS65001

User or admin has not consented to the application

in plain english

The app is asking for permissions that nobody has consented to — usually because the app needs admin consent and only an admin can grant it on behalf of users. Until consent is granted, every sign-in to that app fails with AADSTS65001.

most likely causes

  • App requests delegated permissions that require admin consent (e.g. Directory.Read.All, Group.ReadWrite.All)
  • Tenant has 'Users can consent to apps' set to No, so users can't self-consent even for low-risk scopes
  • App permissions (application-only) requested but never admin-consented
  • Consent was previously revoked from the Enterprise application's Permissions tab

fix path

  1. Open the consent URL with an admin account: https://login.microsoftonline.com/<tenant>/adminconsent?client_id=<app-id>
  2. OR: Entra portal → Enterprise applications → <app> → Security → Permissions → Grant admin consent for <tenant>
  3. If users should self-consent for low-risk scopes: Identity → Enterprise apps → Consent and permissions → User consent settings → 'Allow user consent for apps from verified publishers, for selected permissions'
  4. Confirm the app registration's API permissions match what the app actually requests at runtime — mismatched scopes also surface as 65001
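One way to run the step 4 comparison offline (an added example, not from the original page or Microsoft tooling): it diffs the scopes in an authorize request against delegated grants shaped like Microsoft Graph `oauth2PermissionGrants` records. The function names, IDs and sample URL are constructed, and it assumes every requested scope targets a single resource.

```python
from urllib.parse import parse_qs, urlencode, urlparse

def requested_scopes(authorize_url):
    """Scope names from the `scope` parameter of an authorize request."""
    raw = " ".join(parse_qs(urlparse(authorize_url).query).get("scope", []))
    # Scopes may be written as <resource>/<name>; keep the name only.
    names = {s.rsplit("/", 1)[-1] for s in raw.split()}
    # .default defers to the registration's configured permissions, so skip it.
    return names - {".default"}

def consented_scopes(grants, client_sp_id, resource_sp_id, user_id):
    """Delegated scopes already consented for this user on this resource."""
    granted = set()
    for g in grants:
        if g["clientId"] != client_sp_id or g["resourceId"] != resource_sp_id:
            continue
        tenant_wide = g["consentType"] == "AllPrincipals"  # admin consent
        own = g["consentType"] == "Principal" and g.get("principalId") == user_id
        if tenant_wide or own:
            granted.update(g.get("scope", "").split())
    return granted

def missing_consent(authorize_url, grants, client_sp_id, resource_sp_id, user_id):
    """Requested scopes with no matching grant: candidates for AADSTS65001."""
    # Case-insensitive comparison is a choice made for this example.
    have = {s.casefold() for s in
            consented_scopes(grants, client_sp_id, resource_sp_id, user_id)}
    return sorted(s for s in requested_scopes(authorize_url)
                  if s.casefold() not in have)

# Constructed sample data (placeholder IDs, not from a real tenant).
SAMPLE_URL = ("https://login.microsoftonline.com/TENANT-PLACEHOLDER/oauth2/v2.0/authorize?"
              + urlencode({"client_id": "APP-ID-PLACEHOLDER", "response_type": "code",
                           "scope": "openid profile https://graph.microsoft.com/User.Read "
                                    "https://graph.microsoft.com/Mail.Read Directory.Read.All"}))
SAMPLE_GRANTS = [
    {"clientId": "sp-client", "resourceId": "sp-graph", "consentType": "AllPrincipals",
     "principalId": None, "scope": "openid profile User.Read"},
    {"clientId": "sp-client", "resourceId": "sp-graph", "consentType": "Principal",
     "principalId": "user-b", "scope": "Mail.Read"},
]

if __name__ == "__main__":
    for user in ("user-a", "user-b"):
        print(user, missing_consent(SAMPLE_URL, SAMPLE_GRANTS, "sp-client", "sp-graph", user))
```

Any scope it returns is one the app asks for at runtime without a tenant-wide or per-user grant behind it; application-only permissions are app role assignments and are not covered by this check.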

seen in

Entra ID interactive sign-in · Microsoft Graph · Custom app first-run · Power Platform connectors
