ERROR AADSTS
AADSTS65001
User or admin has not consented to the application
in plain english
The app is asking for permissions that nobody has consented to — usually because the app needs admin consent and only an admin can grant it on behalf of users. Until consent is granted, every sign-in to that app fails with AADSTS65001.
most likely causes
- App requests delegated permissions that require admin consent (e.g. Directory.Read.All, Group.ReadWrite.All)
- Tenant has 'Users can consent to apps' set to No, so users can't self-consent even for low-risk scopes
- Application permissions (app-only) requested but never admin-consented
- Consent was previously revoked from the Enterprise application's Permissions tab
fix path
- Open the consent URL with an admin account: https://login.microsoftonline.com/<tenant>/adminconsent?client_id=<app-id>
- OR: Entra portal → Enterprise applications → <app> → Security → Permissions → Grant admin consent for <tenant>
- If users should self-consent for low-risk scopes: Identity → Enterprise apps → Consent and permissions → User consent settings → 'Allow user consent for apps from verified publishers, for selected permissions'
- Confirm the app registration's API permissions match what the app actually requests at runtime — mismatched scopes also surface as 65001
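One way to run the scope-mismatch check from the last step offline, as an added example that is not part of the original page: it compares the scopes in an authorize request against the delegated grants recorded for the app. The field names follow the Microsoft Graph oauth2PermissionGrant resource. The tenant name, object IDs, URL and grant data are constructed placeholders, and the sketch assumes all scopes target a single resource.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample: an authorize request as the app might send it at runtime.
AUTHORIZE_URL = (
    "https://login.microsoftonline.com/contoso.example/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000001&response_type=code"
    "&scope=openid%20User.Read%20https%3A%2F%2Fgraph.microsoft.com%2FGroup.ReadWrite.All"
)

# Constructed sample: oauth2PermissionGrant objects for the app's service
# principal. The IDs are placeholders, not real object IDs.
GRANTS = [
    {"clientId": "sp-app", "resourceId": "sp-graph", "consentType": "AllPrincipals",
     "principalId": None, "scope": " openid User.Read"},
    {"clientId": "sp-app", "resourceId": "sp-graph", "consentType": "Principal",
     "principalId": "user-alice", "scope": "Group.ReadWrite.All"},
]

def requested_scopes(authorize_url):
    """Scope names from the request, with any resource URI prefix stripped."""
    raw = parse_qs(urlparse(authorize_url).query).get("scope", [""])[0]
    return {s.rsplit("/", 1)[-1] for s in raw.split()}

def consented_scopes(grants, resource_id, user_id):
    """Union of tenant-wide (admin) grants and grants made for this user only."""
    scopes = set()
    for g in grants:
        if g["resourceId"] != resource_id:
            continue
        if g["consentType"] == "AllPrincipals" or g["principalId"] == user_id:
            scopes.update(g["scope"].split())
    return scopes

def missing_consent(authorize_url, grants, resource_id, user_id):
    """Scopes the app requests that have no grant covering this user."""
    # .default defers to the permissions configured on the app registration,
    # so it cannot be checked from the request URL alone.
    wanted = requested_scopes(authorize_url) - {".default"}
    return sorted(wanted - consented_scopes(grants, resource_id, user_id))

if __name__ == "__main__":
    for user in ("user-alice", "user-bob"):
        print(user, missing_consent(AUTHORIZE_URL, GRANTS, "sp-graph", user))
```

A non-empty result for a user names the scopes that still need admin consent or need to be removed from the app's request.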
seen in
Entra ID interactive sign-in · Microsoft Graph · Custom app first-run · Power Platform connectors