AADSTS65001 Error: Dynamics 365 OData access issue after 60min / token refresh

My web app (ConfidentialClientAplication) performs some background tasks for my users:

1. Poll E-Mail inbox for new mails and import them - using the Microsoft Graph API (using Mail.ReadWrite)
2. Poll Dynamics 365 Finance and Operations data for new/deleted/changed data - using the OData endpoints, for example $DYN365_BASE_URL/data/Companies (using Connector.FullAccess)

For reference here is a screenshot of the permissions the app is using:

(Figure 1: App registration permissions)

--

In my webb app the user clicks a button to connect their MS365 tenant with my app, requesting the required permissions using the authorization code flow:

(Figure 2: Consent Screen)

I now have an access_token and also a refresh_token (using MSAL for Java). I can now successfully:

• Read the E-Mails
• Read the Dynamics 365 OData

So far, so good.

--

Now, after 60minutes my access_token is expired and I need to get a new one using the refresh_token. So, I do that.

Using the new access_token I can

• Still successfully read the E-Mails
• However trying to read the Dynamics 365 OData, I get an Exception: AADSTS65001: The user or administrator has not consented to use the application.

--

• Why?
• What I can change, to maintain access to the Dynamics 365 OData after 60min?

We found a rather simple solution: we needed to also add the Odata.FullAccess permission in the Azure portal.

Using the following set of permissions the code worked fine without any further modifications:

We also experimented with using less permissions. But it looks like all of the permissions are required for our use case.