Microsoft Entra ID CIAM – AADSTS65001: User or admin has not consented (Native Authentication)
I'm working with the new Microsoft Entra ID CIAM solution to implement native authentication in a React Native app using the Authentication API.
This is my first time using Entra ID and the new CIAM solution, so I'm still wrapping my head around some of the configuration.
Problem
When trying to obtain a token (via POST /{tenant}/oauth2/v2.0/token) using grant_type=password (using postman), I receive the following error:
"error_description": "AADSTS65001: The user or administrator has not consented to use the application with ID '{Guid here}' named '{App name here}'. Send an interactive authorization request for this user and resource.
What I’ve Tried
- The whole sign-up & sign-in flow in postman
- correctly setting up the userflow and adding the correct mobile app to it
- Giving admin consent in the api permissions tab (even tho, without manually adding the microsoft graph openid that wont work either)
- I've tried this example but when i access consent and permissions in the enterprise app section i get: "This feature is unavailable"
My Doubts
According to the documentation and several posts I've read, the scopes openid, profile, email, and offline_access are default scopes and do not need to be explicitly added via the portal. But in my case, without manually adding and consenting to these, I keep getting the AADSTS65001 error. Also the permissions table shows they dont need admin consent but without it I keep getting "AADSTS65001" error.
Question
Is manually adding these Microsoft Graph default scopes and granting admin consent the correct and intended approach when using Entra ID CIAM with native authentication? Or is there a misconfiguration in my app registration or user flow setup that’s causing this error?
Any guidance or clarification from someone familiar with the new Entra ID CIAM setup would be appreciated.
You need to add the scopes your application requires to the application registration. Based on what you wrote, it seems like you're configured correctly. This, however, does not grant any permissions, it is only configuring which permissions your application will request.
Granting permissions "consent". There are two types of consent, User and Admin. For low-risk scopes like User.Read, you only need User consent (this is the popup you see when first accessing an application). Scopes that represent a higher security risk, however, require both User and Admin consent.
For scopes that require Admin Consent, a user with Administrator access must provide consent first. If that doesn't happen, you'll get the AADSTS65001 error you're seeing.
There are a couple of ways to grant consent, but the simplest is to have an Admin go to the application registration and "Grant admin consent for {tenant name}":
This get a bit more complext when you are registering a multi-tenant application, but it doesn't sound like this applies to your situation.
- Re-send dead letter message in Azure Bus
- How to do random sampling of rows in Synapse Analytics serverless SQL pool?
- How to skip admin approval for external users in an Entra ID multi-tenant application
- Bicep How to use external file to be used in Deployment Script?
- Insufficient Privileges error when retrieving AD User's Entra ID from Microsoft Graph API using email address
- What is the correct way to set a cookie expiration when using Azure AD to login users to an ASP.NET Core 5 Web Application?
- How can I Parse Json in a Azure Function
- Alchemy Websockets: Can't host server on Azure
- How to connect secrets value stored in Azure key vault to Azure app service env variables directly
- I need to use some query results in an alert email notification in Azure ApplicationInsights
- Azure DevOps Pull work items in tree level in Excel
- Azure Event Hubs to share specific partitions with specific consumer groups
- Azure AD B2C vs Microsoft Entra External ID
- How to query OAuth2 permission grants for service principals in Entra ID using Microsoft Graph PowerShell
- How to get the app role's value given an app role ID in Entra ID using Microsoft Graph Powershell?
- How to list all directory extension definitions within an Entra ID tenant?
- How to get error message from action in Logic App
- How do I enable my Azure pipeline to checkout a submodule using Git?
- Azure Mobile App using existing database that has identity column not called id
- Devops self hosted agent - submodule checkout SSH host key verification failed
- How can I read a XML file Azure Databricks Spark
- Azure Command-Line Interface (CLI) error running .NET 8 console app
- Azure windows VM extensions are provisioning failed state VM agent is "Ready" but Backup failed at VM running State GuestAgentSnapshotTaskStatusError
- Android scheme not accepted by IOS when submitting react-native app through Expo EAS
- Azure PowerShell command to list all Azure VM SKU Sizes enabled for Confidential Computing Azure ACC
- Access Azure DevOps Artifact Feed from different organization
- Duplicate record handling with Azure Data Explorer
- File upload fails with 413 Request Entity Too Large in Azure app service but not while running locally
- Azure Tables: best practices for choosing partition/row keys
- Access Denied when accessing Azure Key vault from Azure Functions