Error Code AADSTS65001 and AADSTS65006

Mayank Saxena 1 Reputation point Microsoft Employee
2022-10-20T09:58:05.967+00:00

I have an enterprise multitenant application where I have added the scope/permissions for Graph (e.g. openid, user.read) in the MSFT tenant.

Now I have logged in to another tenant and, using the same application, I am trying to generate the Graph token, but the call to
https://login.microsoftonline.com/common/oauth2/v2.0/token is failing with 400, followed by a 403 error in all Graph calls.

Error after masking some IDs:

{"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID 'xxxx' named 'some-name'. Send an interactive authorization request for this user and resource.\r\nTrace ID: xxxxxx\r\nCorrelation ID: rrrrrrr\r\nTimestamp: dddd","error_codes":[65001],"timestamp":"33333","trace_id":"5ffddd","correlation_id":"ddddd","suberror":"consent_required"}

I have tried the following link to provide the consent; still it did not work, nothing happens, just a pop-up that keeps coming when I hit the following URL:

https://login.microsoftonline.com/<tenantId>/adminconsent?client_id=<clientid>

At last I also tried giving consent by logging the other tenant's admin in to the same application:
Click the Permissions tab
Click Grant consent

The following error comes (masking all IDs):

"https://portal.azure.com/TokenAuthorize?error=invalid_request&error_description=AADSTS65006%3a+Resource+%xxxx+had+no+entitlements+matching+required+permissions+configured+on+the+required+resource+access+for+client+%xxxx%27.+Requested+permission+IDs%3xxxx.+This+is+a+problem+with+one+or+more+invalid+permission+ids+on+the+client+RRA+configuration+or+the+resource+entitlement+configuration.%0d%0aTrace+ID%3a+xxxx%0aCorrelation+ID%xxxxx%0aTimestamp%3a+xxxx&admin_consent=True"
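Added example (not from the original post): a small Python helper that parses the token-endpoint error body quoted above, pulls out the AADSTS code, suberror and the trace/correlation IDs a support ticket needs, and builds the per-tenant v2.0 admin consent URL for the tenant that has not consented. The tenant ID, client ID, redirect URI and scopes in the usage are placeholders.

```python
import json
import re
from urllib.parse import urlencode

# Constructed sample: the body the token endpoint returned in the question above,
# with the identifiers masked exactly as they were in the post.
SAMPLE_TOKEN_ERROR = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS65001: The user or administrator has not consented to use the "
                         "application with ID 'xxxx' named 'some-name'. Send an interactive "
                         "authorization request for this user and resource.\r\nTrace ID: xxxxxx"
                         "\r\nCorrelation ID: rrrrrrr\r\nTimestamp: dddd",
    "error_codes": [65001], "timestamp": "33333", "trace_id": "5ffddd",
    "correlation_id": "ddddd", "suberror": "consent_required",
})


def _after(desc: str, label: str):
    """Fallback: read 'Trace ID: ...' / 'Correlation ID: ...' out of error_description."""
    m = re.search(rf"{label}: (\S+)", desc)
    return m.group(1) if m else None


def parse_aadsts_error(body: str) -> dict:
    """Flatten a failed /oauth2/v2.0/token response into a record for logging and routing.

    The AADSTS number comes from error_codes, with the 'AADSTSnnnnn:' prefix of
    error_description as a fallback; trace and correlation IDs are kept because
    Microsoft support asks for them."""
    data = json.loads(body)
    desc = data.get("error_description", "")
    m = re.match(r"AADSTS(\d+):", desc)
    codes = data.get("error_codes") or []
    code = codes[0] if codes else (int(m.group(1)) if m else None)
    return {"error": data.get("error"), "suberror": data.get("suberror"), "aadsts": code,
            "trace_id": data.get("trace_id") or _after(desc, "Trace ID"),
            "correlation_id": data.get("correlation_id") or _after(desc, "Correlation ID")}


def consent_is_missing(err: dict) -> bool:
    """The AADSTS65001 / consent_required case from the question: a silent token
    request cannot succeed until the user or a tenant admin has consented."""
    return (err["error"] == "invalid_grant" and err["suberror"] == "consent_required"
            and err["aadsts"] == 65001)


def admin_consent_url(tenant_id: str, client_id: str, redirect_uri: str, scopes: list) -> str:
    """Build the v2.0 admin consent URL for the tenant that has not consented yet.
    Use that tenant's ID rather than 'common': consent is recorded per tenant."""
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                       "scope": " ".join(scopes)})
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0/adminconsent?{query}"
```

After the admin of the other tenant completes that URL, the silent request to the token endpoint for users of that tenant should stop returning consent_required.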


1 answer

  1. HarmeetSingh7172 4,811 Reputation points
    2022-10-20T11:19:14.453+00:00

    Hello @Mayank Saxena

    Thanks for reaching out!

    Based on my research, the error AADSTS65001 usually occurs when you have missed granting admin consent to the added scope while retrieving the access token.

    To resolve the error, please check whether you exposed the API like below:

    Go to Azure Portal -> Azure Active Directory -> App Registrations -> Your App -> Expose an API

    After exposing the API, make sure to grant API permissions for it like below:

    Go to Azure Portal -> Azure Active Directory -> App Registrations -> Your App -> API permissions -> Add a permission -> My APIs -> Your API

    After adding API permissions, make sure to grant admin consent if it is required.

    As you are trying to get access token, please check whether you enabled the below options:

    Go to Azure Portal -> Azure Active Directory -> App Registrations -> Your App -> Authentication

    Note: Please make sure to add your client application to the known client applications list.

    Refer to these for more details:

    1. https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-aadsts-error-codes#aadsts-error-codes
    2. https://github.com/MicrosoftDocs/azure-docs/issues/33008
    3. https://learn.microsoft.com/en-us/answers/questions/545439/index.html

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.