User getting prompted for credentials for every application using SSO

SyrinxTemple 1 Reputation point
2024-08-06T22:22:39.01+00:00

I have a user who is constantly prompted for credentials when signing into applications with SSO (that no one else has issues signing into).

Here's the error: "Error: 0xCAA5001C Token broker operation failed.

Operation name: GetTokenSilently, Error: -895352830 (0xcaa20002), Description: AADSTS65002: Consent between first party application 'e9c51622-460d-4d3d-952d-966a5b1da34c' and first party resource 'f2d19332-a09d-48c8-a53b-c49ae5502dfc' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API."

The first GUID above, "e9c51622-460d-4d3d-952d-966a5b1da34c", is MICROSOFT EDGE. I have tried cleaning the image with DISM and scanned with SFC at least a dozen times. Left and rejoined Entra numerous times. Aside from wiping and reloading this PC, not sure what else to try. TIA!

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Gudivada Adi Navya Sri 21,085 Reputation points Moderator
    2024-08-07T04:30:57.03+00:00

    Hi @SyrinxTemple

    Thank you for posting this in Microsoft Q&A.

    I understand that a user is repeatedly prompted for credentials when signing into applications with Single Sign-On, a problem that others do not encounter, and the user received the error: "Error: 0xCAA5001C Token broker operation failed."

    Could you provide more details about the issue, such as the types of applications the user is attempting to access? Are they encountering the same error across all applications or just one? Have they tried accessing them in different browsers?

    Meanwhile you can try the following solutions to fix the error:

    1. After you log on to a Windows 10-based computer, you try to access Microsoft Edge for Business. However, Microsoft Entra authentication fails, and some events are logged in the Microsoft-Windows-AAD/Operational log. Enable the registry key on the device.

    Please refer to the documentation to enable the registry key: https://learn.microsoft.com/en-us/troubleshoot/windows-client/user-profiles-and-logon/event-1098-error-0xcaa5001c

    2. You can't modify permissions for first-party applications. When attempting to modify permissions for first-party applications, it throws error AADSTS65002.

    The first-party application, for example, in the error above is the first GUID, i.e. 'e9c51622-460d-4d3d-952d-966a5b1da34c'; it must follow a special internal process to get additional permissions consented in order to access the first-party application resource 'f2d19332-a09d-48c8-a53b-c49ae5502dfc'. To remediate this, ensure that the requested permissions/scopes have been preauthorized or approved by the resource owner. Has the user granted permissions to the first-party applications? Designate privileged scopes to require admin consent; this measure ensures that admins can safeguard critical data against malicious applications.

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
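The answer above asks which applications fail and points at the Microsoft-Windows-AAD/Operational log. The following is an added example (not part of the original thread or Microsoft's article) that gathers exactly that evidence on the affected PC: it lists the token-broker failures (event 1098) grouped by client app, resource and AADSTS code, converts the signed decimal error the broker logs (e.g. -895352830) back to the 0xCAA… form used in the docs, and prints the device's join and PRT state from dsregcmd. The log name, event ID and dsregcmd field names are what Windows emits; the one-day window and the regular expressions over the message text are my assumptions. Run it in an elevated PowerShell session.

```powershell
# Added example, not from the original thread. Assumes: a 1-day lookback and
# that the 1098 message text contains "application '<guid>'", "resource '<guid>'"
# and "Error: <signed decimal>" as in the question.

function Convert-SignedToHex {
    # The broker logs HRESULT-style codes as signed 32-bit decimals; show them
    # as 0xCAA... so they can be matched against the documentation.
    param([Parameter(Mandatory)][long]$Value)
    '0x{0:X8}' -f ($Value -band 0xFFFFFFFF)
}

$since  = (Get-Date).AddDays(-1)                              # assumption: last 24h
$filter = @{ LogName = 'Microsoft-Windows-AAD/Operational'; Id = 1098; StartTime = $since }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $msg = $_.Message
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = $_.UserId                                # SID of the signing-in user
            AADSTS   = [regex]::Match($msg, 'AADSTS\d+').Value
            Client   = [regex]::Match($msg, "application '([0-9a-fA-F-]{36})'").Groups[1].Value
            Resource = [regex]::Match($msg, "resource '([0-9a-fA-F-]{36})'").Groups[1].Value
            Codes    = ([regex]::Matches($msg, 'Error: (-?\d+)') |
                        ForEach-Object { Convert-SignedToHex ([long]$_.Groups[1].Value) } |
                        Select-Object -Unique) -join ','
        }
    } |
    Group-Object -Property Client, Resource, AADSTS |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# SSO state. On a healthy Entra-joined device AzureAdJoined, AzureAdPrt and
# WamDefaultSet are all YES; with no PRT every broker-backed app re-prompts.
dsregcmd /status | Select-String -Pattern 'AzureAdJoined|AzureAdPrt\b|AzureAdPrtUpdateTime|WamDefaultSet|TenantName'
```

If only one client/resource pair shows up (as in the question, Edge against a single first-party resource) the problem is that pairing on this device; if every broker-backed app appears, look first at the PRT lines from dsregcmd, since a missing or stale PRT produces the same repeated prompts regardless of application.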


  2. Abiola Akinbade 30,480 Reputation points Volunteer Moderator
    2024-08-07T04:33:22.2533333+00:00

    The error happens when someone tries to use an App ID that belongs to Microsoft. This isn't allowed because it could let them pretend to be a Microsoft app when calling APIs.

    To solve:

    1. Register a new app ID in Azure portal:
      • Go to Azure Active Directory > App registrations > New registration
      • Enter app name, select account types, and set redirect URI
      • Click Register
    2. Update application code:
      • Replace old app ID with new one in code
    3. Configure API access for new app ID:
      • In Azure portal, go to API management
      • Select target API > Access control (IAM)
      • Add role assignment for new app ID
    4. Test application:
      • Run app and verify it can access required APIs without errors

    See:

    https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes

    You can mark it 'Accept Answer' and 'Upvote' if this helped you

    Regards,

    Abiola
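Steps 1 to 3 of the answer above, done with the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not part of the original thread. It registers a tenant-only application with its own client ID, requests a delegated Microsoft Graph scope, and creates the service principal that will receive consent and sign-ins. The display name, redirect URI and chosen scope are assumptions; the Microsoft Graph resource app ID and the User.Read permission ID are the published well-known values. Requires an account allowed to create app registrations.

```powershell
# Added example, not from the original thread. Assumptions: display name,
# redirect URI and the User.Read scope; adjust to the API your app calls.
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

$graphAppId = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph (well-known)
$userReadId = 'e1fe6dd8-ba31-4d61-89e7-88639da4683d'   # User.Read, delegated (well-known)

$app = New-MgApplication -DisplayName 'contoso-sso-client' `
    -SignInAudience 'AzureADMyOrg' `
    -Web @{ RedirectUris = @('https://localhost:5001/signin-oidc') } `
    -RequiredResourceAccess @(
        @{
            ResourceAppId  = $graphAppId
            ResourceAccess = @(@{ Id = $userReadId; Type = 'Scope' })
        }
    )

# The service principal is the tenant-side object that consent is granted to.
$sp = New-MgServicePrincipal -AppId $app.AppId

"New client ID to put in the application code: $($app.AppId)"
"Service principal object ID: $($sp.Id)"
```

The value in `$app.AppId` is the one that replaces the Microsoft-owned GUID in the code; admin consent for the requested scopes is then granted on the enterprise application in the portal. A client ID you generated this way is yours to consent to, which is what a Microsoft-owned ID such as Edge's never will be.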

