AVD setup configured with SSO errors at the consent form AADSTS65002

Jonathan Kent 20 Reputation points
2025-06-10T15:14:33.29+00:00

I have just created a VDI infrastructure configured to use SSO and when connecting for the first time using RDWEB I get a consent page. I select 'server app', put in the tenant ID retrieved from Entra and then get the error:

"AADSTS65002: Consent between first party application '9cdead84-a844-4324-93f2-b2e6bb768d07' and first party resource '00000002-0000-0000-c000-000000000000' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API. Trace ID: d8a0a565-5e98-4e2d-93de-639e6e45ba00 Correlation ID: 72bf8f64-86bc-4225-afd3-b85ae8920521"

From Enterprise Applications in Entra:
9cdead84-a844-4324-93f2-b2e6bb768d07 is 'Azure Virtual Desktop'

00000002-0000-0000-c000-000000000000 is 'Windows Azure Active Directory'

What am I missing, as I have been through the setup a couple of times and get the same error? Thanks in advance for your help.


Accepted answer
Arko 4,150 Reputation points Microsoft External Staff Moderator
2025-06-19T07:02:14.3666667+00:00

Hello Jonathan Kent,

Hope you got a chance to review Markapuram Sudheer Reddy's suggestion. Markapuram has provided solid guidance based on the official documentation, which covers the core configuration aspects for enabling SSO in Azure Virtual Desktop. However, there are a few additional inputs from my end that I’d like to add to this post. Please review them once and let us know your findings.

From the error message you’re encountering, specifically AADSTS65002, it appears that the consent prompt you're seeing is attempting to authorize access between two Microsoft-owned (first-party) applications: Azure Virtual Desktop (9cdead84-a844-4324-93f2-b2e6bb768d07) and Windows Azure Active Directory (00000002-0000-0000-c000-000000000000). This type of consent is not intended to be granted manually by end users or tenant admins and must be handled via internal preauthorization within Microsoft’s platform. In other words, attempting to authorize this manually using your tenant ID via the legacy consent page will always result in failure, as this path is not supported.

The fact that you're seeing the consent screen even before signing into your tenant suggests that the prompt is likely being cached or triggered locally—possibly due to redirection or legacy configuration in the browser. Also, the URL you’re using (https://rdweb.wvd.microsoft.com) points to an older RDWeb endpoint which is generally not used anymore for the modern ARM-based Azure Virtual Desktop experience.

Instead, I would recommend using the current supported web client endpoint: https://client.wvd.microsoft.com/arm/webclient

This endpoint uses the modern authentication flow and does not require any manual consent for the server app. If you haven’t already, please try accessing AVD through this URL using an InPrivate or Incognito browser session to rule out cache-related issues.

Additionally, double-check that there are no conditional access policies or token issuance restrictions blocking access for browser clients. Reviewing the sign-in logs in Entra ID can help confirm this. If you still face the issue, then please share the full Trace ID and Correlation ID from the AADSTS error to evaluate further. Let us know how it goes after trying these steps. Thanks.

1 person found this answer helpful.
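The answer above points at the Entra ID sign-in log to separate the legacy-endpoint first-party consent failure from a conditional access block. The following is an added example (not code from the thread or from Microsoft) that triages a JSON export of that log: it assumes the Microsoft Graph `signIn` record shape (`appId`, `resourceId`, `status.errorCode`, `correlationId`, `conditionalAccessStatus`) and uses constructed sample records with placeholder correlation IDs.

```python
"""Triage exported Entra ID sign-in events for the AVD SSO failure discussed above."""
import json

# IDs quoted in the question: the AVD first-party app and the Entra resource it asked for.
AVD_APP_ID = "9cdead84-a844-4324-93f2-b2e6bb768d07"
AAD_RESOURCE_ID = "00000002-0000-0000-c000-000000000000"
FIRST_PARTY_CONSENT_ERROR = 65002  # numeric part of AADSTS65002

# Constructed sample export (not real tenant data): one legacy-endpoint consent
# failure, one conditional access block, one successful modern web client sign-in.
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "user@example.com", "appId": AVD_APP_ID,
     "appDisplayName": "Azure Virtual Desktop", "resourceId": AAD_RESOURCE_ID,
     "status": {"errorCode": 65002,
                "failureReason": "Consent ... must be configured via preauthorization"},
     "correlationId": "00000000-0000-0000-0000-00000000aaaa",
     "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "user@example.com", "appId": AVD_APP_ID,
     "appDisplayName": "Azure Virtual Desktop", "resourceId": "placeholder-resource-id",
     "status": {"errorCode": 53003, "failureReason": "Blocked by Conditional Access"},
     "correlationId": "00000000-0000-0000-0000-00000000bbbb",
     "conditionalAccessStatus": "failure"},
    {"userPrincipalName": "user@example.com", "appId": AVD_APP_ID,
     "appDisplayName": "Azure Virtual Desktop", "resourceId": "placeholder-resource-id",
     "status": {"errorCode": 0, "failureReason": "Other."},
     "correlationId": "00000000-0000-0000-0000-00000000cccc",
     "conditionalAccessStatus": "success"},
])


def triage_signins(export_json):
    """Bucket failed sign-ins by cause; each bucket lists correlation IDs to share with support."""
    findings = {"first_party_consent": [], "conditional_access_block": [], "other_failure": []}
    for event in json.loads(export_json):
        code = event.get("status", {}).get("errorCode", 0)
        if code == 0:
            continue  # successful sign-in, nothing to triage
        # AADSTS65002 between the two first-party IDs is the legacy RDWeb consent path
        # from the question, which no tenant-side consent grant can fix.
        if (code == FIRST_PARTY_CONSENT_ERROR and event.get("appId") == AVD_APP_ID
                and event.get("resourceId") == AAD_RESOURCE_ID):
            findings["first_party_consent"].append(event["correlationId"])
        elif event.get("conditionalAccessStatus") == "failure":
            findings["conditional_access_block"].append(event["correlationId"])
        else:
            findings["other_failure"].append(event["correlationId"])
    return findings


if __name__ == "__main__":
    print(json.dumps(triage_signins(SAMPLE_EXPORT), indent=2))
```

A non-empty `first_party_consent` bucket means users are still reaching the legacy endpoint; a non-empty `conditional_access_block` bucket points at the policy review the answer recommends.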
