We are trying to call a web api hosted in azure app service from SPFX react webpart using aadhttpclientfactory.
We are receiving the below error.
Error: Error - Type : interaction_required - Description : AADSTS65001: The user or administrator has not consented to use the application with ID <> named 'SharePoint Online Client Extensibility Web Application Principal'. Send an interactive authorization request for this user and resource.
Please suggest the process to resolve the above issue.
Thanks in advance.
You need to consent to use the application. Go to azure portal->Azure Active Directory->App registrations->find your application->Api permissions->click Grant admin consent button(remember to login with the admin account)
If the permissions does't require admin consent, you can also use individual user consent which doesn't need admin permission.
Related
I am trying to access my web api written in .Net Core from a ReactJs client application. I have registered both the application in Azure AD and given Admin Consent to the Web API in ReactJs API Permission section. Even after configuring this I am getting invalid_grant: AADSTS65001: The user or administrator has not consented to use the application
Can any please help me regarding this please. How should I connect to the web api.
To resolve the error "invalid_grant: AADSTS65001: The user or administrator has not consented to use the application", try the following:
Make sure to have Global admin role and grant admin consent for the below API permissions of your application:
Go to Azure Portal -> Azure Active Directory -> App Registrations -> Your app -> API permissions -> Add permissions
After granting admin consent, please check whether the status turned green or not.
Make sure whether the below options are checked or not in your authentication tab like below:
If still the issue persists, make use of below document if helpful:
4 ways to fix error AADSTS65001 (issues with Admin Consent!) - #SharePointProblems / Koskila.net
I have a Azure Active Directory application and I have provided some of the user delegated permissions for accessing Graph APIs. For example 'user.read' and 'user.read.all' etc.
To provide User Consent for the Graph APIs which have Delegated permission. I need to login using my credentials to the test application (I developed) and then there will be a Popup displayed on the Web UI with title "Permissions requested" to grand the consent. I need to select Accept button to grand the consent.
My questions:
Is there a way we can preauthorize the user consent without following Web UI flow?
Just like the admin consent in Active Directory, is there a way to grant user consent?
Yes, it is possible through MS Graph API.
When you grant user consent, an OAuth2PermissionGrant object is created.
Admin consent also creates one but in that one the principal is set to be "all users".
You can also create these programmatically.
You can see the docs for the API endpoint here.
It is created under the service principal of your app and you specify consentType as "Principal" and principalId as the user's objectId.
I think you may try to hit this url and signed in with the admin account, then you may consent on behalf of your organization. This url is used to get auth code for using auth code flow(generate access token)
https://login.microsoftonline.com/hanxia.onmicrosoft.com/oauth2/v2.0/authorize?
client_id=your_azure_ad_app_clientid
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost:8080%2F
&response_mode=query
&scope=user.read
&state=12345
I have a web app (React app) which can authenticate the user.
The problem is that i'm seeing an AAD error:
invalid_grant: AADSTS65001: The user or administrator has not consented to use the application with ID "My app client ID". Send an interactive authorization request for this user and resource.
Now, under Azure AAD --> App Registrations --> API Permissions, I am seeing the following permission (which is what im trying to use). But I noticed that the status of the permission does NOT say it has been granted.
Question:
Is this the reason/culprit for this error i am seeing?
Yes, that's the most common reason for this error which you are seeing.
So I have registered a new multi-tenant AAD application but trying to log in using the same account I created it with gives me the error
MSAL.Desktop.4.5.0.0.MsalServiceException:
ErrorCode: invalid_client
Microsoft.Identity.Client.MsalServiceException:
AADSTS650051: "Using application 'TestApplication' is currently not supported for your organization sample-company.ch because it is in an unmanaged state. An administrator needs to claim ownership of the company by DNS validation of sample-company.ch before the application TestApplication can be provisioned."
The domain name in question is already verified, so im not sure whats wrong here. After registering the app I just followed their Windows Desktop App Quickstart Guide and tried logging in with their sample project
https://github.com/Azure-Samples/active-directory-dotnet-desktop-msgraph-v2/
Any help would be appreciated
Since your application is for multi-tenant, you probably didn't do user or admin consent for the target tenant.
Try to add &prompt=admin_consent in your request to force admin consent. Log in with an admin account to do admin consent.
Please see details from Understand user and admin consent.
We've been using Azure Active Directory and EWS SOAP web services successfully.
Trying to see if we can use our current authentication method to be able to also invoke Microsoft Graph (i.e. https://graph.microsoft.com/v1.0/me/)
I went into Azure and added Microsoft Graph under App Registrations -> Settings -> Required Permissions.
This was our authorize endpoint url:
https://login.microsoftonline.com/common/oauth2/authorize?resource=https%3A%2F%2Foutlook.office365.com%2F
I changed it to :
https://login.microsoftonline.com/common/oauth2/authorize?resource=https%3A%2F%2Fgraph.microsoft.com
Is this all I had to do? When I try to go through the oAuth 2.0 flow, the authorize request seems successful, then I'm asked to enter my credentials, and then I get an error:
"Misconfigured application. This could be due to one of the
following: The client has not listed any permissions for 'Microsoft
Graph' in the requested permissions in the client's application
registration. Or, The admin has not consented in the tenant. Or, Check
the application identifier in the request to ensure it matches the
configured client application identifier. Please contact your admin to
fix the configuration or consent on behalf of the tenant. Client app
ID: b1313958-.... "
I went into Azure and added Microsoft Graph under App Registrations ->
Settings -> Required Permissions.
You mentioned this as part of your question. Please check if after performing these steps for your App Registration in Azure AD, did you click on the “Grant Permissions” button to provide consent or not.
Looking at the error it seems Consent for Microsoft Graph related permissions isn’t done yet.