We're doing this CRM Web API project. The project logs into a Dynamics CRM Online instance and gets the list of accounts.
The login seems to be happening fine. However, the accounts listing is giving the below error:
AADSTS65001: The user or administrator has not consented to use the application with ID 'xxxx-xxxxx-xxxx-xxx'. Send an interactive authorization request for this user and resource. Trace ID: e3b360d6-39fb-4e61-87d9-26531f30fd7b Correlation ID: 9b2cff0c-074e-44fe-a169-77c8061a7312 Timestamp: 2016-10-18 10:12:49Z
The permissions are properly set:
What is the problem?
For me, this error occurred all of a sudden, and that too for a few users only.
My setup was a SPA app trying to access an API. I deleted the API permission from the SPA app registration and added it again. It worked.
I was getting this error in a native application using ADAL. I had given all of the correct permissions, but had already received a token from a previous sign-in. My issue was that the previous token was stale and did not contain the updated claims. For me, the solution was to use PromptBehavior.RefreshSession as per the code below.
As per MSDN, PromptBehavior.RefreshSession "Re-authorizes (through displaying webview) the resource usage, making sure that the resulting access token contains updated claims. If user logon cookies are available, the user will not be asked for credentials again and the logon dialog will dismiss automatically."
Give ALL permissions. You'll find multiple drop-downs (like the one you're showing in the screenshot).
Each drop-down item will have multiple checkboxes referring to different credentials. Check each and you're okay.
An admin must consent to the permissions. You should make an authorization request to Azure AD that includes the parameter prompt=admin_consent.
As in the documentation here, the prompt parameter can have 3 values: login, consent, or admin_consent.
So, you should go to a URL such as https://login.microsoftonline.com/tenant-id/oauth2/authorize?client_id=app-client-id&redirect_uri=encoded-reply-url&response_type=code&prompt=admin_consent.
Replace tenant-id with your Azure AD tenant id/domain name, or common if your app is multi-tenant. Replace app-client-id with your app's client id. Replace encoded-reply-url with a URL-encoded reply URL of your app.
An easier way of constructing the URL you need is to go through authentication and just grab the URL in the address bar when you hit Azure AD. Then just add &prompt=admin_consent to the URL.
EDIT: With the newest update to the Azure Portal came the ability to grant permissions from the portal directly.
If you go to Azure Active Directory in the new portal, find your app registration there and click Grant Permissions under the Required permissions blade.
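The two ways of producing the admin-consent request described in the answer above (building the v1 authorize URL from scratch, and taking a URL captured from the address bar and appending prompt=admin_consent), as an added Python example that is not part of the original question or answers. The tenant, client id and reply URL are constructed placeholders; the optional resource parameter is a standard v1 endpoint parameter that the answer's URL does not include, added here for the case where consent must be granted for a specific API such as CRM. The example also covers an edge case the answer does not mention: a captured URL that already carries a prompt value, which must be replaced rather than duplicated.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Values the v1 endpoint's prompt parameter accepts, as listed in the answer.
PROMPT_VALUES = ("login", "consent", "admin_consent")

AUTHORITY = "https://login.microsoftonline.com"


def build_admin_consent_url(tenant, client_id, redirect_uri, resource=None, prompt="admin_consent"):
    """Build the v1 /oauth2/authorize URL for an admin-consent request.

    tenant is a tenant id, a verified domain name, or "common" for a
    multi-tenant app. redirect_uri is URL-encoded by urlencode, so it must be
    passed in plain form. resource (assumption: optional, not in the answer's
    URL) names the API being consented to.
    """
    if prompt not in PROMPT_VALUES:
        raise ValueError(f"prompt must be one of {PROMPT_VALUES}, got {prompt!r}")
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "prompt": prompt,
    }
    if resource:
        params["resource"] = resource
    return f"{AUTHORITY}/{tenant}/oauth2/authorize?{urlencode(params)}"


def add_admin_consent(authorize_url):
    """Set prompt=admin_consent on an authorize URL captured from the browser.

    Any prompt value already in the query (e.g. prompt=login added by the
    app's own sign-in flow) is dropped first, so the request never carries two
    conflicting prompt parameters. All other parameters (state, nonce, ...)
    are preserved and re-encoded.
    """
    parts = urlsplit(authorize_url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "prompt"]
    query.append(("prompt", "admin_consent"))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own tenant, app and reply URL.
    print(build_admin_consent_url(
        "contoso.onmicrosoft.com",
        "11111111-2222-3333-4444-555555555555",
        "https://localhost/callback",
    ))
    captured = ("https://login.microsoftonline.com/common/oauth2/authorize?"
                "client_id=11111111-2222-3333-4444-555555555555"
                "&redirect_uri=https%3A%2F%2Flocalhost%2Fcallback"
                "&response_type=code&prompt=login&state=xyz")
    print(add_admin_consent(captured))
```

Open the printed URL in a browser while signed in as a tenant administrator; after consent Azure AD redirects to the reply URL with a code (or an error) in the query string, and the consent is recorded for all users of the tenant.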