
I got the error when trying to get an access key for one of our APIs: "AADSTS65001: The user or administrator has not consented to use the application with ID '{GUID}'."

First, I was trying to prompt=consent during login, thinking that I had new consents that weren't prompted during login. And I got the following error. "AADSTS65005: The application '{GUID}' asked for permissions to access a resource that has been removed or is no longer available. Contact the app vendor." I removed prompt=consent and started fiddling with the permissions in Azure, and now I was stuck on the same error.

I changed everything as it was, but I still get the error. However, this only happens to my user. Everyone else can still log in without problems.

So my problem is actually in two parts:

  1. The first error when trying to get an access token for the API. Somehow I need to prompt the user with consent, but I am using adal.js which uses a silent retrieval of the keys using an invisible iframe. I want the support to be when the user logs into the web app. Is this possible?

  2. My user can't log in to our web app anymore. Everyone else can. Did anyone encounter this before?

The product is a SPA Web App written in React, and we use adal.js (adal-vanilla) as a library for authentication to Azure AD.

Update: I finally got some stuff working. Not all the way, but at least it's a start.

  1. The problem with this is that users registered on other tenants (this is a multi-tenant app) don't get consent to use the API. These users get the error. However, I registered a user on the same tenant, and everything worked as intended.
  2. Problem two was solved by removing all the permissions, adding them one by one, and testing in between. Somehow this worked after two-three tries.

The problem is that users from other tenants don't get a consent prompt to access the API.

Fralle

2 Answers


Somehow the issue got fixed, I'm not 100% sure how or why but here are the steps I performed to fix it if someone finds themselves in a similar situation:

  1. Ensure that all permissions are correct (APIs are added as delegated permissions to the client)
  2. All services (web app & apis) are multitenant
  3. Update manifest with:

  "availableToOtherTenants": true,
  "knownClientApplications": [
    "{client app application id}"
  ],
(availableToOtherTenants was false for the API even though it was marked as multitenant in the settings)
Fralle
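The three steps above amount to a consistency check between the API's manifest and the web app's manifest. The following is an added example, not code from the answer or from Microsoft, that performs that check offline on two manifest objects: it verifies availableToOtherTenants, that the web app is listed in knownClientApplications, and that every permission the web app requires on the API is still exposed and enabled as a delegated scope (the mismatch that can remain after an API registration is re-created). The property names are the Azure AD v1 manifest fields; the GUIDs are constructed placeholders.

```javascript
// Cross-check an API app registration manifest against the client (web app) manifest.
// Returns a list of human-readable findings; an empty list means the pair is consistent.
function checkManifests(apiManifest, clientManifest) {
  const findings = [];

  // Index the delegated permissions the API exposes, by permission id.
  const exposedScopes = {};
  (apiManifest.oauth2Permissions || []).forEach(function (p) {
    exposedScopes[p.id] = p;
  });

  // 1. Users from other tenants can only consent if the API itself is multi-tenant.
  if (apiManifest.availableToOtherTenants !== true) {
    findings.push('api: availableToOtherTenants is not true');
  }

  // 2. The web app must be a known client so that one consent covers app and API together.
  if ((apiManifest.knownClientApplications || []).indexOf(clientManifest.appId) === -1) {
    findings.push('api: knownClientApplications does not contain client appId ' + clientManifest.appId);
  }

  // 3. Every permission the client requires on the API must still exist, be enabled,
  //    and be delegated (type "Scope"). A stale id is the kind of mismatch behind AADSTS65005.
  const apiEntries = (clientManifest.requiredResourceAccess || []).filter(function (r) {
    return r.resourceAppId === apiManifest.appId;
  });
  if (apiEntries.length === 0) {
    findings.push('client: requiredResourceAccess has no entry for API appId ' + apiManifest.appId);
  }
  apiEntries.forEach(function (r) {
    (r.resourceAccess || []).forEach(function (a) {
      const scope = exposedScopes[a.id];
      if (!scope) {
        findings.push('client: requires permission id ' + a.id + ' that the API no longer exposes');
      } else if (scope.isEnabled === false) {
        findings.push('client: requires permission ' + scope.value + ' which is disabled on the API');
      } else if (a.type !== 'Scope') {
        findings.push('client: permission ' + scope.value + ' must be delegated (type "Scope"), got ' + a.type);
      }
    });
  });
  return findings;
}

// Constructed sample manifests (all GUIDs are placeholders, not real registrations).
const API_MANIFEST = {
  appId: '11111111-1111-1111-1111-111111111111',
  availableToOtherTenants: true,
  knownClientApplications: ['22222222-2222-2222-2222-222222222222'],
  oauth2Permissions: [
    { id: 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', value: 'user_impersonation', isEnabled: true }
  ]
};
const CLIENT_MANIFEST = {
  appId: '22222222-2222-2222-2222-222222222222',
  requiredResourceAccess: [
    {
      resourceAppId: '11111111-1111-1111-1111-111111111111',
      resourceAccess: [{ id: 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', type: 'Scope' }]
    }
  ]
};

// A broken variant: the API was re-created (new permission id) and lost its multi-tenant flag,
// while the client still references the old permission id.
function brokenApiManifest() {
  return Object.assign({}, API_MANIFEST, {
    availableToOtherTenants: false,
    oauth2Permissions: [
      { id: 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', value: 'user_impersonation', isEnabled: true }
    ]
  });
}

console.log('consistent pair:', checkManifests(API_MANIFEST, CLIENT_MANIFEST));
console.log('broken pair:', checkManifests(brokenApiManifest(), CLIENT_MANIFEST));
```

Run it against the two manifests downloaded from the portal's Manifest button (parse them with JSON.parse) and fix every finding before retrying consent; the third finding in particular cannot be cleared by prompting the user again, only by updating the client's requiredResourceAccess to the permission ids the API currently exposes.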

The consent might be possible to fix with prompt=admin_consent.

As for the second problem, you can add your web app as a known client application of the API. This will allow simultaneous consent when the user authenticates to the web app.

To do that, find the API app registration in Azure Portal's Azure AD blade. Then open its manifest (there is a Manifest button on the app blade). In there should be a "knownClientApplications" property. Add the client id of the web app in the array and save the manifest.

E.g.:

"knownClientApplications": [
  "bda6ffff-ffff-ffff-ffff-ffff8bf8c57f"
],
juunas
  • Manifest seemed to fix it, at least for new users; access token got fetched and the API call went through with a 200 response. However, when I tried logging out and logging in again with the same user, this prompted the error message when fetching the access token: "AADSTS65001: The user or administrator has not consented to use the application with ID '{GUID}'. Send an interactive authorization request for this user and resource." – Fralle Jun 22 '17 at 08:16
  • If you try going through with prompt=consent again, it should prompt for consent for the API as well. – juunas Jun 22 '17 at 08:17
  • I added prompt=consent and I got: "AADSTS65005: The application '{GUID}' asked for permissions to access a resource that has been removed or is no longer available. Contact the app vendor." when trying to log in. – Fralle Jun 22 '17 at 08:19
  • Hmm, it sounds like then that the app with that GUID is requesting permissions for something it shouldn't. Could you double-check the required permissions for both the Web App and API? And maybe could you add screenshots to the question of the required permissions? – juunas Jun 22 '17 at 08:20
  • Well, I doubt Azure AD Graph API is the one causing the error. Have you perhaps re-created the InvoiceRegistry app at some point or modified the permissions it offers? You can check in the Web App's manifest what permissions it requires very specifically. Check that those match with the API. – juunas Jun 22 '17 at 08:29
  • Not sure what I should be looking for. Is it requiredResourceAccess? Updated question with screenshots of manifests. – Fralle Jun 22 '17 at 08:50
  • Possible reason for error. Adal.js has no consent on `login()` calls as they don't request access to any resource. As such, the lack of consent in a multi-tenant case results in the service principal not being created in the new user's tenant. I'm not certain, so you should test this. Look into the new user's tenant and see if there's a service principal inside for your app. If not, then try [provisioning the service principal with powershell](https://learn.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0) and see if the error goes away. – Daniel Dobalian Jun 23 '17 at 01:00