This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 69%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
Hi,
I have a SPA and backend applications that both have app registrations in Entra.
For the SPA app registration I have granted Admin Consent for the Microsoft Graph permissions email, openid, profile, offline_access and User.Read as well as the backend app registration's role (api://<app_id>/Default).
The configuration under Enterprise Applications -> Consent and permissions -> User consent settings is 'Do not allow user consent' and users cannot request admin consent to apps they are unable to consent to. This is due to org wide policy.
The SPA as part of user login first makes a request to get an access token via the OAuth authorization_code flow and this succeeds.
However when it tries to use the refresh token supplied from the last request to obtain a further token we get the response:
{"error": "invalid_grant",
"error_description": "AADSTS65001: The user or administrator has not consented to use the application with ID '<app-id>' named '<appname>'. Send an interactive authorization request for this user and resource. ...",
"error_codes": [ 65001 ]
}
We have tried changing all sorts of settings to do with consent or scopes but nothing changes this error.
One thing to note is if we replicate the config using a free trial of Entra with a different account then it works.
What organisation/tenant level settings are there that could cause the error above?
Refresh tokens leverage the offline_access permission, so make sure that has been granted on the app. If the tenant is blocking consent altogether, an admin will need to do this. Or they can "whitelist" the offline_access permission under User consent settings, so that end users can grant it to apps. This is in fact part of the default configuration, which is why your app works as expected in other tenants.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 51%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
Hi @jbf
Just checking in to see if above answer was helpful. If you have any further updates on this issue, please feel free to post back.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 63%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Thanks. My colleague Josiah is away this week, but he has come back to say he's already tried that kind of thing. Do you have any other ideas?
Hi @jbf
I understand that you are unable to request Access Token via refresh token grant type. and encountering error code AADSTS65001:" The user or administrator has not consented to use the application".
Try to construct the URL for granting tenant-wide admin consent Navigate to application under Application > API permissions > Grant admin consent.
For more information. Follow the document: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal#construct-the-url-for-granting-tenant-wide-admin-consent
If your app needs user consent, you can construct a consent URL like this:
https://login.microsoftonline.com/{organization}/adminconsent?client_id={client-id}
Hope this helps. Do let us know if you have any further queries.
Thanks,
B. Siri Chandana.
Hi @jbf
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Thanks for this. My colleague Josiah is away this week and he will look into this next week. He'll get back to you then. Cheers.
Hi,
Thank you for your answers.
I think all places where admin consent can be granted it has already been granted. This has been done for offline_access as well as other Microsoft Graph permissions (email, openid, profile, User.Read) Unfortunately the same issue persists.
In the Entra admin centre there are two places I can see where you can grant admin consent:
Is there any difference between granting admin consent in these two locations? Are there any other levels of admin consent we can grant than these two places?
Thanks,
Josiah
Yes, those are different things. On the App registration side, you "define" which permissions your app needs, whereas the actual granting of permissions happens on the customer's side, via the service principal (enterprise application) representing your app. In your case, the customer in question must ensure that the offline_access scope has been consented to for your app.
Thanks for your help, I eventually tracked down the issue which I've described in my answer below.
The problem was caused by a miss naming of the backend application scope in the token request
i.e. the scope was 'api://<app-id>/ScopeName' and the frontend app registration had been incorrectly configured to request a scope that didn't exist 'api://<app-id>/WrongScopeName'.
The reason we only saw the error for the refresh token was because the MSAL library that we were using for the SPA auth only adds the app scope in the refresh grant type request and not the initial token request.
Hello @jbf
I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer.
Issue: Unable to request Access Token via refresh_token grant type
"The problem was caused by a miss naming of the backend application scope in the token request"
The reason was you only saw the error for the refresh token was because the MSAL library that we were using for the SPA auth only adds the app scope in the refresh grant type request and not the initial token request.
If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Thanks,
B. Siri Chandana.