microsoft / Dynamics-AX-Integration

Dynamics AX Integration samples and demos.

"AADSTS65001: The user or administrator has not consented to use the application with ID 'Guid' #18

Closed mandarsudame closed 6 years ago

mandarsudame commented 7 years ago

Hi,

I get this error when I am trying to get a token on behalf of a Web API app. There is no client involved here. So I cannot make an interactive acquire token attempt to setup the delegate consent. I have setup the delegate entry in the portal for my application. How can I fix this? Thanks

pserranne commented 7 years ago

We're experiencing the same issue. Did you manage to resolve this issue?

michaelmorin commented 7 years ago

We are having this issue as well and any help would be greatly appreciated. We started having this problem shortly after we started using DYN365O Update 3. Our code worked for a while then one day in mid-January stopped working. I have taken the code here and shown the following:

  1. When pointing to our Update 2 (August Update) DYN365O instance everything works perfectly.
  2. Changing the URI to point to Update 3 we begin to see these errors.

I have searched the internet and I have done everything suggested including:

  1. Setting oauth2AllowImplicitFlow = true in the manifest for the Azure App.
  2. Under permissions for the APP in AAD I have used the Grant Permissions to "grant permissions for all accounts in the directory".
  3. Altering the call to AcquireTokenAsync to include "prompt=admin_consent". I am presented with the prompt screen but even after entering the AAD admin userid/password I get the same error.
     a. Tried other users.
  4. Verified that the user in DYN365O (under System Administration >> Users) is identical in both our Update 2 and Update 3 instances.

mandarsudame commented 7 years ago

This is still a pending problem for me. I have no clue on how to fix the delegate consent.

laneswenka commented 7 years ago

Have you tried to delete the AAD App and have it recreated by the global administrator for the tenant? That should give implicit consent to all users from that tenant.

Regards,


michaelmorin commented 7 years ago

Yes, I have created a new App using the AAD global admin in the New portal and the old portal and tested both. Same error.

pserranne commented 7 years ago

Still did not manage to get it to work here either.

While this is probably configured just fine, can anybody share the clientconfigurationsettings that are being used? I imagine the ActiveDirectoryTenant has been set to "https://login.microsoftonline.com/common"? Are you trying this on a local VM or on an Azure deployed VM (from LCS)?

@laneswenka Is it working on your side? If so can you specify the above and/or any other settings or dependencies you might think of?

michaelmorin commented 7 years ago

This is on an Azure deployed VM (from LCS). The only thing I can think of that might have some effect is that I created the VM using another Global Admin account, not our original Azure Global admin. I would find it odd that it would have an effect but at this point it could be anything. But it did work for about 2 weeks, then this started, so I feel like something changed on Microsoft's end.

pserranne commented 7 years ago

Just to make sure we have also grabbed our Global Admin here and have set it up using his account. Results remain the same. We still get this error as a result. We are also using an Azure deployed VM (from LCS). So this indeed confirms your experience.

Has anybody logged this issue on the Yammer group for D365? I will have a look there and if not log it as an issue and refer to this GitHub topic.

michaelmorin commented 7 years ago

Thanks for doing that. I was on with a Microsoft engineer yesterday and after 1 hour with the code we decided to try connecting via Excel 2016 OData feed. Same thing. So this appears not to be related to the AppIDs as they don't come into play with O365 and DYN365O. This has now been escalated to the Azure admins. I will keep you posted.

laneswenka commented 7 years ago

Hey all,

OData connector in Excel is known to not work with Azure AD authentication:

https://social.technet.microsoft.com/Forums/en-US/2f889c6f-b500-4ba6-bba0-a2a4fee1604f/cannot-authenticate-odata-feed-using-an-organizational-account?forum=powerquery

I'd be happy to hop on a call with someone this week to troubleshoot; we have customers live on AX7 RTW and one that upgraded recently to D365FO and are able to authenticate without issues using custom C# applications as well as middleware such as Dell BOOMI platforms and LogicApps from Microsoft.

Shoot a message to admin@immglobal.com


michaelmorin commented 7 years ago

That is very kind. I will take you up on your offer. I would love to get this resolved. I will send you an email later today.

michaelmorin commented 7 years ago

Hi. So a few things have happened in the last few days for me. The issue has resolved itself and there are 2 different ways it seems to occur:

  1. We spun up a new instance and the new instance does not have the issue. The old instance does. The only thing I changed in my code is the ClientConfiguration.ActiveDirectoryResource and ClientConfiguration.UriString to point to the instance. Seems like instances after February don't exhibit this problem.
  2. The next solution was given to me by a developer friend who happened to have developed apps to integrate with AD and Dynamics. The code below is what he gave me. It opens up a window which you log into, and after that you have consent. Then running the old code will work. Note you need to have the redirect for the app. It will require "using Microsoft.IdentityModel.Clients.ActiveDirectory;"

        using Microsoft.IdentityModel.Clients.ActiveDirectory;

        // Authority for the tenant, e.g. https://login.microsoftonline.com/<tenant>
        AuthenticationContext context = new AuthenticationContext(ActiveDirectoryTenant, TokenCache.DefaultShared);

        // Interactive acquisition: the sign-in window is where the user's consent for this app is recorded.
        AuthenticationResult authenticationResult = context.AcquireTokenAsync(
            ActiveDirectoryResource, // resource being accessed (the D365 instance URL)
            ActiveDirectoryClientAppId, // app ID
            ActiveDirectoryClientRedirect, // Redirect URI on the registered app
            new PlatformParameters(PromptBehavior.Auto)
            ).Result; // blocks on the async call; acceptable in a one-off console/setup tool

Hope this helps.
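As an added example (not code from the repository or from the commenter above), the same consent-establishing prompt wrapped so that it only appears when ADAL has no usable cached token: the silent path is tried first, and the interactive sign-in that records delegated consent runs only on a cache miss. The method parameters stand in for the ClientConfiguration values named in this thread, and checking the exception message for "AADSTS65001" is an assumption about how ADAL surfaces that server error.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public static class ConsentAwareTokenProvider
{
    // Tries the shared cache first; the interactive prompt (where consent is granted)
    // only appears when ADAL reports that no usable token is cached.
    // Parameters mirror the ClientConfiguration values discussed in this thread.
    public static async Task<AuthenticationResult> AcquireAsync(
        string activeDirectoryTenant,        // e.g. https://login.microsoftonline.com/<tenant>
        string activeDirectoryResource,      // the D365 instance URL
        string activeDirectoryClientAppId,   // application (client) ID of the registered app
        Uri activeDirectoryClientRedirect)   // reply URL registered on the app
    {
        var context = new AuthenticationContext(activeDirectoryTenant, TokenCache.DefaultShared);
        try
        {
            // Silent path: succeeds without any UI once a token is in the cache.
            return await context.AcquireTokenSilentAsync(activeDirectoryResource, activeDirectoryClientAppId);
        }
        catch (AdalSilentTokenAcquisitionException)
        {
            // Nothing usable cached: sign in once. This is the step that records
            // delegated consent; afterwards the silent path above succeeds.
            try
            {
                return await context.AcquireTokenAsync(
                    activeDirectoryResource,
                    activeDirectoryClientAppId,
                    activeDirectoryClientRedirect,
                    new PlatformParameters(PromptBehavior.Auto));
            }
            catch (AdalServiceException ex) when (ex.Message.Contains("AADSTS65001"))
            {
                // Assumption: AAD's consent error text is carried in the exception message.
                // Getting here after an interactive sign-in means consent was not granted,
                // so surface that clearly instead of retrying blindly.
                throw new InvalidOperationException(
                    "Consent for this app has not been granted; check the app's delegated " +
                    "permissions and re-run the interactive sign-in as a user who can consent.", ex);
            }
        }
    }
}
```

Call it once from a tool that can show a window; later non-interactive runs that share the same TokenCache will take the silent path.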