Skip to content
Latchkey

Azure AD "AADSTS65001" consent required in CI

Microsoft Entra ID (Azure AD) returned AADSTS65001: the client app has not been granted consent to the permissions it is requesting for this tenant. Without admin consent, the token request is refused.

What this error means

A token acquisition step fails with "AADSTS65001: The user or administrator has not consented to use the application with ID ...". It appears when a CI service principal requests API permissions that were never consented.

Entra ID
AADSTS65001: The user or administrator has not consented to use the application
with ID '11111111-2222-3333-4444-555555555555' named 'ci-deployer'. Send an
interactive authorization request for this user and resource.

Common causes

Admin consent was never granted for the app permissions

The application (client) requests API permissions that require tenant admin consent, and that consent has not been recorded.

A new permission added without re-consent

A permission was added to the app registration after the last consent, so the incremental permission is not yet granted.

How to fix it

Grant admin consent for the app

  1. Open the app registration API permissions in Entra ID.
  2. Grant admin consent for the tenant so the permissions are recorded.
  3. Re-run the CI token request; consent applies tenant-wide.
Terminal
az ad app permission admin-consent --id "$CLIENT_ID"

Use application permissions for machine flows

For CI, prefer application permissions with client_credentials, which are consented once by an admin rather than per user.

How to prevent it

  • Grant admin consent whenever app permissions change.
  • Use application permissions and client_credentials for unattended CI.
  • Track required API permissions in the app registration as code.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →