Azure AD "AADSTS65001" consent required in CI
Microsoft Entra ID (Azure AD) returned AADSTS65001: the client app has not been granted consent to the permissions it is requesting for this tenant. Without admin consent, the token request is refused.
What this error means
A token acquisition step fails with "AADSTS65001: The user or administrator has not consented to use the application with ID ...". It appears when a CI service principal requests API permissions that were never consented.
AADSTS65001: The user or administrator has not consented to use the application
with ID '11111111-2222-3333-4444-555555555555' named 'ci-deployer'. Send an
interactive authorization request for this user and resource.Common causes
Admin consent was never granted for the app permissions
The application (client) requests API permissions that require tenant admin consent, and that consent has not been recorded.
A new permission added without re-consent
A permission was added to the app registration after the last consent, so the incremental permission is not yet granted.
How to fix it
Grant admin consent for the app
- Open the app registration API permissions in Entra ID.
- Grant admin consent for the tenant so the permissions are recorded.
- Re-run the CI token request; consent applies tenant-wide.
az ad app permission admin-consent --id "$CLIENT_ID"Use application permissions for machine flows
For CI, prefer application permissions with client_credentials, which are consented once by an admin rather than per user.
How to prevent it
- Grant admin consent whenever app permissions change.
- Use application permissions and client_credentials for unattended CI.
- Track required API permissions in the app registration as code.