Azure AD access token error #10933

Description

@chandiraguru-technorucs

Unable to acquire access token for custom API using Application ID URI (api://) in customer tenant – AADSTS65001 (consent_required)

Environment

• SPFx solution
• Backend API protected by Microsoft Entra ID
• Single-tenant solution deployed to different customer tenants

Architecture

We have registered a Microsoft Entra application for our backend API.
The backend exposes an Application ID URI in the following format:

api://

From the SPFx web part we acquire an access token using:

const token = await this.context.aadTokenProviderFactory
    .getTokenProvider()
    .then(provider => provider.getToken("api://"));

The acquired token is then sent to our backend API for authentication.
This flow works correctly in our own tenant.

Problem

When the same solution is deployed to a customer's tenant, token acquisition fails.
The error returned is:

{
  "error": "invalid_grant",
  "error_codes": [65001],
  "error_description": "AADSTS65001: The user or administrator has not consented to use the application 'SharePoint Online Web Client Extensibility'. Send an interactive authorization request for this user and resource.",
  "suberror": "consent_required"
}

What we have already verified

• The backend app registration is configured as single-tenant.
• The Application ID URI is api://.
• The SPFx package is deployed successfully.
• The required API permission appears to have been approved by the customer administrator.
• Authentication works correctly in our development tenant.
• The issue only occurs in certain customer tenants.

Additional Observation

In the affected customer tenant, we expected to see the permission request in the SharePoint Admin Center under API Access (Pending requests / Approved requests). However, the permission either does not appear there or appears to have been approved, yet token acquisition still fails with AADSTS65001.

Questions

  1. Is using an Application ID URI (api://) with AadTokenProvider.getToken() the recommended approach for a multi-tenant SPFx solution?
  2. Does AADSTS65001 in this scenario indicate missing Microsoft Entra consent rather than SharePoint API approval?
  3. Is there any additional tenant configuration or admin consent required besides approving the API in SharePoint Admin Center?
  4. Has anyone experienced this issue where the permission appears to be approved but getToken() still returns consent_required?

Any guidance would be greatly appreciated.
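
An added example, not part of the original issue and not SPFx or Microsoft code: a small JavaScript helper that triages an error payload of the shape quoted in the issue, so client logs record the AADSTS codes and which application the message names as lacking consent. `triageTokenError` and `SAMPLE_ERROR` are hypothetical names, and the sample is constructed from the JSON in the issue.

```javascript
// SAMPLE_ERROR is constructed from the error JSON quoted in the issue.
const SAMPLE_ERROR = {
  error: "invalid_grant",
  error_codes: [65001],
  error_description:
    "AADSTS65001: The user or administrator has not consented to use the application " +
    "'SharePoint Online Web Client Extensibility'. Send an interactive authorization " +
    "request for this user and resource.",
  suberror: "consent_required",
};

// Hypothetical helper (not an SPFx or MSAL API). Accepts the payload as an
// object or as a JSON string and returns a flat record suitable for logging.
function triageTokenError(raw) {
  let payload = raw;
  if (typeof raw === "string") {
    try {
      payload = JSON.parse(raw);
    } catch {
      return { kind: "unparseable", codes: [], namedApplication: null, oauthError: null };
    }
  }
  if (!payload || typeof payload !== "object") {
    return { kind: "unparseable", codes: [], namedApplication: null, oauthError: null };
  }

  const description = String(payload.error_description || "");

  // Codes can appear in error_codes, in the AADSTSnnnnn text, or in both.
  const listed = Array.isArray(payload.error_codes) ? payload.error_codes : [];
  const codes = new Set(listed.map(Number).filter(Number.isInteger));
  for (const m of description.matchAll(/AADSTS(\d+)/g)) codes.add(Number(m[1]));

  // The quoted name is the application the message reports as not consented.
  const app = description.match(/application '([^']+)'/);
  const consent = codes.has(65001) || payload.suberror === "consent_required";

  return {
    kind: consent ? "consent_required" : "other",
    codes: [...codes].sort((a, b) => a - b),
    namedApplication: app ? app[1] : null,
    oauthError: typeof payload.error === "string" ? payload.error : null,
  };
}
```
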
