| 1 | +--- |
| 2 | +title: Error AADSTS650056 - The client has not listed any permissions for AAD Graph in Entra ID app |
| 3 | +description: Provides solutions for the AADSTS650056 misconfiguration error. |
| 4 | +ms.date: 05/19/2025 |
| 5 | +ms.reviewer: willfid |
| 6 | +ms.service: entra-id |
| 7 | +ms.custom: sap:Issues Signing In to Applications |
| 8 | +--- |
| 9 | + |
| 10 | +# Error AADSTS650056 - The client has not listed any permissions for AAD Graph |
| 11 | + |
| 12 | +This article provides troubleshooting steps and solutions for the error message AADSTS650056: Misconfigured application. |
| 13 | + |
| 14 | +## Symptoms |
| 15 | + |
| 16 | +When you try to sign in to a web application that uses Microsoft Entra ID, you might encounter the following error message (or a similar message): |
| 17 | + |
| 18 | +> AADSTS650056: Misconfigured application. This could be due to one of the following: The client has not listed any permissions for 'AAD Graph' in the requested permissions in the client’s application registration. Or, The admin has not consented in the tenant. Or, Check the application identifier in the request to ensure it matches the configured client application identifier. Please contact your admin to fix the configuration or consent on behalf of the tenant. |
| 19 | +
|
| 20 | +## Cause |
| 21 | + |
| 22 | +This error usually occurs due to one of the following reasons: |
| 23 | + |
| 24 | +- The application does not have the required permissions to call Microsoft Graph APIs. |
| 25 | +- The admin has not consented to the permissions for the application on behalf of the tenant. |
| 26 | +- The application identifier specified in the request does not match the registered application identifier in Microsoft Entra ID. |
| 27 | + |
| 28 | +## Solution 1: Verify application permissions and consent |
| 29 | + |
| 30 | +If your organization owns the application, follow these steps: |
| 31 | + |
| 32 | +1. Sign in to the [Azure portal](https://portal.azure.com), go to the **App registrations**, select your app registration, and then select **API permissions**. |
| 33 | +2. Make sure that the application has at least the **User.Read** delegated permission from **Microsoft Graph**. |
| 34 | +3. Check the **Status** to verify whether the permissions are consented to. For example: |
| 35 | + - If the permission is not consented to, it will appear as **Pending** or blank. |
| 36 | + - If successfully consented, it will appear as "Granted for [Tenant Name]". |
| 37 | + |
| 38 | + Example of a consented permission: |
| 39 | + |
| 40 | + :::image type="content" source="./media/error-code-aadsts650056-misconfigured-app-graph/graph-api-permissions.png" alt-text="Screenshot of adding Graph API permissions." ::: |
| 41 | + |
| 42 | +If your organization is not the application owner, follow these steps: |
| 43 | + |
| 44 | +1. Sign in to the application by using Global Administrator account. You should see a consent screen prompting you to grant permissions. Ensure you check the box for **"Consent on behalf of your organization"** before proceeding. |
| 45 | + |
| 46 | + Example of the consent screen: |
| 47 | +:::image type="content" source="./media/error-code-aadsts650056-misconfigured-app-graph/consent-permissions.png" alt-text="Screenshot of consent screen" ::: |
| 48 | +2. If you do not see the consent screen, delete the application from the **Enterprise applications** section in Microsoft Entra ID and try signing in again. |
| 49 | + |
| 50 | +If the error persists, proceed to the next solution. |
| 51 | + |
| 52 | +## Solution 2: Manually build the consent URL |
| 53 | + |
| 54 | +If the application is designed to access a specific resource, you may not be able to use the **Consent** button from the Azure portal, you may need to manually generate a consent URL, and open the URL to grant permissions to the application. |
| 55 | + |
| 56 | +### For the authorization V1 endpoint: |
| 57 | + |
| 58 | +The consent URL will look like this: |
| 59 | + |
| 60 | +```HTTP |
| 61 | +https://login.microsoftonline.com/{Tenant-Id}/oauth2/authorize?response\_type=code |
| 62 | +&client\_id={App-Id} |
| 63 | +&resource={App-Uri-Id} |
| 64 | +&scope=openid |
| 65 | +&prompt=consent |
| 66 | +``` |
| 67 | + |
| 68 | +For example: |
| 69 | + |
| 70 | +```HTTP |
| 71 | +https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/authorize |
| 72 | +?response\_type=code |
| 73 | +&client\_id=044abcc4-914c-4444-9c3f-48cc3140b6b4 |
| 74 | +&resource=https://vault.azure.net/ |
| 75 | +&scope=openid |
| 76 | +&prompt=consent |
| 77 | +``` |
| 78 | +### For the authorization V2 endpoint: |
| 79 | + |
| 80 | +The consent URL will look like this: |
| 81 | + |
| 82 | +```HTTP |
| 83 | +https://login.microsoftonline.com/{Tenant-Id}/oauth2/v2.0/authorize |
| 84 | +?response_type=code |
| 85 | +&client_id={App-Id} |
| 86 | +&scope=openid+{App-Uri-Id}/{Scope-Name} |
| 87 | +&prompt=consent |
| 88 | +``` |
| 89 | + |
| 90 | +For example: |
| 91 | + |
| 92 | +```HTTP |
| 93 | +https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize |
| 94 | +?response_type=code |
| 95 | +&client_id=044abcc4-914c-4444-9c3f-48cc3140b6b4 |
| 96 | +&scope=openid+https://vault.azure.net/user_impersonation |
| 97 | +&prompt=consent |
| 98 | +``` |
| 99 | + |
| 100 | +- If the application is accessing itself as the resource, the **{App-Id}** and **{App-Uri-Id}** will be the same. |
| 101 | +- You can get the **{App-Id}** and **{App-Uri-Id}** from the application owner. |
| 102 | +- The **{Tenant-Id}** corresponds to your tenant identifier, which can be either your domain or your directory ID. |
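Review bot: the two V1 `HTTP` blocks escape underscores inside a fenced code block (`https://login.microsoftonline.com/{Tenant-Id}/oauth2/authorize?response\_type=code`, `&client\_id={App-Id}`, `&client\_id=044abcc4-914c-4444-9c3f-48cc3140b6b4`); backslashes are rendered literally inside a fence, so anyone who copies the URL sends a malformed query string, while the V2 blocks already use the plain `response_type` and `client_id` form. Drop the backslashes in both V1 blocks. A few smaller points in the same hunk: the Cause bullet says the app lacks permissions to call "Microsoft Graph APIs" while the title and the quoted error text name 'AAD Graph'; these are distinct resources, so the Cause section should say which resource the registration is actually missing permissions for, consistent with the User.Read on Microsoft Graph check in Solution 1. In Solution 1, "by using Global Administrator account" is missing an article and recommends the highest-privileged role for a consent task; consider naming the least-privileged role that can grant tenant-wide admin consent, and step 2 should warn that deleting the app from Enterprise applications also removes any existing user assignments and granted consent on that service principal. In the same list, the second `:::image` line is not indented under step 1 and has no blank line before step 2, unlike the first image, so the list will not render the way the first one does; the `### For the authorization V2 endpoint:` heading also needs a blank line after the preceding closing fence, and both `###` headings end with a colon. Finally, the Solution 2 intro is a run-on; split it into "...you may not be able to use the **Consent** button in the Azure portal. In that case, manually generate a consent URL and open it to grant permissions to the application."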