While using the UiPath Office365 Activity, the following error message is thrown: "MsalUiRequiredException AADSTS65001: The user or administrator has not consented to use the application with ID '{appId}' named '{appName}'. Send an interactive authorization request for this user and resource". How can this be resolved?
Issue Description: When using UsernameAndPassword authentication in the Office 365 Scope, the following error is thrown when trying to authenticate.
Full Error In Text:
RemoteException wrapping Microsoft.Graph.ServiceException: Code: generalException Message: An error occurred sending the request. ---> RemoteException wrapping Microsoft.Identity.Client.MsalUiRequiredException: AADSTS65001: The user or administrator has not consented to use the application with ID '*' named '*'. Send an interactive authorization request for this user and resource.
Root Cause: This can happen for the following reasons:
- No permissions have been added to the application at all
- The admin has not granted consent for the whole organization
- The admin granted the consent, but due to some particular Azure settings, the admin is required to send the authorization request and consent via the desktop app (e.g. UiPath)
Resolution:
For Root Cause 1 & 2: An admin has to access the App Registration, add the permissions and consent on behalf of the whole organization.
For Root Cause 3: Even if the admin provided consent from the App Registration, Azure can still prevent the authentication due to particular settings on the consent workflow. You must configure the Office 365 Scope to perform an InteractiveToken authentication, Run/Debug the process, and have an admin log in when the consent prompt appears.
Make sure to consent on behalf of the organization.
Note: This is a one-time requirement per App Registration.
Note: If user consent is allowed on the Azure Tenant, each business user can consent to the application themselves. Multiple users can consent to their own usage of the same application. (This will not provide tenant-wide consent.)
Consent can also be given by building the consent URL and opening it in the browser. Example below:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={clientId}&response_type=code&scope=user.read
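The URL above can be built and checked in code before it is handed to an admin or user. The following is an added example, not UiPath or Microsoft code: it builds the URL in exactly the shape shown above and verifies that a consent URL points at the expected App Registration and requests only the scopes you intend. The function names and the scope allow-list are assumptions made for illustration.

```python
import re
from urllib.parse import urlencode, urlsplit, parse_qs

# Host and path taken from the example URL on this page.
AUTHORIZE_HOST = "login.microsoftonline.com"
AUTHORIZE_PATH = "/common/oauth2/v2.0/authorize"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def build_consent_url(client_id, scopes):
    """Build the consent URL in the shape shown above (hypothetical helper)."""
    if not GUID_RE.match(client_id):
        # Catches an unreplaced "{clientId}" placeholder or a display name.
        raise ValueError("client_id must be the App Registration's GUID")
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "scope": " ".join(scopes),  # multiple scopes are space-separated
    })
    return f"https://{AUTHORIZE_HOST}{AUTHORIZE_PATH}?{query}"


def check_consent_url(url, expected_client_id, allowed_scopes):
    """Return a list of problems with a consent URL; an empty list means OK."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    problems = []
    if parts.scheme != "https" or parts.hostname != AUTHORIZE_HOST:
        problems.append("not an https login.microsoftonline.com URL")
    if parts.path != AUTHORIZE_PATH:
        problems.append("unexpected path")
    client_ids = params.get("client_id", [])
    if len(client_ids) != 1 or client_ids[0].lower() != expected_client_id.lower():
        problems.append("client_id is not the expected App Registration")
    # Scope names are compared case-insensitively.
    requested = {s.lower() for v in params.get("scope", []) for s in v.split()}
    if not requested:
        problems.append("no scope requested")
    extra = requested - {s.lower() for s in allowed_scopes}
    if extra:
        problems.append("unexpected scopes: " + ", ".join(sorted(extra)))
    return problems
```

Run the check on any consent URL received by mail or chat before an admin opens it, since consenting on behalf of the organization grants the listed scopes tenant-wide.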
Additional Information:
- Set up your Microsoft 365 Azure app (UiPath)
- Microsoft Office 365 Scope (UiPath)
- Configure the admin consent workflow (Microsoft)
- Grant tenant-wide admin consent to an application (Microsoft)