IT Error Decoder

How to Fix Connect-MgGraph admin consent required

Error message

AADSTS65001: The user or administrator has not consented to use the application during Connect-MgGraph.

Connect-MgGraph is the entry point for almost every Microsoft Graph PowerShell session. When admin consent is missing, every cmdlet in your script fails with the same error before it does any real work. The fix is fast once you know which scope is blocking you.

What this error means

Connect-MgGraph asked Entra ID for permission to act on your behalf, and Entra refused because the requested scopes need admin approval that hasn't been granted yet.

Why this happens

This usually happens the first time you use a scope that is flagged as admin-only, or when your tenant disables user consent for any new app. The Microsoft Graph PowerShell client itself has to be consented to for the scopes you're requesting.

Quick fix (for end users)

  • If you have an admin handy, ask them to run Connect-MgGraph once with the same scopes and accept the prompt on behalf of the organization. That grants tenant-wide consent.
  • If you don't, write down the scope name from the error and send a consent request via the prompt that appears on first sign-in.

Admin / engineer fix

  • Sign in as a Global Administrator (or Privileged Role Admin) and connect with the exact scopes the script needs.

    Connect-MgGraph -Scopes 'User.Read.All','Group.Read.All','Directory.Read.All'

  • Accept the consent prompt, making sure to tick 'Consent on behalf of your organization'.

  • From then on, regular users running the same script will not be re-prompted because the service principal in your tenant already has those permissions.

Step-by-step fix

  1. Identify the exact scope being requested. The error or the script's Connect-MgGraph call will name it.

  2. An admin runs Connect-MgGraph with that scope and grants admin consent for the organization.

    Connect-MgGraph -Scopes 'User.Read.All' # accept consent prompt as admin

  3. Re-run the script as the original user.
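
One way to carry out step 1 and to confirm the result of step 2, as an added example that is not part of the original page: the function below sorts each scope a script needs into consented tenant-wide, consented for one user only, or not consented. The name Get-ConsentGap, its parameters, and the sample grants are constructed for illustration; the commented lines show how to feed it real delegated grants.

```powershell
# Added example: classify each required scope by how it has been consented.
function Get-ConsentGap {
    param(
        [Parameter(Mandatory)] [string[]] $RequiredScopes,
        # Objects shaped like Get-MgOauth2PermissionGrant output
        [Parameter(Mandatory)] [object[]] $Grants,
        # Entra object ID of the user who will run the script
        [Parameter(Mandatory)] [string] $UserId
    )
    # A grant's Scope is one space-separated string, sometimes with a leading space.
    # ConsentType 'AllPrincipals' means an admin consented for the whole organization.
    $tenantWide = @($Grants | Where-Object { $_.ConsentType -eq 'AllPrincipals' } |
        ForEach-Object { $_.Scope -split '\s+' } | Where-Object { $_ })
    # ConsentType 'Principal' covers only the user named in PrincipalId.
    $userOnly = @($Grants |
        Where-Object { $_.ConsentType -eq 'Principal' -and $_.PrincipalId -eq $UserId } |
        ForEach-Object { $_.Scope -split '\s+' } | Where-Object { $_ })

    foreach ($scope in $RequiredScopes) {
        $status = 'NotConsented'
        if ($scope -in $userOnly)   { $status = 'ThisUserOnly' }
        if ($scope -in $tenantWide) { $status = 'TenantWide' }
        [pscustomobject]@{ Scope = $scope; Status = $status }
    }
}

# Constructed sample grants (not real tenant data).
$sampleUser   = '00000000-0000-0000-0000-000000000001'
$sampleGrants = @(
    [pscustomobject]@{ ConsentType = 'AllPrincipals'; PrincipalId = $null
                       Scope = 'User.Read.All Group.Read.All' }
    [pscustomobject]@{ ConsentType = 'Principal'; PrincipalId = $sampleUser
                       Scope = ' Directory.Read.All' }
)
$needed = 'User.Read.All', 'Group.Read.All', 'Directory.Read.All', 'AuditLog.Read.All'
Get-ConsentGap -RequiredScopes $needed -Grants $sampleGrants -UserId $sampleUser

# Against a live tenant, from a session allowed to read grants
# (for example one connected with Directory.Read.All):
#   $sp     = Get-MgServicePrincipal -Filter "appId eq '$((Get-MgContext).ClientId)'"
#   $grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
#   Get-ConsentGap -RequiredScopes $needed -Grants $grants -UserId '<user object id>'
```

Scopes reported as NotConsented or ThisUserOnly are the ones to include in the admin's Connect-MgGraph call; anything already TenantWide does not need to be requested again.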

Affected products

Microsoft.Graph PowerShell SDK 1.x and 2.x

Common variations of this error

People also see these phrasings of the same problem:

  • AADSTS65001: The user or administrator has not consented to use the application
  • Need admin approval — Microsoft Graph PowerShell
  • Consent required for Connect-MgGraph

Still broken? Try these

  • Check tenant-wide settings: Entra → Enterprise applications → Consent and permissions. If user consent is fully disabled, only an admin can consent to a scope that Connect-MgGraph requests for the first time.
  • Check that no Conditional Access policy is blocking the Microsoft Graph PowerShell client for your account.
  • If using PowerShell 5.1, consider switching to PowerShell 7 — the SDK is better tested there.

Frequently asked questions

Do I need to grant admin consent every time?

No. Once an admin consents to a set of scopes for the Microsoft Graph PowerShell client in your tenant, regular users requesting those same scopes won't be prompted again.

Why doesn't my Global Admin role help?

Holding an admin role lets you grant consent, but you still have to actually grant it. Just being an admin doesn't auto-consent every scope.

Can I do this without an admin?

Only if your tenant allows user consent for the specific scope. Most tenants restrict this for high-privilege scopes like Directory.ReadWrite.All.
