The AADSTS65001 error appears when Copilot tries to access a Microsoft 365 resource but the required consent has not been granted by an administrator. This error stops Copilot from generating responses or accessing tenant data. The root cause is a missing or revoked admin consent for the Microsoft Graph permissions that Copilot relies on. This article explains why the error occurs and provides the exact steps to grant the required consent.
Key Takeaways: Fixing the Copilot Consent Error
- Microsoft Entra admin center > Enterprise applications > Copilot > Permissions: Grants the missing admin consent for delegated and application permissions.
- Microsoft 365 admin center > Setup > Copilot > Data access: Confirms that tenant-wide consent policies allow Copilot to read Microsoft Graph data.
- PowerShell command `Grant-MgAdminConsent`: Automates the consent grant for all required Copilot permissions in a single step.
Why the AADSTS65001 Error Occurs
The error AADSTS65001 indicates that the user or application has not provided consent for the required permissions. In the context of Copilot, this happens when the Microsoft Entra application registration for Copilot lacks admin consent for delegated permissions such as User.Read, Files.Read.All, or Sites.Read.All. Without this consent, Copilot cannot query Microsoft Graph to retrieve user context or tenant data.
Three scenarios commonly trigger this error:
- A new Copilot deployment where admin consent was never granted during initial setup.
- A recent Microsoft Graph API update that added new permissions Copilot requires, invalidating the previous consent.
- A tenant administrator revoked consent through the Microsoft Entra admin center or via a conditional access policy.
The error message typically appears in the Copilot pane in Teams, Word, or Outlook as a red banner reading “Consent required” or as an HTTP 403 response in the browser developer tools.
Steps to Grant Admin Consent for Copilot
You must be a Global Administrator or Privileged Role Administrator in Microsoft Entra to complete these steps.
Method 1: Grant Consent Through the Microsoft Entra Admin Center
- Sign in to the Microsoft Entra admin center
  Open a browser and go to https://entra.microsoft.com. Sign in with your Global Administrator account.
- Navigate to Enterprise applications
  In the left navigation menu, select Identity > Applications > Enterprise applications. Use the search box to find the Copilot application. The exact name may be “Copilot” or “Microsoft Copilot Service”.
- Open the Permissions page
  Select the Copilot application entry. In the left menu under Security, click Permissions. You will see a list of Microsoft Graph permissions with a status of “Not granted” for any that lack admin consent.
- Grant admin consent
  Click the Grant admin consent for [your tenant] button at the top of the permissions page. A consent dialog appears listing all required permissions. Review the list and click Accept. The process may take up to 60 seconds to complete.
- Verify the consent
  After the dialog closes, refresh the Permissions page. Each permission should now show a status of “Granted for [your tenant]”.
Method 2: Grant Consent Using Microsoft Graph PowerShell
- Install the Microsoft Graph PowerShell module
  Open PowerShell as an administrator and run `Install-Module Microsoft.Graph -Scope CurrentUser`. Press Y to confirm the installation if prompted.
- Connect to Microsoft Graph
  Run `Connect-MgGraph -Scopes "Directory.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"`. Sign in with your Global Administrator account when the browser-based authentication window appears.
- Identify the Copilot service principal
  Run `Get-MgServicePrincipal -Filter "DisplayName eq 'Microsoft Copilot Service'"`. Copy the `Id` value from the output. This is the object ID of the Copilot service principal.
- Grant admin consent
  Run the following command, replacing `[ServicePrincipalId]` with the ID from the previous step: `Grant-MgAdminConsent -ServicePrincipalId "[ServicePrincipalId]"`. The command returns a status object. Wait for the output to show `ConsentGranted: True`.
- Disconnect the session
  Run `Disconnect-MgGraph` to end the session securely.
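Method 2 has no counterpart to the “Verify the consent” step of Method 1. The following read-only audit is an added example, not part of the original article: it lists every delegated and application permission currently consented for the service principal and flags grants that apply to a single user rather than the whole tenant. It assumes the display name given above and the `Directory.Read.All` scope; adjust both to your tenant.

```powershell
# Added example: read-only audit of consent state for one service principal.
# Assumption: the display name from the article; it may differ in your tenant.
$displayName = 'Microsoft Copilot Service'

# A read-only scope is sufficient; no write permissions are requested.
Connect-MgGraph -Scopes 'Directory.Read.All'

$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$displayName'")
if ($sp.Count -ne 1) {
    throw "Expected exactly one service principal named '$displayName', found $($sp.Count)."
}
$sp = $sp[0]

# Delegated permissions: one grant object per client/resource/consent type,
# with the scopes stored as a space-separated string.
$delegated = foreach ($g in Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
    foreach ($scope in ($g.Scope -split '\s+' | Where-Object { $_ })) {
        [pscustomobject]@{
            Type        = 'Delegated'
            Resource    = $resource.DisplayName
            Permission  = $scope
            # AllPrincipals = admin consent for the tenant; Principal = one user only
            ConsentType = $g.ConsentType
            PrincipalId = $g.PrincipalId
        }
    }
}

# Application permissions are app role assignments and are always admin-granted.
$application = foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    $role = $resource.AppRoles | Where-Object Id -eq $a.AppRoleId
    [pscustomobject]@{
        Type        = 'Application'
        Resource    = $resource.DisplayName
        Permission  = $role.Value
        ConsentType = 'AllPrincipals'
        PrincipalId = $null
    }
}

@($delegated) + @($application) | Sort-Object Type, Resource, Permission | Format-Table -AutoSize

# Per-user grants explain the "works only for some users" symptom.
$perUser = @($delegated | Where-Object ConsentType -eq 'Principal')
if ($perUser.Count -gt 0) {
    Write-Warning "$($perUser.Count) delegated permission(s) are consented per user, not tenant-wide."
}
Disconnect-MgGraph | Out-Null
```

Compare the output against the permissions shown on the application's Permissions page, and keep a copy so that later changes to the consented scopes can be spotted.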
If Copilot Still Shows the Error After Granting Consent
Copilot Returns AADSTS65001 After Consent Was Granted
If the error persists, the consent may not have propagated to all Copilot service instances. Wait 15 minutes and then clear the browser cache or restart the Microsoft 365 app. In Teams, sign out and sign back in. In some cases, the consent refresh requires a new authentication token. Run `dsregcmd /leave` in a command prompt as administrator, then restart the device to force a fresh device registration and token refresh.
Copilot Works But Only for Some Users
This indicates that user-level consent is missing for individual accounts. In the Microsoft Entra admin center, go to Identity > Users > User settings. Under Enterprise applications, ensure that “Users can consent to apps accessing company data on their behalf” is set to No. This forces all consent to be admin-managed. Then re-run the admin consent grant from Method 1 or 2.
Copilot Fails After a Microsoft Graph API Update
Microsoft occasionally adds new permissions to the Copilot application registration. When this happens, previously granted consent becomes invalid. Repeat the admin consent grant process from Method 1. After granting, check the Permissions page for any new permissions with a status of “Not granted”. Grant consent again until all permissions show “Granted for [your tenant]”.
Admin Consent vs User Consent for Copilot
| Item | Admin Consent | User Consent |
|---|---|---|
| Who grants it | Global Administrator or Privileged Role Administrator | Individual user |
| Scope | All users in the tenant | Only the granting user |
| Permissions included | All delegated and application permissions for Copilot | Only delegated permissions that do not require admin consent |
| Where to grant | Microsoft Entra admin center > Enterprise applications > Copilot > Permissions | OAuth consent dialog during first sign-in |
| Effect on AADSTS65001 | Resolves the error for the entire tenant | Resolves the error only for that user |
The AADSTS65001 error is resolved by granting admin consent for the Copilot application in Microsoft Entra. Use the admin center or PowerShell to grant consent. After consent is granted, clear the cache and restart your Microsoft 365 apps. To prevent future consent issues, monitor the Microsoft 365 Message Center for announcements about new Copilot permissions and grant consent proactively.