Medium severityauthentication
Power BI Error:
AADSTS65005, Required resource access misconfigured
What does this error mean?
The app's required resource access list is missing the requested resource, or admin consent has not been granted.
Common causes
- 1The client app's 'API permissions' (Required Resource Access) list does not include the resource being requested (e.g. Microsoft Graph, Power BI Service, Fabric API)
- 2A scope/permission is requested in the auth flow that is not declared on the app registration
- 3Admin consent has not been granted for the tenant — permissions show 'Pending' or blank in the Azure portal
- 4For SAML apps: the Issuer (Entity ID) in the SAMLRequest does not match the Identifier (Entity ID) configured on the Enterprise Application
- 5The application identifier in the request does not match the configured client application identifier in Entra ID
How to fix it
- 1Open the app registration in the Microsoft Entra admin center (Azure AD) → API permissions, and add every resource/scope the app actually requests (e.g. Microsoft Graph User.Read, Power BI Service Dataset.ReadWrite.All, Fabric API scopes)
- 2Click 'Grant admin consent for [tenant]' and verify each permission's Status changes to 'Granted for [Tenant]' — Pending or blank means consent never completed
- 3Compare the scopes requested in your auth code (MSAL, ADAL, Power BI service principal config, ADF linked service) against the declared permissions and remove any scope that isn't registered
- 4For SAML-based apps: open the Enterprise Application → Single sign-on, and make the Identifier (Entity ID) match the <Issuer> element your SaaS app sends in its SAMLRequest
- 5If your organization isn't the app owner, sign in once with a Global Administrator account and tick 'Consent on behalf of your organization' on the consent screen; if no screen appears, delete the app from Enterprise applications and retry sign-in