What causes AADSTS90008?

App registration is missing the minimum Microsoft Graph delegated permissions (openid, profile, User.Read). Admin consent has not been granted for the requested scopes in the tenant. Tenant policy requires admin consent for all apps but only user consent was attempted. The app is requesting a token for its own client ID without a valid resource scope (e.g. resource = client_id) — Azure AD requires a Graph scope at minimum. Permissions were added in the app manifest but the consent prompt was never completed after the change

How do I fix AADSTS90008?

Open the app registration in Entra ID (Azure AD) → API permissions, and add Microsoft Graph delegated permissions: openid, profile, and User.Read. Click 'Grant admin consent for ' to consent on behalf of all users, or have each user re-trigger sign-in to consent individually. Verify the sign-in request includes a valid resource/scope (e.g. https://graph.microsoft.com/.default) instead of the app's own client ID as the resource. If the tenant blocks user consent, ask a Global Administrator or Privileged Role Administrator to grant tenant-wide consent. Re-authenticate and confirm the new token contains the expected scopes; check Entra sign-in logs for AADSTS90008 to confirm the error has cleared

Low severityauthentication

Power BI Error:
AADSTS90008, Missing Microsoft Graph Consent

What does this error mean?

The application is requesting a token for itself but lacks the required Microsoft Graph permissions or admin consent.

Common causes

1App registration is missing the minimum Microsoft Graph delegated permissions (openid, profile, User.Read)
2Admin consent has not been granted for the requested scopes in the tenant
3Tenant policy requires admin consent for all apps but only user consent was attempted
4The app is requesting a token for its own client ID without a valid resource scope (e.g. resource = client_id) — Azure AD requires a Graph scope at minimum
5Permissions were added in the app manifest but the consent prompt was never completed after the change

How to fix it

1Open the app registration in Entra ID (Azure AD) → API permissions, and add Microsoft Graph delegated permissions: openid, profile, and User.Read
2Click 'Grant admin consent for <tenant>' to consent on behalf of all users, or have each user re-trigger sign-in to consent individually
3Verify the sign-in request includes a valid resource/scope (e.g. https://graph.microsoft.com/.default) instead of the app's own client ID as the resource
4If the tenant blocks user consent, ask a Global Administrator or Privileged Role Administrator to grant tenant-wide consent
5Re-authenticate and confirm the new token contains the expected scopes; check Entra sign-in logs for AADSTS90008 to confirm the error has cleared

Frequently asked questions

What does AADSTS90008 mean?

The user or administrator hasn't consented to use the application. At the minimum, the application requires access to Microsoft Entra ID by

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes