`a365 setup all` fails with "Admin consent required" despite following permission documentation

[breg-dev]

Description

When executing the a365 setup all --agent-name <name> command, the process consistently fails during the "Creating blueprint application" step. The CLI throws an error stating that admin consent has not been granted.

Important Context:
I have strictly followed all the instructions outlined in the official documentation, specifically the section regarding delegated permissions: Update delegated permissions. Despite configuring everything exactly as described, the command still fails and requests Global Administrator consent.

Expected behavior

The command should successfully create the agent blueprint and application using the delegated permissions configured, as suggested by the documentation, without requiring additional Global Administrator intervention.

SDK Version

v1.1.171+11c378141d

Language/Runtime

Node 24

OS

macOS 26

How to Reproduce

• Ensure delegated permissions are set up as per the documentation.

• Run the following command in the terminal: a365 setup all --agent-name <name>

• Observe the failure during the blueprint creation phase.

Output

Creating agent blueprint...
    Verifying consent for agent blueprint operations...
    Successfully ensured delegated application consent
    Creating blueprint application...
        Sign in to Microsoft Graph to continue...
        Authenticating to Microsoft Graph...
        Admin consent has not been granted for this application.
        You are running as a non-admin user and cannot grant admin consent.
        Share this URL with a Global Administrator to grant consent:
          https://login.microsoftonline.com/[REDACTED_TENANT_ID]/adminconsent?client_id=[REDACTED_CLIENT_ID]&redirect_uri=https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fnativeclient
        After consent is granted, re-run the command.
        ERROR: Browser authentication failed due to connectivity issue: Admin consent required. Share this URL with a Global Administrator: https://login.microsoftonline.com/[REDACTED_TENANT_ID]/adminconsent?client_id=[REDACTED_CLIENT_ID]&redirect_uri=https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fnativeclient
        ERROR: Failed to authenticate to Microsoft Graph: [GRAPH_API_FAILED] Microsoft Graph API operation failed: Browser authentication
  * Authentication failed due to connectivity issue: Admin consent required. Share this URL with a Global Administrator: https://login.microsoftonline.com/[REDACTED_TENANT_ID]/adminconsent?client_id=[REDACTED_CLIENT_ID]&redirect_uri=https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fnativeclient. Please ensure you have network connectivity.

        ERROR: TROUBLESHOOTING:
        ERROR: 1. Ensure you are a Global Administrator or have AgentIdentityBlueprint.ReadWrite.All permission
        ERROR: 2. The account must have already consented to these permissions

ERROR: Microsoft Graph API operation failed: Create Agent Blueprint
Blueprint creation failed. This typically indicates missing permissions or insufficient privileges.
Ensure you have the required Graph API permissions
You need AgentIdentityBlueprint.ReadWrite.All permission for agent blueprint creation
Contact your tenant administrator to grant permissions
See documentation: https://learn.microsoft.com/microsoft-agent-365/developer/custom-client-app-registration

Screenshots

No response

Code of Conduct

• I agree to follow the Microsoft Open Source Code of Conduct.

[sellakumaran]

Thanks @breg-dev for the detailed report — the CLI output is very helpful.

This is a bug we've identified in the blueprint setup flow. The message:

"Successfully ensured delegated application consent"

is misleading.

What's happening

There are two steps:

1. Delegated consent (CLI / Azure CLI token)
   We ensure an oauth2PermissionGrant exists for your custom client app.
   If a grant already exists, we try to PATCH in the required scope.
   If you're not a Global Admin, that PATCH call returns 403 — but the code incorrectly still returns success.

2. MSAL auth (custom client app)
   The CLI then tries to acquire a token using your client app.
   Since the scope wasn't actually added, Azure AD correctly fails with:

   "Admin consent has not been granted"

Workaround

The consent URL in your error is the correct fix. A Global Administrator needs to open it and grant consent:

https://login.microsoftonline.com/<tenant-id>/adminconsent?client_id=<client-app-id>&redirect_uri=...

After that, rerun:

a365 setup all --agent-name <name>

Question

Is this a fresh tenant/app, or has a365 setup all been run here before (even partially)? That would confirm whether an existing grant is missing this scope, or whether no grant exists at all.

We're tracking a fix to surface this failure properly and update the docs to make the admin consent step explicit.