![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 62%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
Microsoft 365 and Office | Development | Other
Building custom solutions that extend, automate, and integrate Microsoft 365 apps.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 64%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFT%3C/text%3E%3C/svg%3E)
Hi Jswk1
Thank you for reaching out to Microsoft Q&A forum and sharing your concern.
From your relevant documentation links and observations, I understand that you're having an issue with the OneDrive File Picker requesting tokens for undocumented resources. I truly appreciate you highlighting this issue with the OneDrive File Picker requesting tokens for undocumented resources like https://loki.delve.office.com/ and https://substrate.office.com/. You're spot on that these aren't mentioned in the official OneDrive File Picker documentation, which only covers the standard permissions.
You’re running into behavior with the OneDrive File Picker and Microsoft Graph integration, where the picker internally calls additional Microsoft 365 services. If your app does not declare these permissions in Azure AD, token acquisition for those resources fails, causing AADSTS65001. Adding these permissions would require admin consent and grant broad access (e.g., to user profiles and organizational graph), which is likely beyond your intended scope.
Importantly, please do not add these extra permissions to your Azure AD app registration. That would violate least-privilege principles and expose your app to unnecessary risks. Instead, handle them gracefully in your code.
Based on my research, I've found a similar discussion on AADSTS65001 errors in this thread: AADSTS65001: The user or administrator has not consented to use the application. You may consider referring to this thread and trying the steps outlined there such as:
- Verifying admin consent in your Azure AD app registration
- Ensuring the right scopes are included in your token requests
- Checking your API permissions setup
Many users found the suggested steps helpful and reported that they resolved their issues. Please let me know how you get on, as your feedback is valuable to the community.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.