IT Error Decoder

How to Fix AADSTS53003: Access has been blocked by Conditional Access policies

Error message

AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

If you're seeing "AADSTS53003: Access has been blocked by Conditional Access policies", you're not alone. Here's what it means, why it happens, and the steps to resolve it.

What this error means

Authentication succeeded, but a Conditional Access (CA) policy decided not to issue a token for this sign-in.

Why this happens

Common triggers: the user is on an unmanaged device, an untrusted location/IP, an app the policy blocks, or the policy requires a control (compliant device, hybrid join, MFA) that wasn't satisfied.

Step-by-step fix

  1. Open Entra → Monitoring → Sign-in logs and find the failure entry. The Conditional Access tab shows exactly which policy applied.

  2. Run a What If analysis for the user/app to confirm which policies fire.

    Entra → Identity → Conditional Access → Policies → What If

  3. Address the missing control: enroll the device, sign in from a trusted network, or complete the required MFA / compliance step.

  4. If the policy is wrong, an admin can edit it or add a temporary user/app exclusion.
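Steps 1 to 4 boil down to reading the failed sign-in record, finding the policy whose result is a failure, and mapping its unsatisfied grant control to a remediation. The following Python script is an added example, not part of the original article or any Microsoft tooling: it triages records in the Microsoft Graph `signIn` JSON shape (the fields the Sign-in logs blade exports, including `status.errorCode` and `appliedConditionalAccessPolicies`), keeps only the AADSTS53003 entries, and reports which policy blocked each one and what was missing. The sample records, user names, policy names and IP addresses are constructed, and the keyword matching from control strings to canonical controls is this example's own assumption, because exported logs spell controls differently from the policy editor. It also flags sign-ins denied by more than one policy at once, the double-block case the tips further down describe.

```python
"""Triage AADSTS53003 entries from an exported Entra sign-in log (added example)."""
import json
from collections import Counter

# (keyword in the log string, canonical control, remediation from the fix steps).
# Assumption: real exports vary in spelling ("Mfa", "RequireCompliantDevice", ...),
# so matching is case-insensitive on a keyword after stripping a "Require" prefix.
CONTROL_KEYWORDS = [
    ("mfa", "mfa", "complete the required MFA step"),
    ("compliantdevice", "compliantDevice", "enroll the device so it reports as compliant"),
    ("domainjoined", "domainJoinedDevice", "sign in from a hybrid-joined device"),
    ("approvedapp", "approvedApplication", "use an approved client app"),
    ("block", "block", "the policy blocks this scope outright; review its assignments"),
]


def canonical_control(raw):
    """Normalise a grant-control string from the log to a canonical name."""
    key = raw.lower().replace("require", "").replace("_", "").replace(" ", "")
    for needle, name, _ in CONTROL_KEYWORDS:
        if needle in key:
            return name
    return raw  # unknown control: keep it visible rather than silently drop it


def remediation_for(control):
    for _, name, advice in CONTROL_KEYWORDS:
        if name == control:
            return advice
    return "review the policy's grant controls"


def load_signins(text):
    """Accept a bare JSON array or the {"value": [...]} envelope Graph returns."""
    data = json.loads(text)
    return data["value"] if isinstance(data, dict) else data


def blocking_policies(record):
    """Policies with result 'failure' are the ones that denied token issuance."""
    return [p for p in record.get("appliedConditionalAccessPolicies", [])
            if p.get("result") == "failure"]


def triage(records):
    """One finding per AADSTS53003 record: who, which policy, which control, what to do."""
    findings = []
    for rec in records:
        if rec.get("status", {}).get("errorCode") != 53003:
            continue
        blockers = blocking_policies(rec)
        controls = sorted({canonical_control(c)
                           for p in blockers for c in p.get("enforcedGrantControls", [])})
        device = rec.get("deviceDetail", {})
        findings.append({
            "user": rec.get("userPrincipalName"),
            "app": rec.get("appDisplayName"),
            "ip": rec.get("ipAddress"),
            "device_compliant": bool(device.get("isCompliant")),
            "device_managed": bool(device.get("isManaged")),
            "blocking_policies": [p["displayName"] for p in blockers],
            "unsatisfied_controls": controls,
            "remediation": [remediation_for(c) for c in controls],
            "multiple_blockers": len(blockers) > 1,  # double-blocked by conflicting policies
        })
    return findings


def summarize_by_policy(findings):
    """How often each policy blocked; a spike on one policy points at step 4 (fix the policy)."""
    return Counter(name for f in findings for name in f["blocking_policies"])


# Constructed sample export (not real tenant data): two 53003 failures, one success.
_BLOCKED = "Access has been blocked by Conditional Access policies."
SAMPLE_EXPORT = json.dumps([
    {"id": "s1", "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10",
     "appDisplayName": "Office 365 SharePoint Online", "conditionalAccessStatus": "failure",
     "status": {"errorCode": 53003, "failureReason": _BLOCKED},
     "deviceDetail": {"isCompliant": False, "isManaged": False},
     "appliedConditionalAccessPolicies": [
         {"id": "p1", "displayName": "Require compliant device for O365",
          "result": "failure", "enforcedGrantControls": ["RequireCompliantDevice"]},
         {"id": "p2", "displayName": "Baseline MFA",
          "result": "success", "enforcedGrantControls": ["Mfa"]}]},
    {"id": "s2", "userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.7",
     "appDisplayName": "Microsoft Teams", "conditionalAccessStatus": "failure",
     "status": {"errorCode": 53003, "failureReason": _BLOCKED},
     "deviceDetail": {"isCompliant": False, "isManaged": True},
     "appliedConditionalAccessPolicies": [
         {"id": "p1", "displayName": "Require compliant device for O365",
          "result": "failure", "enforcedGrantControls": ["RequireCompliantDevice"]},
         {"id": "p3", "displayName": "Block outside named locations",
          "result": "failure", "enforcedGrantControls": ["Block"]}]},
    {"id": "s3", "userPrincipalName": "carol@contoso.example", "ipAddress": "192.0.2.5",
     "appDisplayName": "Microsoft Teams", "conditionalAccessStatus": "success",
     "status": {"errorCode": 0, "failureReason": "Other."},
     "deviceDetail": {"isCompliant": True, "isManaged": True},
     "appliedConditionalAccessPolicies": [
         {"id": "p1", "displayName": "Require compliant device for O365",
          "result": "success", "enforcedGrantControls": ["RequireCompliantDevice"]}]},
])

if __name__ == "__main__":
    results = triage(load_signins(SAMPLE_EXPORT))
    for f in results:
        flag = " (blocked by more than one policy)" if f["multiple_blockers"] else ""
        print(f"{f['user']} -> {f['app']}: {', '.join(f['blocking_policies'])}{flag}")
        for advice in f["remediation"]:
            print(f"    fix: {advice}")
    print("blocks per policy:", dict(summarize_by_policy(results)))
```

Point the script at a real export by replacing `SAMPLE_EXPORT` with the downloaded file's contents; the `multiple_blockers` flag identifies the sign-ins where editing one policy will not be enough, and `summarize_by_policy` separates a single misconfigured policy from a genuinely non-compliant device.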

Affected products

Entra ID

Still broken? Try these

  • Check whether named locations need updating (e.g. office IP changed).
  • If a service principal is blocked, look at Workload Identities CA policies separately.
  • Confirm the user isn't double-blocked by an additional policy with conflicting controls.
