Error Code: 53003 - Conditional Access Policy blocking external user

Question

Error Code: 53003 - Conditional Access Policy blocking external user

vb123 40

One of our internal teams has set up a workspace and shared an invite to an external user outside of the company. When the user tries to log in he get the following error:

"You cannot access this right now

Your sign-in was successful but does not meet the criteria to access this resource. For example, you might be signing in from a browser, app, or location that is restricted by your admin."

The external users IT department provided him with a screenshot of the error log on their end. It shows (image attached):

"Sign-in error code 53003"

Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

My question is, does this conditional access policy need to be updated on the external user's side? We are thinking this is not an issue on our end and the conditional access policy only applies to internal users of an organization. Can someone confirm this? Thank you

vb123 40 Reputation points

2024-10-08T15:58:38.42+00:00

We did go back and view the sign-in logs for that user and was not seeing any hits after a certain date - which tells me that something is most likely blocking on the end user's side. I've provided that info back to the user to report back to her IT team to investigate. Still waiting to hear back the results. Thank you for the feedback!

Accepted answer

1 additional answer

Your answer

vb123 40 Reputation points

2024-10-08T15:58:38.42+00:00

We did go back and view the sign-in logs for that user and was not seeing any hits after a certain date - which tells me that something is most likely blocking on the end user's side. I've provided that info back to the user to report back to her IT team to investigate. Still waiting to hear back the results. Thank you for the feedback!

Answer 1

@vb123

The sign-in error code 53003 indicates that the Conditional Access policies set by the organization that manages the resource (in this case, likely your organization) are blocking the external user from accessing the workspace. Conditional Access policies can indeed apply to external users if they are set up that way. It's a common misconception that Conditional Access policies only affect internal users, but they can be configured to enforce specific requirements for anyone trying to access resources, whether they are internal or external. Here's what you can do to resolve this issue:

Review Conditional Access Policies: Check the Conditional Access policies configured in your organization's Azure Active Directory (or equivalent service) to see if any of them might be restricting access based on criteria such as:

Location (e.g., only allowing access from certain IP ranges or geographic regions).
Device compliance (e.g., requiring devices to be domain-joined or compliant with specific security policies).
Approved client apps (e.g., only allowing access from certain browsers or applications).

Modify Policies if Necessary: If you identify a policy that could be blocking the external user, you may need to modify it to allow access for external users. This might include:

Adding a specific exception for the external user or their organization.
Temporarily relaxing the policy to allow their access.

Coordinate with External User’s IT Department: If the issue seems to be on their end, work with the external user's IT department to ensure that their access attempts meet the conditions set by your Conditional Access policies.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

vb123 40 Reputation points

2024-10-08T16:01:50.95+00:00

Thank you for the response. We checked the sign-in logs for the user and saw two that listed an incorrect username and password. There are no conditional access policies applied on our end. However the last log activity for that users was on 9/26, nothing after that. So we suspect her traffic is no longer reaching our tenant. We've shared the issue with the user to report back to her IT team to investigate. The issue is pending.
Raja Pothuraju 23,465 Reputation points Microsoft External Staff Moderator

2024-10-10T22:37:53.8066667+00:00

Hello @vb123,

Thank you for your response.

Based on your confirmation from the Entra Sign-in logs, it appears that the conditional access policy is being applied from the end user's home directory, not from your directory. I recommend checking with the end user's IT team to understand why their sign-in is being blocked and what conditions need to be met to access the resource.

Please let us know if you need any other additional information upon this.

Thanks,
Raja Pothuraju.
Raja Pothuraju 23,465 Reputation points Microsoft External Staff Moderator

2024-10-14T20:24:17.9833333+00:00

Hello @vb123,

Just a gentle follow-up to check if you need any additional information regarding this. Please feel free to let me know if you have any further questions.
vb123 40 Reputation points

2024-10-15T03:18:08.3933333+00:00

Hi @Raja Pothuraju thank you for your help. I've sent back the info to the user to reach out to her tech support. I've not heard anything back. I think we can consider this issue solved. If anything comes up I will repost a follow up. Thanks.

Answer 2

Raja Pothuraju 23,465 Microsoft External Staff Moderator

Hello @vb123,

Thank you for posting your query on Microsoft Q&A.

Adding to JimmyYang answer, I recommend checking the Microsoft Entra Sign-in logs to determine which tenant’s Conditional Access policy is blocking access to the resources.

When a user encounters a 53003 error while trying to log into an application, ask them to provide the correlation ID that appears under the 53003-error message after clicking "More Info." Then, navigate to your Entra Sign-in logs, apply a filter for the correlation ID, and paste the provided ID. If the log appears in your tenant, this indicates that a Conditional Access policy in your tenant is being applied to the user's sign-in, and access is being blocked because the user didn’t meet the required conditions of the policy.

I hope this information is helpful. Please feel free to reach out if you have any further questions.

Thanks,
Raja Pothuraju.

Raja Pothuraju 23,465 Reputation points Microsoft External Staff Moderator

2024-10-15T10:09:24.97+00:00

Hello @vb123, Thank you for your response. Please feel free to reach out if you need any further assistance in the future, especially if the issue persists. I’m happy to help.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Thanks,
Raja Pothuraju.

Share via

Error Code: 53003 - Conditional Access Policy blocking external user

1 additional answer

Your answer