Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

Nick Loenders 51 Reputation points
2024-10-07T09:25:02.47+00:00

In Office 365 Teams, a guest user could not log in to another tenant's team.

Sign-in error code: 53003

Failure reason is: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

The conditional access says:

Grant Controls: Require Authentication strength - Multifactor authentication: The user could satisfy this authentication strength by completing one or more MFA challenges.

??


Accepted answer
  1. Anonymous
    2024-10-08T01:56:51.2866667+00:00

    Hi @Nick Loenders

    The above error is because of the Conditional Access policy being enabled by your Global administrator in Azure Active Directory.

    If you want guest users to skip this policy, select Exclude Guests or External users in the Conditional Access policy.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


    1 person found this answer helpful.

3 additional answers

  1. Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
    2024-10-07T10:52:41.21+00:00

    Did your user set up MFA with the other tenant? If not, they will need to do that.

    They can go to https://myaccount.microsoft.com/?ref=MeControl, log on to the other tenant and set that up.


  2. Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
    2024-10-08T11:23:20.1266667+00:00

    As to your question, is it wise to enable it for guests, I would say you should; however, you can exclude guests from MFA, or enable it so that the other tenant honors MFA from another Azure tenant that requires it.

    https://learn.microsoft.com/en-us/entra/external-id/authentication-conditional-access#mfa-for-microsoft-entra-external-users

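    The second option above (having the resource tenant honor MFA performed in the guest's home tenant) is configured through Entra cross-tenant access settings. The following is an added example, not code from this thread, using the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module); it scopes the inbound MFA trust to a single partner tenant rather than the tenant-wide default, which is the narrower choice. `<partner-tenant-id>` is a placeholder for the guests' home tenant ID.

```powershell
# Added example: trust MFA claims from ONE partner tenant so its guests satisfy the
# "Require multifactor authentication" grant control without re-registering MFA here.
# Assumes the Microsoft.Graph.Identity.SignIns module is installed and the signed-in
# admin can consent to the Policy.ReadWrite.CrossTenantAccess scope.

Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess"

$partnerTenantId = "<partner-tenant-id>"   # placeholder: the guests' home tenant ID

# Check the tenant-wide default first. Leaving IsMfaAccepted at $false here means
# MFA from arbitrary external tenants is NOT trusted; only the partner below will be.
$defaults = Get-MgPolicyCrossTenantAccessPolicyDefault
"Default inbound MFA trust: $($defaults.InboundTrust.IsMfaAccepted)"

# Inbound trust object: accept the partner's MFA claim only; device claims stay untrusted.
$trust = @{ IsMfaAccepted = $true }

# Create the partner-specific configuration if it does not exist yet, otherwise update it.
$existing = Get-MgPolicyCrossTenantAccessPolicyPartner `
    -CrossTenantAccessPolicyConfigurationPartnerTenantId $partnerTenantId `
    -ErrorAction SilentlyContinue

if ($null -eq $existing) {
    New-MgPolicyCrossTenantAccessPolicyPartner -TenantId $partnerTenantId -InboundTrust $trust
} else {
    Update-MgPolicyCrossTenantAccessPolicyPartner `
        -CrossTenantAccessPolicyConfigurationPartnerTenantId $partnerTenantId `
        -InboundTrust $trust
}

# Verify the effective setting for that partner; the guest's next sign-in should carry
# the home-tenant MFA claim instead of failing with 53003.
(Get-MgPolicyCrossTenantAccessPolicyPartner `
    -CrossTenantAccessPolicyConfigurationPartnerTenantId $partnerTenantId).InboundTrust
```

    After the change, confirm in the sign-in logs that the guest's interactive sign-in shows the Conditional Access policy as satisfied rather than failing with error 53003.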

  3. Demirci, Fatih 0 Reputation points
    2024-10-10T06:59:04.28+00:00

    Hello,

    we have the same problem.

    Excluding guest users from MFA is not an option for us, and we don't want to change the external identity settings to trust the MFA from the home tenant!

    We have had this problem for a few days and tried several options: resetting MFA, reinviting, and so on.
    The solution was to delete the guest account and send a new invite. But now we have two more guests from different tenants, so our workaround can't be the solution.
