Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

Question

Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

Nick Loenders 51

in Office365 Teams, a guest user could not log in to another tenants team.

Sign-in error code: 53003

Failure reason is: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

The conditional access says:

Grant Controls: Require Authentication strength - Multifactor authentication: The user could satisfy this authentication strength by completing one or more MFA challenges.

??

Accepted answer

3 additional answers

Your answer

Answer 1

Anonymous

Hi @Nick Loenders

The above error is because of the conditional Access Policy being enabled by your Global administrator in Azure Active Directory.

If you want guest users to skip this policy, select Exclude Guests or External users in the Conditional Policy.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Answer 2

Andy David - MVP 157.8K MVP Volunteer Moderator

Did you user set up MFA with the other tenant? If not they can will need to do that.

They can go to https://myaccount.microsoft.com/?ref=MeControl and logon to the other tenant and set up that up.

Nick Loenders 51 Reputation points

2024-10-07T10:59:02.9466667+00:00

Well, it is just a guest user, so I don't think she has MFA for the other tenant as she is not a real user...?
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator

2024-10-07T11:02:02.5566667+00:00

The other tenant however can require it:

https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-policy-guest-mfa
Nick Loenders 51 Reputation points

2024-10-07T13:07:19.8966667+00:00

Aaah here, see screenshot, but is it wise to enable this fr external users? I guess not... I will exclude this certain guest-user.
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator

2024-10-07T13:35:18.28+00:00

If this is your user attempting to logon to another tenant and they are requiring MFA, its their policy that is enforcing MFA, not yours.
Nick Loenders 51 Reputation points

2024-10-07T19:59:48.9433333+00:00

Yes, but I manage them both :)
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator

2024-10-08T11:20:38.92+00:00

Oh in that case, it should be easy to fix :)

Answer 3

Andy David - MVP 157.8K MVP Volunteer Moderator

As to your question is it wise to enable for guests, then I would say you should, however you can exclude guests from MFA or enable it so the other tenant honors MFA from another Azure tenant that requires it

https://learn.microsoft.com/en-us/entra/external-id/authentication-conditional-access#mfa-for-microsoft-entra-external-users

Answer 4

Demirci, Fatih 0

Hello,

we have the same problem.

Exclude Guest Users from MFA is not a option for us and we dont wont to change the external identity settings to trust the MFA from Home Tenant !

We have this problem since few days and tried several options, reset MFA, reinvite and so on.
The solution was to delete the guest account and send a new invite. But now we have two more guest from different tenants, so our workaround can't be the solution.

Share via

Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

3 additional answers

Your answer