Issues with GraphAPI authentication through Conditional Access with error status 53009

Kimura 5 Reputation points

I am developing an iPad application that uses GraphAPI through an Enterprise application on Entra (Azure). I have embedded the IntuneMAM SDK into the iPad application and set the target resources of Conditional Access to "All cloud app." The iPad app can successfully log in to IntuneMAM, and Intune monitor shows that the iPad application is compliant with the app protection policy.

However, when I try to use GraphAPI, the authentication fails and shows the following message:

You can't get there from here
It looks like you're trying to open this resource with a client app that is not available for use with app protection policies.

The authentication message shows the following details:

  • App name is xxxx (it is Enterprise application name on Entra)
  • Error Code: 53009
  • Status of Device: Compliant

The Entra Enterprise application sign-in log shows "Application needs to enforce Intune protection policies."

When I exclude "Office 365 SharePoint Online" from the target resources of Conditional Access, GraphAPI can authenticate and works fine. However, I must include "Office 365 SharePoint Online" in the target resources of Conditional Access. Please teach me how to authenticate with GraphAPI on CA with "All cloud app" targeted resources.

Also, I cannot find "Error Code: 53009" in any document. Please also teach me the meaning of "Error Code: 53009."

  • iOS: 17.0.1
  • IntuneMAM SDK: 1.18.2
  • MSAL: 1.2.18
  • SwiftUI/Swift application