Azure sign-in error 53003. "Access has been blocked by Conditional Access policies" and Conditional Access tab is empty.

Peter Jävert 0 Reputation points
2024-06-19T07:00:40.14+00:00

A user is blocked from using Teams app from her phone.

Azure Sign-in error code is 53003. "Access has been blocked by Conditional Access policies. The access policy does not allow token issuance."

When I go to the Conditional Access tab to find the reason, I don't get the list of our policies. It just says "Not applicable".


The Conditional Access diagnostic doesn't give any further help.

She is not flagged as risky user and has no risky sign-ins.

Any idea?

Microsoft Entra ID

3 answers

  1. akinbade abiola 8,295 Reputation points
    2024-06-19T07:53:45.0133333+00:00

    Hello Peter Jävert,

    Thanks for your question.

    To get the specific reason why this is happening, I recommend using the sign-in logs.

    1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
    2. Go to Users, select the specific user with the issue, and open the Sign-in logs pane. Click the sign-in log entry in question.
    3. Open the Conditional Access tab and you will see the policies applied.

    You can further troubleshoot using: Troubleshooting sign-in problems with Conditional Access


    Please let me know if you have further questions.

    You can mark it 'Accept Answer' if this helped.


  2. Peter Jävert 0 Reputation points
    2024-06-19T10:01:22.0633333+00:00

    Solved the problem. Not sure why, but her Teams attempted to use MFA for her previous employer's Tenant. We cancelled the MFA authentication in Teams, selected the correct account, and she was able to log in.


  3. Raja Pothuraju 1,520 Reputation points Microsoft Vendor
    2024-06-20T13:09:01.3866667+00:00

    Hello @Peter Jävert,

    I'm glad that you were able to resolve your issue, and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue: Azure sign-in error 53003. "Access has been blocked by Conditional Access policies" and Conditional Access tab is empty.

    Resolution: Resolved by @Peter Jävert

    Below are the steps followed by @Peter Jävert:

    Solved the problem. Not sure why, but her Teams attempted to use MFA for her previous employer's Tenant. We cancelled the MFA authentication in Teams, selected the correct account, and she was able to log in.

    Adding some additional info to help community members investigate this further: I understand that the end user faced a problem while trying to access the Teams application on her mobile and was blocked by a Conditional Access policy with error code 53003. When you checked the Entra sign-in logs for that user, there were no Conditional Access policies applied, and no policies were listed in that tab either.

    To identify the root cause, I request you to check the same sign-in log again. This time, please review the Basic Info tab and verify the following details: Resource tenant ID, Home tenant ID and Cross tenant access type.

    • Resource Tenant ID: GUID of the tenant of the accessed resource.
    • Home Tenant ID: GUID of the tenant to which the user is attached and used to validate their identity.
    • Cross Tenant Access Type: B2B Collaboration or B2B Direct.

    If the conditional access policy tab is empty in the sign-in log, this can happen if the Resource Tenant ID is different from the Home Tenant ID. This indicates that the user's authentication is occurring on the resource tenant. In this scenario, the resource tenant's conditional access policy will be applied, not the home tenant's conditional access policies. If this is the case, the end user's access might have been blocked due to the resource tenant's conditional access policy, which was not satisfied by the end user's sign-in attempt to the Teams application.

    If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    Thanks,
    Raja Pothuraju.
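The tenant check described in the answer above, as an added example that is not part of the thread or of any Microsoft tooling: it walks sign-in records shaped like the Microsoft Graph beta `signIn` resource (`status.errorCode`, `homeTenantId`, `resourceTenantId`, `crossTenantAccessType`, `appliedConditionalAccessPolicies` are assumed field names) and, for each 53003 block, reports whether the home tenant's or the resource tenant's Conditional Access policies made the decision. The sample records and tenant GUIDs are constructed placeholders.

```python
# Added triage helper; not code from the thread or from Microsoft. Field names
# follow the Graph beta signIn shape (assumption); GUIDs below are placeholders.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"   # user's own tenant
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"  # e.g. a former employer

# Constructed sample records, not real log data.
SAMPLE_SIGNINS = [
    {"id": "s1", "appDisplayName": "Microsoft Teams",
     "status": {"errorCode": 53003},
     "homeTenantId": HOME_TENANT, "resourceTenantId": OTHER_TENANT,
     "crossTenantAccessType": "b2bCollaboration",
     "appliedConditionalAccessPolicies": []},          # CA tab looks empty
    {"id": "s2", "appDisplayName": "Microsoft Teams",
     "status": {"errorCode": 53003},
     "homeTenantId": HOME_TENANT, "resourceTenantId": HOME_TENANT,
     "crossTenantAccessType": "none",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA on mobile", "result": "failure"}]},
    {"id": "s3", "appDisplayName": "Microsoft Teams",
     "status": {"errorCode": 0},
     "homeTenantId": HOME_TENANT, "resourceTenantId": HOME_TENANT,
     "crossTenantAccessType": "none",
     "appliedConditionalAccessPolicies": []},
]


def triage_ca_blocks(signins):
    # One finding per 53003 sign-in, saying which tenant's CA policies applied.
    findings = []
    for s in signins:
        if s.get("status", {}).get("errorCode") != 53003:
            continue  # only Conditional Access blocks are of interest here
        resource = s.get("resourceTenantId")
        home = s.get("homeTenantId")
        policies = [p.get("displayName") for p in
                    s.get("appliedConditionalAccessPolicies") or []]
        if resource and home and resource != home:
            # Token was requested from another tenant, so that tenant's policies
            # decided and the home tenant's CA tab has nothing to show.
            verdict = "resource_tenant"
        elif policies:
            verdict = "home_tenant"     # the blocking policy is listed locally
        else:
            verdict = "unknown"         # no tenant mismatch and no policy data
        findings.append({"id": s.get("id"), "verdict": verdict,
                         "resourceTenantId": resource,
                         "crossTenantAccessType": s.get("crossTenantAccessType"),
                         "policies": policies})
    return findings
```

A `resource_tenant` verdict means the policy to inspect lives in the other tenant, which is the situation the original poster hit when Teams tried to authenticate against the previous employer's tenant.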