Error Code: 53003 - Conditional Access Policy blocking external user

vb123 20 Reputation points
2024-10-01T15:05:01.8433333+00:00

One of our internal teams has set up a workspace and shared an invite to an external user outside of the company. When the user tries to log in he gets the following error:

"You cannot access this right now

Your sign-in was successful but does not meet the criteria to access this resource. For example, you might be signing in from a browser, app, or location that is restricted by your admin."

The external user's IT department provided him with a screenshot of the error log on their end. It shows (image attached):

"Sign-in error code 53003"

Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

My question is, does this conditional access policy need to be updated on the external user's side? We are thinking this is not an issue on our end and the conditional access policy only applies to internal users of an organization. Can someone confirm this? Thank you.


1 answer

  1. JimmyYang-MSFT 52,801 Reputation points Microsoft Vendor
    2024-10-02T03:25:11.3666667+00:00

    @vb123

    The sign-in error code 53003 indicates that the Conditional Access policies set by the organization that manages the resource (in this case, likely your organization) are blocking the external user from accessing the workspace. Conditional Access policies can indeed apply to external users if they are set up that way. It's a common misconception that Conditional Access policies only affect internal users, but they can be configured to enforce specific requirements for anyone trying to access resources, whether they are internal or external. Here's what you can do to resolve this issue:

    1. Review Conditional Access Policies: Check the Conditional Access policies configured in your organization's Azure Active Directory (or equivalent service) to see if any of them might be restricting access based on criteria such as:
    • Location (e.g., only allowing access from certain IP ranges or geographic regions).
    • Device compliance (e.g., requiring devices to be domain-joined or compliant with specific security policies).
    • Approved client apps (e.g., only allowing access from certain browsers or applications).
    2. Modify Policies if Necessary: If you identify a policy that could be blocking the external user, you may need to modify it to allow access for external users. This might include:
    • Adding a specific exception for the external user or their organization.
    • Temporarily relaxing the policy to allow their access.
    3. Coordinate with External User's IT Department: If the issue seems to be on their end, work with the external user's IT department to ensure that their access attempts meet the conditions set by your Conditional Access policies.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


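As an added example (not code from the thread or from Microsoft's documentation), this is the triage an administrator of the inviting tenant would run with the Microsoft Graph PowerShell SDK for the answer's step 1: list the enabled policies whose user scope reaches guests or external users, then read the guest's sign-ins that ended in 53003 to see which policy reported a `failure`. It assumes the Microsoft.Graph module is installed, that the caller can consent to Policy.Read.All and AuditLog.Read.All, and uses a placeholder for the guest's UPN as it appears in your tenant (the `#EXT#` form for B2B guests).

```powershell
# Added example: find which Conditional Access policy blocks a guest (error 53003).
# Assumes Microsoft.Graph is installed; $GuestUpn is a placeholder you replace.
param(
    [string]$GuestUpn = 'guest_example.com#EXT#@YOUR-TENANT.onmicrosoft.com'
)

Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All' -NoWelcome

# 1. Enabled policies whose user scope includes guests/external users.
#    'All' and the legacy 'GuestsOrExternalUsers' value both reach guests,
#    as does the newer IncludeGuestsOrExternalUsers object.
$policies = Get-MgIdentityConditionalAccessPolicy -All
foreach ($p in $policies) {
    if ($p.State -ne 'enabled') { continue }
    $users = $p.Conditions.Users
    $targetsGuests = ($users.IncludeUsers -contains 'All') -or
                     ($users.IncludeUsers -contains 'GuestsOrExternalUsers') -or
                     ($null -ne $users.IncludeGuestsOrExternalUsers.GuestOrExternalUserTypes)
    if (-not $targetsGuests) { continue }
    [pscustomobject]@{
        Policy         = $p.DisplayName
        GrantControls  = ($p.GrantControls.BuiltInControls -join ',')
        ClientApps     = ($p.Conditions.ClientAppTypes -join ',')
        Locations      = ($p.Conditions.Locations.IncludeLocations -join ',')
        ExcludesGuests = ($users.ExcludeUsers -contains 'GuestsOrExternalUsers') -or
                         ($null -ne $users.ExcludeGuestsOrExternalUsers.GuestOrExternalUserTypes)
    }
}

# 2. The guest's recent sign-ins that failed with 53003, and the policy that
#    evaluated to 'failure' on each one (the policy named here is the one to review).
$filter = "status/errorCode eq 53003 and userPrincipalName eq '$GuestUpn'"
Get-MgAuditLogSignIn -Filter $filter -Top 10 | ForEach-Object {
    $s = $_
    $s.AppliedConditionalAccessPolicies |
        Where-Object { $_.Result -eq 'failure' } |
        ForEach-Object {
            [pscustomobject]@{
                When     = $s.CreatedDateTime
                App      = $s.AppDisplayName
                Policy   = $_.DisplayName
                Controls = ($_.EnforcedGrantControls -join ',')
            }
        }
}
```

The second query is the quicker confirmation: a `failure` result on a policy in your tenant's sign-in log shows the block is enforced by the resource tenant, not by the guest's home organization.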
