Sign-in blocked from new device - Error Code: 530031

Question

Hello there,

unfortunately, I am facing an issue, which I can´t solve by myself.

Following situation:

User A has a new domain joined device. He isn´t able to login to office.com or anywhere else, because of "Error Code: 530031".

Details from clipboard below:

Error Code: 530031
Request Id: 983abfb7-0dd9-43f4-b575-a1125383c000
Correlation Id: 05b67c01-d02a-46a4-bdb1-cb3f17842f54
Timestamp: 2025-02-28T14:15:16.761Z
App-Name: My Signins
App-ID: 19db86c3-b2b9-44cc-b339-36da233a3be2
IP-Adresse: 82.198.xxx.xx
Gerätebezeichner: Nicht verfügbar
Geräteplattform: Windows 10
Gerätestatus: Unregistered

Researches and the mentioned solutions did not help to solve this problem.

I checked the azure login logs for this specific user and the failure reason is: "Access policy does not allow token issuance"

There is no access policy configured. Just two conditional access policies.

• When users in the 'Group A' group sign-in: They are required be on an Intune compliant or domain-joined device
• When any user is outside the company network: They're required to sign in with multifactor authentication

User A is Member of Group A.

The device has been joined the domain.

Trying to access office.com or sharepoint or anything else (e.g.: outlook as an application) the message from above is shown up.

Furthermore, I can´t find this (new) device in Azure device list. Dunno know if this is important.

Someone there who knows how to fix this? I do not understand why this is a problem.

I did a few more test too. I tried to login from my office computer via office.com and it´s also not working. This means, when a User A, B, C however, wants to check mails or use app from office 365 on an other device (for e.g. homeoffice) it´s not possible.

The command dsregcmd /join has been executed by me too.

I´m hoping for good and helpful answers :)

best regards

Answer 1

Hello @J. N. Seebeck,

Thank you for reaching out on Microsoft Q&A.

Based on your description, I understand that User A is unable to sign in to office.com or other Microsoft services due to Error Code 530031.
The error is being caused by a Conditional Access policy that is blocking access token issuance due to a matching policy.

Upon reviewing the Conditional Access policies applied to Group A, I see that users in this group are required to sign in from either an Intune-compliant device or a domain-joined device.

Since User A's device is unregistered, it is not being recognized as compliant or domain-joined, which is why the Conditional Access policy is preventing token issuance and blocking sign-in.

To resolve this issue, please ensure the device is properly registered with Microsoft Entra ID. Depending on whether this is a personal or work device, the following guidance will assist in verifying and completing the registration process:
For personal devices: https://support.microsoft.com/en-us/account-billing/register-your-personal-device-on-your-work-or-school-network-8803dd61-a613-45e3-ae6c-bd1ab25bf8a8
For work devices: https://support.microsoft.com/en-us/account-billing/join-your-work-device-to-your-work-or-school-network-ef4d6adb-5095-4e51-829e-5457430f3973

Once the device is successfully registered, please test the sign-in process for User A again.

If the issue persists, feel free to provide additional details, and I’d be happy to assist further.

I hope this information is helpful. Please feel free to reach out if you have any further questions. If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Thanks,
Chaithra.