Security defaults in Azure AD cause access problem

Nobus 1 Reputation point
2021-02-17T09:28:55.487+00:00

A user encounters problems when trying to add her Microsoft 365 mailbox (MS 365 Business Standard) in Outlook (O365). In the Azure logs I see the following error:

Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

However, there are no conditional access policies configured. When I disable the security defaults in Azure AD, the problem is solved and the mailbox can be added without any problems. This is unexpected/unwanted behavior: we want to enable security defaults/MFA without having problems with adding the mailbox in Outlook.

Any ideas/suggestions?


2 answers

  1. Vasil Michev 85,646 Reputation points MVP
    2021-02-17T10:08:14.557+00:00

    Which version of Outlook is that, is it perhaps trying to use legacy auth? Make sure Modern auth is enabled both server-side and client-side.


  2. Nobus 1 Reputation point
    2021-02-17T10:53:15.647+00:00

    It's the Microsoft 365 apps deployed via ODT (but the same problem occurs with Outlook Pro Plus 2016).

    Modern auth is disabled on both the client and server side, but enabling it will result in the same problem I think (because turning on modern auth on the server side is basically the same as enabling the security defaults: "You can either enable security defaults in the ‎Azure‎ portal to turn off basic authentication for all protocols, or use the controls below to turn it off for specific protocols.")
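Added example, not from either poster: the server-side and client-side Modern Authentication checks that the first answer suggests, and that the second reply says are currently disabled, written as PowerShell. It assumes the ExchangeOnlineManagement module is installed, that the account used holds an Exchange admin role, and that `<admin-upn>` is replaced with that account; the registry check is meant to run on the affected workstation in the user's own session.

```powershell
# Added example (not from the thread). Security defaults block legacy
# (basic) authentication, so Outlook must be able to use Modern Auth on
# both sides. Part 1 checks the tenant, part 2 checks the Office client.

# ---- Part 1: server side (Exchange Online) -------------------------------
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName '<admin-upn>'   # placeholder

# OAuth2ClientProfileEnabled is the tenant-wide Modern Auth switch.
$org = Get-OrganizationConfig
if (-not $org.OAuth2ClientProfileEnabled) {
    Write-Warning 'Modern Auth is disabled server-side; enabling it.'
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}
# Show the resulting state so it can be recorded in the ticket.
Get-OrganizationConfig | Format-List Name, OAuth2ClientProfileEnabled

Disconnect-ExchangeOnline -Confirm:$false

# ---- Part 2: client side (run on the affected Windows workstation) -------
# Office 2016 and later (including Microsoft 365 Apps deployed via ODT)
# use Modern Auth by default, but an explicit EnableADAL=0 under the
# Identity key forces the client back to legacy auth. Check and correct it.
$key  = 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\Identity'
$adal = Get-ItemProperty -Path $key -Name EnableADAL -ErrorAction SilentlyContinue

if ($adal -and $adal.EnableADAL -eq 0) {
    Write-Warning 'EnableADAL is 0 (Modern Auth forced off); setting it to 1.'
    Set-ItemProperty -Path $key -Name EnableADAL -Value 1 -Type DWord
} else {
    Write-Output 'Client-side Modern Auth setting is not disabled.'
}
# Restart Outlook afterwards so it re-authenticates with Modern Auth.
```

After both parts report Modern Auth enabled, the sign-in that previously logged "The access policy does not allow token issuance" should succeed with security defaults left on; a sign-in that still fails can be compared against the Azure AD sign-in log's client app column to confirm whether it is still arriving as legacy authentication.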