Security defaults in Azure AD cause access problem

Nobus 1 Reputation point

A user encounters problems when trying to add her Microsoft 365 mailbox (MS 365 Business Standard) in Outlook (O365). In the Azure logs I see the following error:

Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

However, there are no conditional access policies configured. When I disable the security defaults in Azure AD, the problem is solved and the mailbox can be added without any problems. This is unexpected/unwanted behavior: we want to enable security defaults/MFA without having problems with adding the mailbox in Outlook.

Any ideas/suggestions?

Microsoft Entra ID

2 answers

  1. Vasil Michev 85,646 Reputation points MVP

    Which version of Outlook is that? Is it perhaps trying to use legacy auth? Make sure Modern auth is enabled both server-side and client-side.


  2. Nobus 1 Reputation point

    It's the Microsoft 365 apps deployed via ODT (but the same problem with Outlook Pro Plus 2016).

    The modern auth is disabled on both client and server-side, but enabling will result in the same problem I think (because turning on the modern auth on server-side is basically the same as enabling the security defaults: "You can either enable security defaults in the Azure portal to turn off basic authentication for all protocols, or use the controls below to turn it off for specific protocols.").
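Added example, not part of the thread or any poster's code: one way to check from exported sign-in log entries whether the blocked sign-ins came from a legacy-auth client, as the first answer asks. It assumes records that use the Microsoft Graph `signIn` field names (`userPrincipalName`, `clientAppUsed`, `status.errorCode`, `status.failureReason`); the sample records, users and domain are constructed.

```python
# clientAppUsed values that Entra ID sign-in logs report for legacy (basic) auth protocols.
LEGACY_CLIENT_APPS = {
    "autodiscover", "exchange activesync", "exchange online powershell",
    "exchange web services", "imap4", "mapi over http", "offline address book",
    "outlook anywhere (rpc over http)", "pop3", "reporting web services",
    "smtp", "authenticated smtp", "other clients",
}
BLOCKED_CODE = 53003  # error code that accompanies the message quoted in the question
BLOCKED_TEXT = "access has been blocked by conditional access policies"
MSG = ("Access has been blocked by Conditional Access policies. "
       "The access policy does not allow token issuance.")

# Constructed sample records (not real log data).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "anna@contoso.example", "clientAppUsed": "MAPI Over HTTP",
     "status": {"errorCode": 53003, "failureReason": MSG}},
    {"userPrincipalName": "anna@contoso.example",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "status": {"errorCode": 0, "failureReason": ""}},
    {"userPrincipalName": "ben@contoso.example",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "status": {"errorCode": 53003, "failureReason": MSG}},
    {"userPrincipalName": "cara@contoso.example", "clientAppUsed": None,
     "status": {"errorCode": 53003, "failureReason": MSG}},
]

def classify_client(client_app):
    """Return 'legacy', 'modern' or 'unknown' for a clientAppUsed value."""
    name = (client_app or "").strip().lower()
    if not name:
        return "unknown"  # the field can be empty; do not guess
    return "legacy" if name in LEGACY_CLIENT_APPS else "modern"

def is_policy_block(signin):
    """True when the sign-in failed with the policy-block code or message."""
    status = signin.get("status") or {}
    reason = (status.get("failureReason") or "").lower()
    return status.get("errorCode") == BLOCKED_CODE or BLOCKED_TEXT in reason

def triage(signins):
    """Count policy-blocked sign-ins per user, split by client type."""
    report = {}
    for s in signins:
        if is_policy_block(s):
            counts = report.setdefault(s.get("userPrincipalName", "?"),
                                       {"legacy": 0, "modern": 0, "unknown": 0})
            counts[classify_client(s.get("clientAppUsed"))] += 1
    return report

if __name__ == "__main__":
    for user, counts in triage(SAMPLE_SIGNINS).items():
        print(user, counts)
```

A block counted under `legacy` matches what the first answer suspects; a block counted under `modern` means the client already used modern auth and the cause lies elsewhere.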