
AKS: AgentPool UAMI blocked from token generation (conditional access policies) - image pull fails

AndrewKrause-1311 5 Reputation points
2026-02-21T09:17:46.23+00:00

We've suddenly started seeing failures in our AKS clusters when attempting to pull images from our ACR. We have not changed anything, but I've verified:

  1. The agent pool UAMI has AcrPull assigned to the ACR.
  2. The image and its tag exist in the ACR.
  3. The UAMI is assigned to the VMSS instance.
Azure Kubernetes Service


3 answers

  1. AndrewKrause-1311 5 Reputation points
    2026-02-23T16:09:15+00:00

    Tenant admin was responsible for some policy change which was reverted/resolved over the weekend.

    1 person found this answer helpful.

  2. Nikhil Duserla 9,685 Reputation points Microsoft External Staff Moderator
    2026-02-22T17:49:07.7033333+00:00

    Hello @AndrewKrause-1311 ,

    Thanks for your response. In the tenant, open Entra ID → Monitoring & Health → Sign-in Logs. Apply a filter using the Correlation ID from your error.

    Then select the Conditional Access tab to identify which policy blocked the sign-in: https://docs.azure.cn/en-us/entra/identity/conditional-access/troubleshoot-conditional-access

    That just means the token still isn’t being issued due to Conditional Access. Once you fix the CA policy causing AADSTS53003, the portal action will work normally.


  3. Saraswathi Devadula 14,410 Reputation points Microsoft External Staff Moderator
    2026-02-21T10:00:24.6266667+00:00

    Hello **AndrewKrause-1311**

    It looks like you're encountering issues with your AKS cluster being blocked from pulling images from your Azure Container Registry (ACR) due to a Conditional Access policy. The error message you're seeing (AADSTS53003: Access has been blocked by Conditional Access policies) suggests that the user-assigned managed identity (UAMI) for your AKS cluster might not have the necessary permissions due to these policies.

    Here are a few steps you can follow to resolve this issue:

    1. Verify UAMI Configuration: Ensure that your agent pool UAMI has the AcrPull role assigned to the correct ACR. You can check this by running:
         az role assignment list --assignee <UAMI-ID> --scope /subscriptions/<Subscription-ID>/resourceGroups/<ResourceGroup-Name>/providers/Microsoft.ContainerRegistry/registries/<ACR-Name>
      
    2. Check Conditional Access Policies: Conditional Access policies in Azure AD may be preventing the UAMI from obtaining tokens needed to pull images. You may need to adjust these policies or add exclusions for the UAMI used by your AKS. Work with your Azure AD administrator to review and modify these policies.
    3. Reassign Kubelet Identity: If there are misconfigurations with the kubelet identity, consider reassigning it to your VM Scale Set. Run the following command to update the AKS cluster, which can help in re-establishing the kubelet identity:
         az aks update --resource-group <MyResourceGroup> --name <MyManagedCluster>
      
    4. Token Issuance: Make sure that the UAMI is allowed to issue tokens. This might involve checking the Azure AD settings and ensuring that the application has the necessary API permissions to access the ACR.
    5. Check Expiry of Service Principal: If your AKS cluster relies on a service principal, make sure it hasn't expired. You can check this and update credentials if necessary.
    6. Kubelet Logs: Continue reviewing the kubelet logs for any additional error messages that could provide further insights into failures:
      • You're looking for logs indicating authentication issues or network problems.

    For further troubleshooting, here are some additional resources you might find useful:
    https://learn.microsoft.com/en-us/troubleshoot/azure/azure-kubernetes/extensions/cannot-pull-image-from-acr-to-aks-cluster#before-you-begin
    https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview

    Let me know if you need any more assistance or if any of these steps clarify the situation!

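The token chain the two moderator answers walk through (Entra token issuance for the kubelet identity, then the ACR login that uses it, then the sign-in log lookup by Correlation ID) can be reproduced from a shell on an AKS node with the script below. This is an added example, not code from the thread or from Microsoft. The registry FQDN, the client ID, and the two JSON bodies are constructed placeholders. Run it on a node with the registry FQDN and the client ID of the kubelet identity, which is the identity that actually pulls images (`az aks show -g <rg> -n <cluster> --query identityProfile.kubeletidentity.clientId -o tsv`); with no arguments it only exercises the response parser on the constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): replay the kubelet's ACR login chain from
# an AKS node and extract the AADSTS code and Correlation ID from a failure so the
# Entra sign-in log can be filtered on it. All names and sample bodies below are
# constructed placeholders, not values from the original post.
set -eu

IMDS='http://169.254.169.254/metadata/identity/oauth2/token'

# Step 1: request an Entra token for the kubelet's user-assigned identity from IMDS.
# A Conditional Access block shows up here as an error body instead of a token.
imds_token() {            # args: <kubelet-uami-client-id>
  curl -sS -H 'Metadata: true' \
    "$IMDS?api-version=2018-02-01&resource=https://management.azure.com/&client_id=$1"
}

# Step 2: exchange the Entra token for an ACR refresh token (what containerd does on pull).
acr_exchange() {          # args: <registry-fqdn> <entra-access-token>
  curl -sS -X POST "https://$1/oauth2/exchange" \
    --data-urlencode grant_type=access_token \
    --data-urlencode "service=$1" \
    --data-urlencode "access_token=$2"
}

# Read one string-valued JSON field from stdin without jq; prints nothing if absent.
json_field() {            # args: <field-name>; JSON body on stdin
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Classify an IMDS response: prints "ok" when a token was issued, otherwise
# "<AADSTS code> <correlation id>" (the two values the sign-in log filter needs).
classify_token_response() {   # args: <json-body>
  if [ -n "$(printf '%s' "$1" | json_field access_token)" ]; then
    echo ok
    return 0
  fi
  code=$(printf '%s' "$1" | sed -n 's/.*\(AADSTS[0-9]\{1,\}\).*/\1/p' | head -n 1)
  cid=$(printf '%s' "$1" | json_field correlation_id)
  echo "${code:-unknown} ${cid:-none}"
}

# Live probe: report whether the failure is at token issuance (Conditional Access,
# AADSTS error) or at the registry (typically a missing AcrPull assignment).
probe() {                 # args: <registry-fqdn> <kubelet-uami-client-id>
  imds=$(imds_token "$2")
  verdict=$(classify_token_response "$imds")
  if [ "$verdict" != ok ]; then
    echo "Entra refused to issue a token for the kubelet identity: $verdict"
    echo "Filter Entra ID > Sign-in logs (Managed identity sign-ins) by Correlation ID ${verdict#* }"
    return 1
  fi
  token=$(printf '%s' "$imds" | json_field access_token)
  acr=$(acr_exchange "$1" "$token")
  if [ -n "$(printf '%s' "$acr" | json_field refresh_token)" ]; then
    echo "ACR exchange ok: the kubelet identity can log in to $1"
  else
    echo "Token issued but $1 rejected it (check AcrPull on the kubelet identity): $acr"
    return 1
  fi
}

# Constructed sample bodies in the shape IMDS returns; IDs are placeholders.
SAMPLE_OK='{"access_token":"eyJ0eXAi.constructed.token","expires_in":"86399","resource":"https://management.azure.com/","token_type":"Bearer"}'
SAMPLE_BLOCKED='{"error":"invalid_grant","error_description":"AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance. Trace ID: 00000000-0000-0000-0000-000000000001 Correlation ID: 11111111-2222-3333-4444-555555555555 Timestamp: 2026-02-21 09:17:46Z","error_codes":[53003],"timestamp":"2026-02-21 09:17:46Z","trace_id":"00000000-0000-0000-0000-000000000001","correlation_id":"11111111-2222-3333-4444-555555555555"}'

if [ "$#" -ge 2 ]; then
  probe "$1" "$2"
else
  echo "sample (token issued): $(classify_token_response "$SAMPLE_OK")"
  echo "sample (CA block):     $(classify_token_response "$SAMPLE_BLOCKED")"
fi
```

The Correlation ID printed for a blocked request is the value to paste into the sign-in log filter; note that managed-identity sign-ins appear on the "Managed identity sign-ins" tab of the Entra sign-in logs, not on the user sign-in tabs. Two related checks that need no node access: `az aks check-acr --name <cluster> --resource-group <rg> --acr <registry>.azurecr.io` performs a similar end-to-end pull test from inside the cluster, and the `az role assignment list --assignee ...` command from the answer above should be run with the kubelet identity's client or object ID rather than the cluster's control-plane identity, since those are different identities on AKS.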
