B2B guest accounts from specific domain blocked with error 530035 — "Invitations blocked due to suspicious activity"
Description:
Guest accounts from one external domain (transferonline.com) cannot sign in to our Azure Static Web Apps application, while guest accounts from gmail.com work fine.
Tenant: waltercole1997gmail789.onmicrosoft.com
Tenant ID: 58d9f7ed-72b9-4474-abe4-6c342827014e
What works:
- Tenant owner account signs in normally
- Gmail-based B2B guest accounts sign in normally
What fails:
- B2B guest accounts from transferonline.com get error 530035: "Your sign-in was successful but you don't have permission to access this resource"
- Graph API calls to /v1.0/invitations return: "Invitations are blocked for this directory due to suspicious activity. Please contact Microsoft support for help."
What we've verified:
- External collaboration settings allow invitations to any domain (no restrictions)
- appRoleAssignmentRequired is false on the app service principal
- The guest accounts exist in the directory and are enabled
- The guest accounts have been explicitly assigned app roles on the SWA service principal
- groupMembershipClaims is set to SecurityGroup
- The affected users are members of the correct Entra security groups
Error details from sign-in attempt:
- Error Code: 530035
- App: dms-docs-swa-auth-dev
- Correlation ID: e1cd0122-9094-4fc1-8590-f0a4eff32640
We cannot file a support ticket through the portal (the B2B category redirects to documentation pages instead of a ticket form). Looking for help getting the "suspicious activity" block lifted or understanding why only one domain's guests are affected.