Looking for information on Sign-in error code 530004 // AcceptCompliantDevice setting

K.Ach 36 Reputation points

Hi all,

About a week ago, several of our tenant guest users are encountering the following error and are unable to access our tenant:

error code: 530004
Failure reason: AcceptCompliantDevice setting isn't configured for this organization. The admin needs to configure this setting to allow external users access to protected resources.

We have discovered that the affected users have the following device info:
Compliant No
Managed No

But the weird thing is it affects guest users that have "identity issuer: mail" not just "ExternalAD" and "MicrosoftAccount".

How can mail guests have a managed device?

We cannot find any documented change that may be causing this - we would be grateful for any information on the topic.


Accepted answer
  1. Justin Page 86 Reputation points

    An update from our org today, too

    We have an MS ticket open but it has not gotten anywhere.

    We are seeing success again for guest users. I can verify it works in our troubleshooting designs as well.

3 additional answers

  1. Ville 5 Reputation points

    Are there any updates from others that had Microsoft tickets open?

    I'm posting this in January 2023 and I'm seeing this same issue others have described:

    • when accessing external org in Teams or Sharepoint
    • on macOS, registered and compliant device, not fully managed
      • desktop app: I receive two MFA prompts, one from home tenant, one from external tenant and approve both successfully
      • web client (in Edge and Chrome browser): I receive one MFA prompt and approve it successfully
      • Result in both cases:
        • Sorry, you can't get to this yet
        • You can't complete this action because you're trying to access protected resources as an external user in this organization. Please contact the admin to allow you to access the protected resources.
        • Error Code: 530004
    • on Windows it works fine (including non-compliant, non-managed)
    • on iOS Teams app it works fine (registered, non-managed)

    I've tried completely uninstalling + reinstalling the Teams desktop app on macOS. It didn't help.

    I wonder if this could be resolved by the tenant inviting the external users adjusting their cross tenant B2B inbound trust settings, see https://learn.microsoft.com/en-us/azure/active-directory/external-identities/cross-tenant-access-settings-b2b-collaboration#to-change-inbound-trust-settings-for-mfa-and-device-claims

    I'm not able to test that as I'm not an admin in the other tenant, but in any case that would be more of a workaround than a fix. It seems like there is something wrong in the auth flow for external use on macOS for the scenario where the external org requires MFA for external users.

    1 person found this answer helpful.
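
To check whether the block follows a device profile, as the platform differences reported in this thread suggest, the resource tenant's sign-in log can be grouped by device details. The following is an added example, not part of any answer in this thread: it uses the `status.errorCode` and `deviceDetail` fields of the Microsoft Graph signIn resource, and the records, users and operating-system strings are constructed sample data.

```python
import json
from collections import Counter

# Constructed sample records (not from the thread), shaped like Microsoft Graph
# signIn objects: status.errorCode (0 = success) and deviceDetail.* fields.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "guest1@partner.example", "status": {"errorCode": 530004},
  "deviceDetail": {"operatingSystem": "MacOs", "isCompliant": true, "isManaged": false}},
 {"userPrincipalName": "guest1@partner.example", "status": {"errorCode": 530004},
  "deviceDetail": {"operatingSystem": "MacOs", "isCompliant": true, "isManaged": false}},
 {"userPrincipalName": "guest2@partner.example", "status": {"errorCode": 0},
  "deviceDetail": {"operatingSystem": "Windows", "isCompliant": false, "isManaged": false}},
 {"userPrincipalName": "guest3@partner.example", "status": {"errorCode": 0},
  "deviceDetail": {"operatingSystem": "iOS", "isCompliant": false, "isManaged": false}},
 {"userPrincipalName": "guest4@mail.example", "status": {"errorCode": 530004},
  "deviceDetail": {"operatingSystem": "Windows", "isCompliant": false, "isManaged": false}},
 {"userPrincipalName": "guest2@partner.example", "status": {"errorCode": 50074},
  "deviceDetail": {}}
]""")

DEVICE_TRUST_ERROR = 530004  # error code reported in this thread

def summarize(signins, error_code=DEVICE_TRUST_ERROR):
    """Count sign-ins per (OS, compliant, managed) profile: blocked vs. successful."""
    blocked, ok = Counter(), Counter()
    for rec in signins:
        dev = rec.get("deviceDetail") or {}
        profile = (dev.get("operatingSystem") or "unknown",
                   bool(dev.get("isCompliant")), bool(dev.get("isManaged")))
        code = (rec.get("status") or {}).get("errorCode")
        if code == error_code:
            blocked[profile] += 1
        elif code == 0:
            ok[profile] += 1  # other error codes are ignored on purpose
    return blocked, ok

def blocked_only_profiles(signins, error_code=DEVICE_TRUST_ERROR):
    """Profiles that hit the error and never signed in successfully."""
    blocked, ok = summarize(signins, error_code)
    return sorted(p for p in blocked if p not in ok)

if __name__ == "__main__":
    blocked, ok = summarize(SAMPLE_SIGNINS)
    for profile in sorted(set(blocked) | set(ok)):
        print(profile, "blocked:", blocked[profile], "ok:", ok[profile])
    print("blocked only:", blocked_only_profiles(SAMPLE_SIGNINS))
```

A profile that appears in both counters, like the Windows one in the sample, means the device state alone does not explain the failure.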

  2. Jason Sandys 31,151 Reputation points Microsoft Employee

    This looks like a conditional access related issue and so I've added the CA tag to this thread. Assuming this is something that just started happening, your best bet is probably to open a support case though. I know we've been expanding CA capabilities into B2C scenarios recently so this could be because of that -- not my deep area of expertise though. See https://learn.microsoft.com/en-us/azure/active-directory-b2c/conditional-access-user-flow?pivots=b2c-user-flow for details on this.

  3. K.Ach 36 Reputation points

    An update from our end:

    We have an open ticket with MS and are still cycling through support levels, but have not gotten any solid feedback yet on the issue or the cause.

    As of today - 7 days after the first incident - the problem just stopped and everything seems to be back to normal.
    It seems that there was a blunder in the background, but they kept quiet about it.

    Anyhow, mistakes happen and that's ok in my book - some communication and transparency from MS would have been appreciated.

    I'm curious if it was solved for others as well?