Use this article to troubleshoot unexpected sign-in outcomes related to Conditional Access using error messages and Microsoft Entra sign-in logs.
The Conditional Access framework provides great configuration flexibility. However, great flexibility also means that you should carefully review each configuration policy before releasing it to avoid undesirable results. In this context, pay special attention to assignments affecting complete sets such as all users / groups / cloud apps.
Organizations should avoid the following configurations:
For all users, all resources:
For all users, all resources, all device platforms:
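As an added example (not code from the Microsoft article), the following Python check reads Conditional Access policies in the shape of the Microsoft Graph conditionalAccessPolicy resource and flags the broad assignments this section warns about: All users plus All resources (optionally all device platforms) combined with a block or device-based grant control, and, for such policies, the absence of any excluded user, group or role. The sample policies, their display names and the excluded group ID are constructed placeholders.

```python
"""Flag Conditional Access policies whose assignment covers a complete set
(All users, All resources, optionally all platforms) with a blocking or
device-based grant control.

Added example, not code from the Microsoft article. Policy dictionaries follow
the shape of the Microsoft Graph conditionalAccessPolicy resource; the sample
policies at the bottom are constructed for illustration."""

# Grant controls that deny access outright or require a device state a user
# may not have yet. Applied to every user and every resource they can lock out
# the whole tenant, including the administrators who would fix the policy.
LOCKOUT_CONTROLS = {"block", "compliantDevice", "domainJoinedDevice", "approvedApplication"}


def _covers_everything(conditions: dict) -> tuple[bool, str]:
    """Return (True, scope text) when users, apps and client types are all 'All'."""
    users = conditions.get("users", {})
    apps = conditions.get("applications", {})
    platforms = conditions.get("platforms") or {}
    client_types = conditions.get("clientAppTypes") or ["all"]

    all_users = "All" in users.get("includeUsers", [])
    all_apps = "All" in apps.get("includeApplications", [])
    # A policy limited to particular client types (for example one that only
    # targets legacy authentication clients) does not cover every sign-in.
    all_clients = "all" in client_types
    if not (all_users and all_apps and all_clients):
        return False, ""
    scope = "all users, all resources"
    if "all" in platforms.get("includePlatforms", []):
        scope += ", all device platforms"
    return True, scope


def assignment_findings(policy: dict) -> list[str]:
    """Human-readable findings for one policy; an empty list means no concern."""
    if policy.get("state") == "disabled":
        return []
    name = policy.get("displayName", policy.get("id", "<unnamed>"))
    if policy.get("state") == "enabledForReportingButNotEnforced":
        name += " (report-only)"
    covers_all, scope = _covers_everything(policy.get("conditions", {}))
    if not covers_all:
        return []

    findings = []
    controls = set((policy.get("grantControls") or {}).get("builtInControls", []))
    if "block" in controls:
        findings.append(f"{name}: blocks access for {scope}; this blocks the entire organization")
    elif controls & LOCKOUT_CONTROLS:
        needed = ", ".join(sorted(controls & LOCKOUT_CONTROLS))
        findings.append(f"{name}: requires {needed} for {scope}; users without a qualifying "
                        "device or app cannot sign in anywhere, including to fix the policy")

    users = policy.get("conditions", {}).get("users", {})
    excluded = users.get("excludeUsers") or users.get("excludeGroups") or users.get("excludeRoles")
    if findings and not excluded:
        findings.append(f"{name}: no excluded users, groups or roles, so no account is "
                        "left that the policy does not apply to")
    return findings


def lint_policies(policies: list[dict]) -> dict[str, list[str]]:
    """Map each policy display name to its findings, omitting clean policies."""
    result = {}
    for policy in policies:
        findings = assignment_findings(policy)
        if findings:
            result[policy["displayName"]] = findings
    return result


# Constructed sample policies (names and the excluded group ID are placeholders).
SAMPLE_POLICIES = [
    {
        "displayName": "Block everything",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Require compliant device",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeGroups": ["00000000-0000-0000-0000-000000000001"]},
            "applications": {"includeApplications": ["All"]},
            "platforms": {"includePlatforms": ["all"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    },
    {
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]

if __name__ == "__main__":
    for _, findings in lint_policies(SAMPLE_POLICIES).items():
        for finding in findings:
            print(finding)
```

Run the check against the JSON you export for your policies before enabling a new one; the third sample shows why client app types matter, since a block policy restricted to legacy clients is narrowly scoped even though it names All users and All resources.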
Review the error message that appears. For problems signing in with a web browser, the error page itself has detailed information. This information alone might describe the problem and suggest a solution.
For example, the error page might state that the application can only be accessed from devices or client applications that meet the company's mobile device management policy. In that case, the device or client application used for the sign-in doesn't meet the policy.
Selecting More Details on the error page reveals troubleshooting information that is helpful when searching the Microsoft Entra sign-in events for the specific failure event the user saw, or when opening a support incident with Microsoft.
The second method to get detailed information about the sign-in interruption is to review the Microsoft Entra sign-in events to see which Conditional Access policy or policies were applied and why.
To find out which Conditional Access policy or policies applied and why, follow these steps.
Sign in to the Microsoft Entra admin center as at least a Reports Reader.
Browse to Identity > Monitoring & health > Sign-in logs.
Find the event for the sign-in to review. Add or remove filters and columns to filter out unnecessary information.
After finding the sign-in event that corresponds to the user's sign-in failure, select the Conditional Access tab. The Conditional Access tab shows the specific policy or policies that resulted in the sign-in interruption.
Selecting the ellipsis on the right side of the policy in a sign-in event brings up policy details. This option gives administrators additional information about why a policy was successfully applied or not.
The left side lists the details collected at sign-in, and the right side shows whether those details satisfied each condition of the applied Conditional Access policies. A policy applies only when every configured condition is satisfied; conditions that aren't configured don't restrict it.
If the information in the event isn't enough to understand the sign-in results or adjust the policy to get desired results, use the sign-in diagnostic tool. The sign-in diagnostic is under Basic info > Troubleshoot Event. For more information about the sign-in diagnostic, see What is the sign-in diagnostic in Microsoft Entra ID. You can also use the What If tool to troubleshoot Conditional Access policies.
If you need to submit a support incident, provide the request ID and time and date from the sign-in event in the incident submission details. This information allows Microsoft support to find the specific event you're concerned about.
| Sign-in Error Code | Error String |
|---|---|
| 53000 | DeviceNotCompliant |
| 53001 | DeviceNotDomainJoined |
| 53002 | ApplicationUsedIsNotAnApprovedApp |
| 53003 | BlockedByConditionalAccess |
| 53004 | ProofUpBlockedDueToRisk |
More information about error codes can be found in the article Microsoft Entra authentication and authorization error codes. Error codes in the list appear with a prefix of AADSTS followed by the code seen in the browser, for example AADSTS53002.
In some scenarios, users are blocked because cloud apps depend on resources blocked by Conditional Access policy.
To determine the service dependency, check the sign-in log entry for both the application and the resource called by the sign-in. For example, the application called might be Azure Portal while the resource called is Windows Azure Service Management API; a policy that targets only the portal then interrupts the sign-in through the API it depends on. To target this scenario correctly, include the application and the resources it depends on together in the Conditional Access policy.
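As an added example (not code from the Microsoft article), the following Python script applies the steps above offline to sign-in log entries in the shape of the Microsoft Graph signIn resource, which carries the fields the portal's Conditional Access tab shows: it pulls out the request ID and time to quote in a support incident, renders the error code as the AADSTS string from the table, lists the policies whose result is failure with their enforced grant controls, and flags a service dependency when the resource called differs from the application the user opened. The sample entries, user names, IDs and timestamps are constructed placeholders, and treating the signIn id as the portal's Request ID is an assumption.

```python
"""Explain interrupted sign-ins from Microsoft Entra sign-in log entries.

Added example, not code from the Microsoft article. Entries follow the shape of
the Microsoft Graph signIn resource; the sample entries at the bottom are
constructed for illustration (user names, IDs and timestamps are placeholders)."""

from collections import Counter

# Error codes and strings from the table in this article.
ERROR_STRINGS = {
    53000: "DeviceNotCompliant",
    53001: "DeviceNotDomainJoined",
    53002: "ApplicationUsedIsNotAnApprovedApp",
    53003: "BlockedByConditionalAccess",
    53004: "ProofUpBlockedDueToRisk",
}


def aadsts_code(error_code: int) -> str:
    """Render a numeric code the way the browser shows it, for example AADSTS53002."""
    return f"AADSTS{error_code}"


def explain_sign_in(entry: dict) -> dict:
    """Summarise why a sign-in was interrupted and which policies did it."""
    status = entry.get("status") or {}
    code = status.get("errorCode") or 0
    applied = entry.get("appliedConditionalAccessPolicies") or []
    blocking = [
        {"policy": p.get("displayName"), "grantControls": p.get("enforcedGrantControls") or []}
        for p in applied
        if p.get("result") == "failure"
    ]
    app = entry.get("appDisplayName")
    resource = entry.get("resourceDisplayName")
    return {
        # Assumption: the signIn 'id' is the value the portal labels Request ID.
        "requestId": entry.get("id"),
        "time": entry.get("createdDateTime"),
        "user": entry.get("userPrincipalName"),
        "aadsts": aadsts_code(code) if code else None,
        "errorString": ERROR_STRINGS.get(code, status.get("failureReason") or ""),
        "conditionalAccessStatus": entry.get("conditionalAccessStatus"),
        "blockingPolicies": blocking,
        "application": app,
        "resource": resource,
        # A policy blocked a resource other than the app the user opened.
        "serviceDependency": bool(blocking) and app != resource,
    }


def failures_by_policy(entries: list[dict]) -> Counter:
    """Count 'failure' results per policy, to see which policy interrupts most sign-ins."""
    counts = Counter()
    for entry in entries:
        for p in entry.get("appliedConditionalAccessPolicies") or []:
            if p.get("result") == "failure":
                counts[p.get("displayName")] += 1
    return counts


# Constructed sample entries; values are placeholders, not real log data.
SAMPLE_ENTRIES = [
    {
        "id": "00000000-0000-0000-0000-00000000a001",
        "createdDateTime": "2025-03-01T09:12:44Z",
        "userPrincipalName": "alice@contoso.example",
        "appDisplayName": "Azure Portal",
        "resourceDisplayName": "Windows Azure Service Management API",
        "status": {"errorCode": 53000, "failureReason": "Device is not in required device state: compliant."},
        "conditionalAccessStatus": "failure",
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require compliant device for Azure management",
             "result": "failure", "enforcedGrantControls": ["RequireCompliantDevice"]},
            {"displayName": "Require MFA for all users", "result": "notApplied", "enforcedGrantControls": []},
        ],
    },
    {
        "id": "00000000-0000-0000-0000-00000000a002",
        "createdDateTime": "2025-03-01T09:15:02Z",
        "userPrincipalName": "bob@contoso.example",
        "appDisplayName": "Office 365 Exchange Online",
        "resourceDisplayName": "Office 365 Exchange Online",
        "status": {"errorCode": 53003, "failureReason": "Access has been blocked by Conditional Access policies."},
        "conditionalAccessStatus": "failure",
        "appliedConditionalAccessPolicies": [
            {"displayName": "Block legacy authentication", "result": "failure", "enforcedGrantControls": ["Block"]},
        ],
    },
    {
        "id": "00000000-0000-0000-0000-00000000a003",
        "createdDateTime": "2025-03-01T09:20:31Z",
        "userPrincipalName": "alice@contoso.example",
        "appDisplayName": "Microsoft Teams",
        "resourceDisplayName": "Microsoft Teams",
        "status": {"errorCode": 0},
        "conditionalAccessStatus": "success",
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require MFA for all users", "result": "success", "enforcedGrantControls": ["Mfa"]},
        ],
    },
]

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(explain_sign_in(entry))
    print(failures_by_policy(SAMPLE_ENTRIES))
```

The first sample is the service-dependency case from this section: the user opened the Azure Portal, but the blocked resource was the management API, so a policy scoped only to the portal would not explain the interruption until you look at the resource column.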
If you're locked out due to an incorrect setting in a Conditional Access policy: