This article discusses scenarios where the AADSTS530004 error occurs when a guest user accesses an application or resource in a resource tenant and provides solutions.
Symptoms
When a guest user tries to access an application or resource in a resource tenant, the sign-in process fails, and the following error message is displayed:
AADSTS530004: AcceptCompliantDevice setting isn't configured for this organization. The administrator needs to configure this setting to allow external user access to protected resources.
Additionally, when an administrator reviews the sign-in logs in the home tenant, the same error code is displayed.
Scenario 1: Conditional Access policy for compliant devices
When a Conditional Access policy in the resource tenant is set with the Require device to be marked as compliant control and the policy is applied to guest users, the AADSTS530004 error can occur.
To resolve the error, follow these steps:
1. Create a Cross Tenant Access Policy (XTAP) policy with the Trust compliant devices setting in the user's home tenant.
2. Ensure that the guest user's device is authenticated.
   Device authentication might fail under some conditions. For more information, see Device authentication fails.
3. Ensure that the guest user's device is joined to Microsoft Intune or supported mobile device management (MDM) solutions in the home tenant and is compliant.
Note
Several third-party device compliance partners are supported for integration with Microsoft Intune. For more information, see Support third-party device compliance partners in Intune. For more information about configuring Intune device compliance, see Monitor results of your Intune Device compliance policies.
Scenario 2: Conditional Access policy for hybrid-joined devices
When a Conditional Access policy in the resource tenant is set with the Require Microsoft Entra hybrid joined device control and the policy is applied to guest users, the error can occur.
To resolve the error, follow these steps:
1. Create an XTAP policy with the Trust Microsoft Entra hybrid joined devices setting in the user's home tenant.
2. Ensure that the guest user's device is authenticated.
   Device authentication might fail under some conditions. For more information, see Device authentication fails.
3. Ensure that the guest user's device is Microsoft Entra hybrid joined in the home tenant.
Scenario 3: Conditional Access policy for approved client apps
When a Conditional Access policy in the resource tenant is configured with the Require approved client app control and the policy is applied to guest users, the error can occur.
This scenario isn't supported. To resolve the error, don't apply this control to guest users.
Device authentication fails
Device authentication might fail under one of the following conditions:
- When accessing using a browser in InPrivate or Incognito mode.
- When using unsupported browsers or devices, particularly on mobiles.
- When browser cookies are disabled.
- When a desktop or native application doesn't support device authentication or doesn't use Microsoft Authentication Broker.
For more information about Microsoft Authentication Broker on different device platforms, see the following pages:
For more information on supported device platforms, see Microsoft Entra Conditional Access - Device platforms.
To verify whether the device claim is sent, review the sign-in logs for the failed or successful user in the resource tenant:
- Navigate to the sign-in logs for the user and locate the relevant failure or success event.
- Under the Device Info section, check the Join type field. This field indicates the device claim that was passed.
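The same check can be run over exported sign-in logs. The following is an added example, not part of the original article or any Microsoft tooling: it filters records for error 530004, reports whether a Join type (device claim) was passed, and maps the failing Conditional Access grant control to the scenarios above. Assumptions: records follow the Microsoft Graph signIn shape (status.errorCode, deviceDetail.trustType, appliedConditionalAccessPolicies), the enforcedGrantControls strings and the "failure" policy result are as shown, the sample data is constructed, and the function name triage is hypothetical.

```python
import json

# Constructed sample shaped like Microsoft Graph signIn records; not real log data.
SAMPLE = json.loads("""[
 {"userPrincipalName": "guest1@example.com", "status": {"errorCode": 530004},
  "deviceDetail": {"trustType": ""},
  "appliedConditionalAccessPolicies": [
   {"displayName": "Guests need compliant device", "result": "failure",
    "enforcedGrantControls": ["RequireCompliantDevice"]}]},
 {"userPrincipalName": "guest2@example.com", "status": {"errorCode": 530004},
  "deviceDetail": {"trustType": "Hybrid Azure AD joined"},
  "appliedConditionalAccessPolicies": [
   {"displayName": "Guests need hybrid join", "result": "failure",
    "enforcedGrantControls": ["RequireDomainJoinedDevice"]}]},
 {"userPrincipalName": "member@example.com", "status": {"errorCode": 0},
  "deviceDetail": {"trustType": "Azure AD joined"}, "appliedConditionalAccessPolicies": []}
]""")

# Assumed enforcedGrantControls strings, mapped to the scenarios on this page.
SCENARIOS = {
    "requirecompliantdevice": "Scenario 1",
    "requiredomainjoineddevice": "Scenario 2",
    "requireapprovedapp": "Scenario 3",
}

def triage(records, error_code=530004):
    """Return one finding per sign-in that failed with AADSTS530004."""
    findings = []
    for rec in records:
        if (rec.get("status") or {}).get("errorCode") != error_code:
            continue
        join_type = ((rec.get("deviceDetail") or {}).get("trustType") or "").strip()
        failed = [p for p in rec.get("appliedConditionalAccessPolicies") or []
                  if p.get("result") == "failure"]
        scenarios = sorted({SCENARIOS[c.lower()] for p in failed
                            for c in p.get("enforcedGrantControls") or []
                            if c.lower() in SCENARIOS})
        findings.append({
            "user": rec.get("userPrincipalName"),
            "join_type": join_type or None,
            # An empty Join type means no device claim was passed in this sign-in.
            "device_claim_sent": bool(join_type),
            "policies": [p.get("displayName") for p in failed],
            "scenarios": scenarios,
        })
    return findings

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

A finding with device_claim_sent set to False points to the conditions listed under Device authentication fails; a finding with a Join type present points back to the XTAP trust setting or the device state for the matching scenario.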
AADSTS error code reference
For a full list of authentication and authorization error codes, see Microsoft Entra authentication and authorization error codes. To investigate individual errors, search at https://login.microsoftonline.com/error.