AADSTS53003 – Access Blocked by Conditional Access Policy
Error: AADSTS53003 – Access has been blocked by Conditional Access policies. The policy does not allow token issuance.
This error occurs when a Conditional Access policy in the customer tenant blocks access to the Sync 365 service principal or delegated admin account.
Cause: The customer tenant has a policy that restricts access from external users or apps — including those used by Sync 365 — and hasn’t excluded the appropriate accounts or service principals.
How to Identify the Policy
- Login to the customer's Azure portal
- Open Microsoft Entra ID (Azure AD)
- Go to Users → Sign-in logs
- Select User sign-ins (non-interactive)
- Filter by application name "Sync 365 License"
- Click into the failed sign-in
- Click Conditional Access policy to see any applied.
- Look for one with a Blocked Result to find the one that is blocking it.
Resolution
To fix the issue, adjust the Conditional Access policies in the customer tenant:
- Login to the customer’s Microsoft Entra ID portal
- Go to Conditional Access → Policies
- Identify the policy blocking access in the Sign-in logs
- Edit the policy and make the following changes:
- In the Users section, click Exclude → select "Service provider users"
- All: excludes all service providers with tenant relationships
- Select: allows you to specify specific tenant IDs — be sure to enter your tenant ID
- Save the policy and retry the connection in Sync 365
More guidance:
Related Articles
AADSTS53000: Device is not in required device state: compliant. Conditional Access policy requires a compliant device, and the device is not compliant. The user must enroll their device with an approved MDM provider like Intune
Error: AADSTS53000: Device is not in required device state: compliant. Conditional Access policy requires a compliant device, and the device is not compliant. The user must enroll their device with an approved MDM provider like Intune If you’ve ...AADSTS530034 / AADSTS530032 – Delegated Admin Blocked Due to Risk
Error: AADSTS530034 / AADSTS530032 – Delegated administrator or user blocked due to risk This error occurs when Microsoft flags the delegated admin account as a risky user, or when security defaults block access unexpectedly. Cause: Risky user ...AADSTS50078 – MFA Expired Due to Admin Policy
Error: AADSTS50078 – Presented MFA has expired due to policies configured by your administrator This error usually appears when a delegated admin account’s MFA configuration has changed — for example, when MFA was turned off, reset, or conditional ...AADSTS530004 – Device Compliance Setting Missing
If you’ve received error AADSTS530004: AcceptCompliantDevice setting isn't configured for this organization, it means the tenant has a conditional access policy that only allows compliant devices — and the service provider account is not treated as ...Access Denied – Caller Lacks Valid Entra Role
Error: Access Denied – Caller should have a valid Entra role This error means the account making the request is not assigned any valid role in Microsoft Entra ID (formerly Azure AD) within the customer tenant — often due to GDAP misconfiguration. ...