AADSTS53003 – Access Blocked by Conditional Access Policy
Error: AADSTS53003 – Access has been blocked by Conditional Access policies. The policy does not allow token issuance.
This error occurs when a Conditional Access policy in the customer tenant blocks access to the Sync 365 service principal or delegated admin account.
Cause: The customer tenant has a policy that restricts access from external users or apps — including those used by Sync 365 — and hasn’t excluded the appropriate accounts or service principals.
How to Identify the Policy
- Login to the customer's Azure portal
- Open Microsoft Entra ID (Azure AD)
- Go to Users → Sign-in logs
- Select User sign-ins (non-interactive)
- Filter by application name "Sync 365 License"

- Click into the failed sign-in
- Click Conditional Access policy to see any applied.

- Look for one with a Blocked Result to find the one that is blocking it.
Resolution
To fix the issue, adjust the Conditional Access policies in the customer tenant:
- Login to the customer’s Microsoft Entra ID portal
- Go to Conditional Access → Policies
- Identify the policy blocking access in the Sign-in logs
Edit the policy and make the following changes:
In the Users section, click Exclude → select "Service provider users"
All: excludes all service providers with tenant relationships
Select: allows you to specify specific tenant IDs — be sure to enter your tenant ID
Save the policy and retry the connection in Sync 365
More guidance:
Related Articles
AADSTS53000: Device is not in required device state: compliant. Conditional Access policy requires a compliant device, and the device is not compliant. The user must enroll their device with an approved MDM provider like Intune
Error: AADSTS53000: Device is not in required device state: compliant. Conditional Access policy requires a compliant device, and the device is not compliant. The user must enroll their device with an approved MDM provider like Intune If you’ve ...
AADSTS530034 / AADSTS530032 – Delegated Admin Blocked Due to Risk
Error: AADSTS530034 / AADSTS530032 – Delegated administrator or user blocked due to risk This error occurs when Microsoft flags the delegated admin account as a risky user, or when security defaults block access unexpectedly. Cause: Risky user ...
AADSTS50078 – MFA Expired Due to Admin Policy
Error: AADSTS50078 – Presented MFA has expired due to policies configured by your administrator This error usually appears when a delegated admin account’s MFA configuration has changed — for example, when MFA was turned off, reset, or conditional ...
AADSTS530004 – Device Compliance Setting Missing
If you’ve received error AADSTS530004: AcceptCompliantDevice setting isn't configured for this organization, it means the tenant has a conditional access policy that only allows compliant devices — and the service provider account is not treated as ...
AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication
Error: AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access This can typically be caused by a conditional access policy in your ...