AADSTS53003 - Access Blocked by Conditional Access

Error: AADSTS53003 – Access has been blocked by Conditional Access policies. The policy does not allow token issuance.

This error occurs when a Conditional Access policy in the customer tenant blocks the sign-in of the Sync 365 delegated admin account or the Sync 365 service principal. The policy evaluated to a block, so Microsoft Entra ID refused to issue a token, and Sync 365 cannot reach the customer tenant until the policy is adjusted.

Cause: The customer tenant has a Conditional Access policy that restricts access for external users or apps, including the delegated admin (GDAP) account and service principal used by Sync 365, and the policy does not exclude those identities. Common examples are policies that require a compliant or hybrid-joined device, allow sign-ins only from named locations, or block all guest and external users; a partner account signing in over GDAP cannot satisfy any of these.

How to Identify the Policy

  • Sign in to the customer's Azure portal (or the Microsoft Entra admin center)
  • Open Microsoft Entra ID (formerly Azure AD)
  • Go to Users → Sign-in logs
  • Find the failed sign-in attempt by "<Your company name> Technician" (the delegated admin account); filtering on Status = Failure and Sign-in error code 53003 narrows the list
  • Open the failed sign-in and check its Conditional Access tab: every policy that was evaluated is listed with a result, and the policy marked Failure is the one blocking access (report-only policies are listed too, but they do not block)

Resolution

To fix the issue, adjust the Conditional Access policy in the customer tenant rather than disabling it:

  1. Sign in to the customer's Microsoft Entra admin center (or the Azure portal)
  2. Go to Protection → Conditional Access → Policies
  3. Open the policy that the Sign-in logs showed as blocking access (result Failure on the Conditional Access tab of the failed sign-in)
  4. Edit the policy and make the following changes:
    • Exclude: the Sync 365 delegated admin account. Because the account comes in through GDAP it is not a user object in the customer tenant, so exclude it under Users → Exclude → Guest or external users → "Service provider users" (this can be scoped to specific partner tenants rather than all of them)
    • Exclude: the Sync 365 License service principal (optional but recommended). Note that a policy targeting users never applies to a service principal; a service principal can only be excluded from a policy whose target is workload identities, and its blocked sign-ins appear in the separate Service principal sign-ins log, not in the user Sign-in logs
  5. Save the policy and re-run the Sync 365 operation; the next sign-in should show the policy as Not applied for the technician account

Keep the exclusion as narrow as possible: exclude only service provider users, ideally only from your own partner tenant, and leave the policy's controls in place for everyone else.
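The same identification and exclusion steps, scripted against the customer tenant with the Microsoft Graph PowerShell SDK. This is an added example and not Sync 365's own tooling; it assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Reports modules are installed, that the delegated admin's GDAP roles allow reading sign-in logs and editing Conditional Access policies in the customer tenant, and that the tenant ID and technician UPN are placeholders you replace. It only covers the user Sign-in logs; service principal sign-ins blocked by a workload identity policy are not queried here.

```powershell
# Added example, not Sync 365 code: find the Conditional Access policy behind AADSTS53003
# in a customer tenant and add a "service provider users" exclusion to it.
# Requires Microsoft.Graph.Authentication and Microsoft.Graph.Reports.
$CustomerTenantId = '00000000-0000-0000-0000-000000000000'   # placeholder, assumed
$TechnicianUpn    = 'technician@partner.example'             # placeholder, assumed
$Apply            = $false                                   # set to $true to write the exclusion

# Connect to the customer tenant, not the partner tenant: GDAP makes the technician a
# "service provider user" there, and that is where the blocking policy lives.
$scopes = @(
    'AuditLog.Read.All', 'Directory.Read.All',
    'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'
)
Connect-MgGraph -TenantId $CustomerTenantId -Scopes $scopes -NoWelcome

# 1. Recent interactive sign-ins by the technician that ended in error code 53003.
$filter = "status/errorCode eq 53003 and userPrincipalName eq '$TechnicianUpn'"
$failed = Get-MgAuditLogSignIn -Filter $filter -Top 50

# 2. Each sign-in records every policy that was evaluated. Result "failure" marks the
#    policy that blocked token issuance; "reportOnlyFailure" is report-only and does not block.
$blocking = foreach ($s in $failed) {
    foreach ($p in $s.AppliedConditionalAccessPolicies) {
        if ($p.Result -eq 'failure') {
            [pscustomobject]@{
                When     = $s.CreatedDateTime
                App      = $s.AppDisplayName
                Client   = $s.IPAddress
                PolicyId = $p.Id
                Policy   = $p.DisplayName
            }
        }
    }
}
if (-not $blocking) {
    Write-Host "No 53003 sign-ins with a blocking policy found for $TechnicianUpn"
    return
}
$blocking | Format-Table When, App, Client, Policy -AutoSize

# 3. For each blocking policy, exclude GDAP service provider users instead of disabling
#    the policy. The conditions object is read back and sent whole, which is the safe
#    pattern regardless of how the service merges a partial PATCH of conditions.users.
foreach ($id in ($blocking.PolicyId | Select-Object -Unique)) {
    $uri     = "https://graph.microsoft.com/v1.0/identity/conditionalAccessPolicies/$id"
    $policy  = Invoke-MgGraphRequest -Method GET -Uri $uri   # nested hashtables
    $users   = $policy.conditions.users
    $current = $users.excludeGuestsOrExternalUsers

    if ($current -and (($current.guestOrExternalUserTypes -split ',') -contains 'serviceProvider')) {
        Write-Host "[$($policy.displayName)] already excludes service provider users"
        continue
    }
    # Preserve any existing guest/external exclusions and their tenant scope; only add
    # the serviceProvider type. A fresh exclusion defaults to all external tenants, so
    # narrow it to your partner tenant in the portal afterwards if that is your policy.
    $types   = if ($current) { "$($current.guestOrExternalUserTypes),serviceProvider" } else { 'serviceProvider' }
    $tenants = if ($current) { $current.externalTenants } else {
        @{ '@odata.type' = '#microsoft.graph.conditionalAccessAllExternalTenants'; membershipKind = 'all' }
    }
    $users.excludeGuestsOrExternalUsers = @{
        guestOrExternalUserTypes = $types
        externalTenants          = $tenants
    }

    if ($Apply) {
        Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body @{ conditions = $policy.conditions }
        Write-Host "[$($policy.displayName)] exclusion written; re-test the technician sign-in"
    } else {
        Write-Host "[$($policy.displayName)] would set excludeGuestsOrExternalUsers to '$types' (set `$Apply = `$true to write)"
    }
}
```

Run it first with `$Apply = $false` to see which policies would change, then check the proposed exclusion against the customer's own policy before writing. After applying, the next technician sign-in should list the policy with result Not applied; if a second policy then fails, the loop picks it up on the next run.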

Related Articles

    • AADSTS530034 / AADSTS530032 – Delegated Admin Blocked Due to Risk
    • AADSTS50078 – MFA Expired Due to Admin Policy
    • Access Denied – Caller Lacks Valid Entra Role
    • Authorization Error – Unsupported Token or Access Forbidden
    • AADSTS50076 – MFA Required Due to Location or Policy Change