AADSTS530034 / AADSTS530032 – Delegated Admin Blocked Due to Risk

Error: AADSTS530034 / AADSTS530032 – Delegated administrator or user blocked due to risk

Two codes are grouped here because they surface in the same way for a delegated (partner) admin but point at different tenants. AADSTS530034 (DelegatedAdminBlockedDueToSuspiciousActivity) means the delegated administrator was blocked because Microsoft Entra ID Protection has flagged the account as risky in its home (partner) tenant. AADSTS530032 (BlockedByConditionalAccessOnSecurityPolicy) means a tenant-level security policy in the customer tenant, typically security defaults, did not allow the request. The code you receive tells you which tenant to start in.

Cause: Either the delegated admin's user risk was raised in your own partner tenant (530034), or security defaults or a Conditional Access policy in the customer tenant blocked the delegated sign-in (530032).

Resolution

Step 1 – Check for Risky User in Your Tenant

  1. Go to your own tenant’s Microsoft Entra ID (Azure AD)
  2. Navigate to Security → Risky users
  3. If your delegated admin account is listed, review Security → Risk detections and the account's recent sign-ins before acting:
    • If every detection has a benign explanation (a known partner egress IP, expected travel), select the account → click Dismiss user risk
    • If not, do not dismiss the risk: treat the account as compromised, revoke its sessions and reset its password. A secure password change remediates the user risk for cloud accounts, whereas dismissing it only hides a possible compromise
    • Note: changes can take up to 24 hours to propagate across Microsoft systems

Step 2 – Check for Security Defaults in the Customer Tenant

  1. Go to the customer’s Microsoft Entra ID portal
  2. Navigate to Properties → Manage security defaults
  3. Turn off security defaults only if the customer does not intentionally rely on them, and only when a replacement Conditional Access policy is ready: security defaults and Conditional Access cannot be active at the same time, and turning the defaults off with nothing in their place removes MFA enforcement for every user in the tenant

For tighter control, replace security defaults with targeted Conditional Access policies (this requires Microsoft Entra ID P1 in the customer tenant). Start with a policy that requires MFA for all users, exclude a break-glass account, run it in report-only mode, and enforce it once the sign-in logs show the expected result.
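The two steps above, driven from Microsoft Graph PowerShell rather than the portal. This is an added example and not part of the original article or the Sync 365 product; it assumes the Microsoft.Graph module is installed, and the tenant IDs, the admin UPN and the break-glass object ID are placeholders to replace. It also shows the check a practitioner should do before clicking Dismiss user risk (looking at the risk detections and the sign-ins that failed with 530034) and creates the replacement Conditional Access policy in report-only mode right after security defaults are switched off.

```powershell
# Added example, not part of the original article: the two resolution steps
# driven from Microsoft Graph PowerShell. Assumes the Microsoft.Graph module is
# installed (Install-Module Microsoft.Graph). Tenant IDs, the UPN and the
# break-glass object ID are placeholders to replace.
$PartnerTenantId  = "00000000-0000-0000-0000-000000000001"   # placeholder
$CustomerTenantId = "00000000-0000-0000-0000-000000000002"   # placeholder
$AdminUpn         = "delegated.admin@partner.example"        # placeholder

# ---- Step 1: partner (home) tenant. Is the delegated admin flagged as risky? ----
Connect-MgGraph -TenantId $PartnerTenantId -Scopes @(
    "IdentityRiskyUser.ReadWrite.All", "IdentityRiskEvent.Read.All",
    "AuditLog.Read.All", "User.RevokeSessions.All")

# Confirm the symptom: recent sign-ins by this account that failed with 530034.
Get-MgAuditLogSignIn -Top 10 `
    -Filter "userPrincipalName eq '$AdminUpn' and status/errorCode eq 530034" |
    Select-Object CreatedDateTime, AppDisplayName, ResourceTenantId,
        @{ n = 'Reason'; e = { $_.Status.FailureReason } }

$risky = Get-MgRiskyUser -All | Where-Object { $_.UserPrincipalName -eq $AdminUpn }
if (-not $risky) {
    Write-Host "$AdminUpn is not listed as a risky user; continue with Step 2."
} else {
    Write-Host "$AdminUpn riskState=$($risky.RiskState) riskLevel=$($risky.RiskLevel)"

    # See what raised the risk before deciding whether it is a false positive.
    Get-MgRiskDetection -Filter "userId eq '$($risky.Id)'" |
        Select-Object DetectedDateTime, RiskEventType, RiskLevel, IpAddress,
            @{ n = 'City'; e = { $_.Location.City } }

    # Set to $true only after the detections above are explained (known egress IP,
    # expected travel). Dismissing a real compromise just removes the safety net.
    $detectionsAreBenign = $false
    if ($detectionsAreBenign) {
        Invoke-MgDismissRiskyUser -UserIds @($risky.Id)            # Dismiss user risk
    } else {
        Revoke-MgUserSignInSession -UserId $risky.Id | Out-Null    # invalidate refresh tokens
        Confirm-MgRiskyUserCompromised -UserIds @($risky.Id)       # keep the block in place
        # Then reset the password through your credential-reset process; a secure
        # password change is what remediates the user risk for cloud accounts.
    }
}
Disconnect-MgGraph | Out-Null

# ---- Step 2: customer tenant. Are security defaults doing the blocking? ----
Connect-MgGraph -TenantId $CustomerTenantId `
    -Scopes @("Policy.Read.All", "Policy.ReadWrite.ConditionalAccess")

$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security defaults enabled: $($sd.IsEnabled)"
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State

if ($sd.IsEnabled) {
    # Security defaults and Conditional Access cannot be active together, so the
    # defaults are switched off and replaced immediately. The replacement starts in
    # report-only mode with a break-glass exclusion; enable it after checking the
    # sign-in logs for the expected outcome.
    $BreakGlassId = "00000000-0000-0000-0000-0000000000ff"   # placeholder object ID
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false

    $policy = @{
        displayName   = "Require MFA for all users (replaces security defaults)"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users        = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
            applications = @{ includeApplications = @("All") }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object Id, DisplayName, State
}
Disconnect-MgGraph | Out-Null
```

Run the partner-tenant half as a Security Administrator in your own tenant and the customer-tenant half with a delegated role that can manage Conditional Access; the second half is skipped entirely when security defaults are already off, in which case the customer's existing policies (listed by Get-MgIdentityConditionalAccessPolicy) are the next thing to inspect.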

Related Articles

  • AADSTS50078 – MFA Expired Due to Admin Policy
    Error: AADSTS50078 – Presented MFA has expired due to policies configured by your administrator This error usually appears when a delegated admin account’s MFA configuration has changed — for example, when MFA was turned off, reset, or conditional ...
  • AADSTS53003 – Access Blocked by Conditional Access Policy
    Error: AADSTS53003 – Access has been blocked by Conditional Access policies. The policy does not allow token issuance. This error occurs when a Conditional Access policy in the customer tenant blocks access to the Sync 365 service principal or ...
  • AADSTS50076 – MFA Required Due to Location or Policy Change
    Error: AADSTS50076 – Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access This error is raised when Microsoft detects a change in MFA posture — such as an ...
  • AADSTS50173 – The provided grant has expired due to it being revoked
    Error: AADSTS50173 – The provided grant has expired due to it being revoked This error usually appears when a delegated admin account’s MFA configuration has changed — for example, when MFA was turned off, reset, or conditional access was newly ...
  • AADSTS700082 – Refresh Token Expired Due to Inactivity
    Error: AADSTS700082 – The refresh token has expired due to inactivity This typically occurs when the customer tenant has an MFA setting that allows "remember MFA for X days", which breaks token refresh after extended inactivity. Cause: The “remember ...