AADSTS530034 / AADSTS530032 – Delegated Admin Blocked Due to Risk
Error: AADSTS530034 / AADSTS530032 – Delegated administrator or user blocked due to risk
This error occurs when Microsoft flags the delegated admin account as a risky user, or when security defaults block access unexpectedly.
Cause: Risky user detection in your own partner tenant or default security settings in the customer tenant may block delegated access based on conditional access policies.
Resolution
Step 1 – Check for Risky User in Your Tenant
- Go to your own tenant’s Microsoft Entra ID (Azure AD)
- Navigate to Security → Risky users
- If your delegated admin account is listed:
- Select the account → click Dismiss user risk
- Note: changes can take up to 24 hours to propagate across Microsoft systems
Step 2 – Check for Security Defaults in the Customer Tenant
- Go to the customer’s Microsoft Entra ID portal
- Navigate to Properties → Manage security defaults
- Turn off security defaults if not intentionally used
For tighter control, replace security defaults with targeted Conditional Access Policies.
Related Articles
AADSTS50078 – MFA Expired Due to Admin Policy
Error: AADSTS50078 – Presented MFA has expired due to policies configured by your administrator This error usually appears when a delegated admin account’s MFA configuration has changed — for example, when MFA was turned off, reset, or conditional ...
AADSTS53003 – Access Blocked by Conditional Access Policy
Error: AADSTS53003 – Access has been blocked by Conditional Access policies. The policy does not allow token issuance. This error occurs when a Conditional Access policy in the customer tenant blocks access to the Sync 365 service principal or ...
AADSTS50076 – MFA Required Due to Location or Policy Change
Error: AADSTS50076 – Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access This error is raised when Microsoft detects a change in MFA posture — such as an ...
AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication
Error: AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access This can typically be caused by a conditional access policy in your ...
AADSTS50173 - The provided grant has expired due to it being revoked
Error: AADSTS50173 - The provided grant has expired due to it being revoked This error usually appears when a delegated admin account’s MFA configuration has changed — for example, when MFA was turned off, reset, or conditional access was newly ...