Error: AADSTS53003 – Access has been blocked by Conditional Access policies. The policy does not allow token issuance.
This error occurs when a Conditional Access policy in the customer tenant blocks access to the Sync 365 service principal or delegated admin account.
Cause: The customer tenant has a policy that restricts access from external users or apps — including those used by Sync 365 — and hasn’t excluded the appropriate accounts or service principals.
Resolution
To fix the issue, adjust the Conditional Access policies in the customer tenant:
- Log in to the customer’s Microsoft Entra ID portal
- Go to Conditional Access → Policies
- In the Sign-in logs, identify the policy that is blocking access
- Edit the policy and make the following changes:
  - Exclude: the Sync 365 delegated admin account (under “Service provider users”)
  - Exclude: the Sync 365 License service principal (optional but recommended)
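
The sign-in log step can also be done offline against exported sign-in records. The script below is an added example, not part of the original article or of Sync 365. It assumes records shaped like the Microsoft Graph signIn resource, and every account, app and policy name in the sample is constructed.

```python
import json
from collections import defaultdict

AADSTS_BLOCKED_BY_CA = 53003  # numeric part of AADSTS53003

# Constructed sample records (not real tenant data). Field names follow the
# Microsoft Graph signIn resource; account, app and policy names are made up.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "dap-admin@partner.example", "appDisplayName": "Example Sync App",
  "status": {"errorCode": 53003},
  "appliedConditionalAccessPolicies": [
   {"id": "00000000-0000-0000-0000-0000000000a1", "displayName": "Block external users", "result": "failure"},
   {"id": "00000000-0000-0000-0000-0000000000b2", "displayName": "Require MFA for admins", "result": "notApplied"}]},
 {"userPrincipalName": "dap-admin@partner.example", "appDisplayName": "Example Sync App",
  "status": {"errorCode": 53003},
  "appliedConditionalAccessPolicies": [
   {"id": "00000000-0000-0000-0000-0000000000a1", "displayName": "Block external users", "result": "failure"},
   {"id": "00000000-0000-0000-0000-0000000000c3", "displayName": "Pilot: block legacy auth", "result": "reportOnlyFailure"}]},
 {"userPrincipalName": "alice@customer.example", "appDisplayName": "Example Portal",
  "status": {"errorCode": 0},
  "appliedConditionalAccessPolicies": [
   {"id": "00000000-0000-0000-0000-0000000000b2", "displayName": "Require MFA for admins", "result": "success"}]}
]""")


def blocking_policies(signins, error_code=AADSTS_BLOCKED_BY_CA):
    """Return {policy_id: details} for policies that failed a sign-in blocked with error_code."""
    found = defaultdict(lambda: {"displayName": None, "blocked": 0, "accounts": set(), "apps": set()})
    for rec in signins:
        if (rec.get("status") or {}).get("errorCode") != error_code:
            continue  # not a Conditional Access block
        for pol in rec.get("appliedConditionalAccessPolicies") or []:
            # Only an enforced "failure" blocks token issuance; report-only
            # results (reportOnlyFailure etc.) are logged but not enforced.
            if pol.get("result") != "failure":
                continue
            entry = found[pol.get("id")]
            entry["displayName"] = pol.get("displayName")
            entry["blocked"] += 1
            entry["accounts"].add(rec.get("userPrincipalName") or "unknown")
            entry["apps"].add(rec.get("appDisplayName") or "unknown")
    return {pid: {**e, "accounts": sorted(e["accounts"]), "apps": sorted(e["apps"])}
            for pid, e in found.items()}


if __name__ == "__main__":
    for pid, e in blocking_policies(SAMPLE_SIGNINS).items():
        print(f'{e["displayName"]} ({pid}): {e["blocked"]} blocked; accounts={e["accounts"]}; apps={e["apps"]}')
```

The accounts and apps listed for each policy show exactly which identities need an exclusion, which helps keep the exclusion scoped to those identities and not to all external users.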