AADSTS53003 – Access Blocked by Conditional Access Policy

Modified on Mon, 14 Apr at 12:16 AM

Error: AADSTS53003 – Access has been blocked by Conditional Access policies. The policy does not allow token issuance.

This error occurs when a Conditional Access policy in the customer tenant blocks access to the Sync 365 service principal or delegated admin account.


Cause: The customer tenant has a policy that restricts access from external users or apps — including those used by Sync 365 — and hasn’t excluded the appropriate accounts or service principals.

Resolution

To fix the issue, adjust the Conditional Access policies in the customer tenant:

  1. Log in to the customer’s Microsoft Entra ID portal
  2. Go to Conditional Access → Policies
  3. In the Sign-in logs, identify the policy that is blocking access
  4. Edit the policy and make the following changes:
    • Exclude: the Sync 365 delegated admin account (under “Service provider users”)
    • Exclude: the Sync 365 License service principal (optional but recommended)
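
For step 3, the same check can be run over exported sign-in logs. The script below is an added example, not part of the original article or Sync 365 tooling: it lists the enforced policies behind AADSTS53003 failures. Field names follow the Microsoft Graph signIn resource; the sample records, account names and policy names are constructed.

```python
from collections import defaultdict

AADSTS_CA_BLOCK = 53003  # error code from the article

# Constructed sample sign-in records. Field names follow the Microsoft Graph
# signIn resource; accounts and policy names are hypothetical.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "delegated.admin@partner.example",
     "appDisplayName": "Sync 365",
     "status": {"errorCode": 53003},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block external users", "result": "failure"},
         {"displayName": "Require MFA for admins", "result": "notApplied"},
         {"displayName": "Pilot: block legacy auth", "result": "reportOnlyFailure"}]},
    {"userPrincipalName": "delegated.admin@partner.example",
     "appDisplayName": "Sync 365",
     "status": {"errorCode": 53003},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block external users", "result": "failure"}]},
    {"userPrincipalName": "user@customer.example",
     "appDisplayName": "Office 365",
     "status": {"errorCode": 0},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for admins", "result": "success"}]},
]


def blocking_policies(signins):
    """Map each enforced policy that caused an AADSTS53003 block to the
    accounts it blocked and the number of blocked sign-ins."""
    hits = defaultdict(lambda: {"accounts": set(), "count": 0})
    for record in signins:
        if record.get("status", {}).get("errorCode") != AADSTS_CA_BLOCK:
            continue
        for policy in record.get("appliedConditionalAccessPolicies", []):
            # "failure" means an enforced policy denied the sign-in;
            # report-only results (reportOnlyFailure) never block a token.
            if policy.get("result") == "failure":
                entry = hits[policy["displayName"]]
                entry["accounts"].add(record.get("userPrincipalName", "unknown"))
                entry["count"] += 1
    return {name: {"accounts": sorted(e["accounts"]), "count": e["count"]}
            for name, e in hits.items()}


if __name__ == "__main__":
    for name, info in blocking_policies(SAMPLE_SIGNINS).items():
        print(f"{name}: {info['count']} blocked sign-in(s) for {info['accounts']}")
```

The policy names it returns are the ones to open in step 4; policies that only appear with a report-only result are not the cause of the block.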
