Why you might see error AADSTS53003: Access blocked by Conditional Access policies

When using our app you may occasionally see an error that looks like this:

AADSTS53003: Access has been blocked by Conditional Access policies.
The access policy does not allow token issuance.
2025-08-25 11:29:20Z UTC

This error does not come from our app; it is returned directly by Microsoft Entra ID (formerly Azure AD).
It means that a Conditional Access (CA) policy in your organization is preventing Microsoft from issuing a new access token. This usually happens during token refresh, when our app silently requests a new token in the background without any user interaction.

Common causes

Conditional Access policies are defined by your IT administrators. Typical rules that can block token refresh include:

  • Location restrictions (only certain IP ranges/regions are allowed)
  • Device requirements (e.g. only compliant or domain-joined devices)
  • Session controls such as sign-in frequency (forcing re-authentication)
  • Token protection or advanced security settings

How to resolve this in Microsoft Entra ID

If re-signing into the app does not resolve the issue, your Microsoft Entra administrator will need to review and possibly adjust the Conditional Access policies.

Step 1 – Open the sign-in logs

  1. Go to the Azure Portal: https://portal.azure.com
  2. Navigate to Microsoft Entra ID → Sign-in logs
  3. Switch to the Non-interactive / Token issuance tab (these logs show background requests like token refresh)

Step 2 – Find the blocked request

  • Use the Timestamp from the error message (shown in UTC).
  • Filter the sign-in log by that time to locate the failed request.
  • Open the details of the event.

Step 3 – Identify the blocking policy

  • In the event details, look under Conditional Access.
  • You’ll see a list of applied policies and whether they resulted in “grant” or “block”.
  • Note down the specific policy that blocked the request.

Step 4 – Adjust the policy

Depending on the policy type, your admin may:

  • Exclude the app/service account from the specific policy (best practice: create a security group for “service apps” and exclude it)
  • Allow trusted locations (e.g. if the refresh comes from a cloud service outside your corporate IP range, add that range as a “Named location”)
  • Relax session/sign-in frequency controls if refresh tokens are expiring too quickly
  • Remove device compliance requirements for this app, since server-side apps usually don’t run on Intune-compliant devices

Step 5 – Test again

  • After changes are applied, sign in again and check if the error persists.
  • If it does, repeat the steps with the new Timestamp to see if another policy is blocking access.
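Steps 2, 3 and 5 can also be done against an exported copy of the sign-in log rather than by clicking through the portal. The script below is an added example and is not part of this article or of our app: it takes the JSON error body returned by the token endpoint, pulls out the error code and timestamp, finds the sign-in event with error code 53003 nearest that timestamp, and lists the applied Conditional Access policies whose result was a block. Both the token error body and the sign-in log are constructed samples; their field names follow the OAuth2 token-endpoint error format and the Microsoft Graph signIn resource as exported from Entra ID, but every value (app, user, policy names, times) is made up for the example.

```python
"""Correlate an AADSTS53003 token error with an Entra ID sign-in log export.

Added example, not part of the original article. All sample data below is
constructed; field names follow the token endpoint error body and the
Microsoft Graph signIn resource, but no value is real.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: JSON body the token endpoint returns on a blocked silent refresh.
TOKEN_ERROR_RESPONSE = json.dumps({
    "error": "interaction_required",
    "error_description": (
        "AADSTS53003: Access has been blocked by Conditional Access policies. "
        "The access policy does not allow token issuance."
    ),
    "error_codes": [53003],
    "timestamp": "2025-08-25 11:29:20Z",
})

# Constructed sample: sign-in log export. The second event is the
# non-interactive refresh that Conditional Access blocked.
SIGN_IN_LOG = [
    {
        "createdDateTime": "2025-08-25T08:02:11.5120000Z",
        "appDisplayName": "Example App", "userPrincipalName": "user@example.com",
        "isInteractive": True, "status": {"errorCode": 0},
        "conditionalAccessStatus": "success",
        "appliedConditionalAccessPolicies": [
            {"displayName": "MFA for all users", "result": "success"},
        ],
    },
    {
        "createdDateTime": "2025-08-25T11:29:20.8431234Z",
        "appDisplayName": "Example App", "userPrincipalName": "user@example.com",
        "isInteractive": False, "status": {"errorCode": 53003},
        "conditionalAccessStatus": "failure",
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require compliant device", "result": "failure"},
            {"displayName": "MFA for all users", "result": "success"},
            {"displayName": "Block legacy authentication", "result": "notApplied"},
        ],
    },
    {
        "createdDateTime": "2025-08-25T11:45:03.0000000Z",
        "appDisplayName": "Other App", "userPrincipalName": "other@example.com",
        "isInteractive": True, "status": {"errorCode": 50126},
        "conditionalAccessStatus": "notApplied",
        "appliedConditionalAccessPolicies": [],
    },
]

_ISO_PREFIX = re.compile(r"^(\d{4}-\d{2}-\d{2})[T ](\d{2}:\d{2}:\d{2})")


def parse_utc(value):
    """Parse '2025-08-25 11:29:20Z', '... 11:29:20Z UTC' or '2025-08-25T11:29:20.8431234Z'.

    Fractional seconds and the trailing 'Z'/'UTC' markers are dropped: every
    timestamp involved is already UTC, and the log is matched to the second.
    """
    m = _ISO_PREFIX.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    stamp = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%Y-%m-%d %H:%M:%S")
    return stamp.replace(tzinfo=timezone.utc)


def parse_token_error(body):
    """Extract the AADSTS error codes and the timestamp from a token endpoint error body."""
    data = json.loads(body)
    return {
        "error": data.get("error"),
        "error_codes": list(data.get("error_codes", [])),
        "timestamp": parse_utc(data["timestamp"]),
    }


def find_blocked_sign_in(sign_ins, when, error_code=53003, window=timedelta(seconds=60)):
    """Step 2: the sign-in event carrying error_code that is closest to the error timestamp."""
    def distance(event):
        return abs(parse_utc(event["createdDateTime"]) - when)
    candidates = [
        s for s in sign_ins
        if s.get("status", {}).get("errorCode") == error_code and distance(s) <= window
    ]
    return min(candidates, key=distance) if candidates else None


def blocking_policies(sign_in):
    """Step 3: names of applied Conditional Access policies whose result was a block ('failure')."""
    return [p["displayName"] for p in sign_in.get("appliedConditionalAccessPolicies", [])
            if p.get("result") == "failure"]


def diagnose(token_error_body, sign_ins):
    """Run Steps 2 and 3 end to end; returns what the admin needs to note down."""
    err = parse_token_error(token_error_body)
    event = None
    if 53003 in err["error_codes"]:
        event = find_blocked_sign_in(sign_ins, err["timestamp"])
    if event is None:
        return {"error_codes": err["error_codes"], "matched": False, "blocking_policies": []}
    return {
        "error_codes": err["error_codes"], "matched": True,
        "app": event.get("appDisplayName"), "user": event.get("userPrincipalName"),
        "interactive": event.get("isInteractive"),
        "blocking_policies": blocking_policies(event),
    }


if __name__ == "__main__":
    print(json.dumps(diagnose(TOKEN_ERROR_RESPONSE, SIGN_IN_LOG), indent=2))
```

For the Step 5 re-check, run `diagnose` again with the new error body and a fresh export: if a different policy name appears under `blocking_policies`, that is the next policy to review. The 60-second matching window is an assumption; widen it if the log export and the error message disagree on clock precision.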

Summary

Error AADSTS53003 is a security policy decision inside your Microsoft tenant. To resolve it, your IT team must review the sign-in logs in Entra ID, identify the blocking Conditional Access policy, and adjust it so that our app is allowed to refresh tokens.

If you need help, please contact us.