AADSTS53003 – Access Blocked by Conditional Access Policy

Modified on Wed, 12 Nov at 10:53 PM

Error: AADSTS53003 – Access has been blocked by Conditional Access policies. The policy does not allow token issuance.

This error occurs when a Conditional Access policy in the customer tenant blocks access to the Sync 365 service principal or delegated admin account.


Cause: The customer tenant has a policy that restricts access from external users or apps — including those used by Sync 365 — and hasn’t excluded the appropriate accounts or service principals.

Resolution

To fix the issue, exclude the service provider (yourself) from ALL the Conditional Access policies in the customer tenant:

  1. Log in to the customer's Microsoft Entra ID portal.
  2. Go to Conditional Access → Policies.
  3. For each Conditional Access policy, add an exclusion under "Users and Groups":
    1. Select: Guest or external users > Service provider users > enter your partner tenant ID.
      1. Alternatively, you can exclude the specific account used by Sync 365 instead.
      2. Exclude: the Sync 365 delegated admin account (under "Service provider users").
    2. Save the policy.
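Walking every policy in the portal is error-prone in a tenant with many policies, so here is an added example (not part of this article or of Sync 365) that audits the same exclusion over Microsoft Graph and builds the corresponding update body. It assumes the Graph v1.0 `conditionalAccessPolicy` schema, where `conditions.users.excludeGuestsOrExternalUsers` carries `guestOrExternalUserTypes` (containing `serviceProvider`) and an enumerated `externalTenants` list of partner tenant IDs, and that the caller already holds an access token with the `Policy.ReadWrite.ConditionalAccess` permission. The tenant IDs and policy names in the sample data are constructed.

```python
"""Audit Conditional Access policies for a missing service-provider exclusion.

Added example, not from the Sync 365 article. Assumes the Microsoft Graph v1.0
conditionalAccessPolicy schema as described in the lead-in.
"""
import copy
import json
import urllib.request

GRAPH_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def _split_types(types_value):
    """guestOrExternalUserTypes is a comma-separated string in Graph responses."""
    return {t.strip() for t in (types_value or "").split(",") if t.strip()}


def excludes_partner(policy, partner_tenant_id):
    """True if the policy already excludes service provider users from partner_tenant_id."""
    users = (policy.get("conditions") or {}).get("users") or {}
    ext = users.get("excludeGuestsOrExternalUsers") or {}
    if "serviceProvider" not in _split_types(ext.get("guestOrExternalUserTypes")):
        return False
    tenants = ext.get("externalTenants") or {}
    if tenants.get("membershipKind") == "all":
        return True  # every external tenant's service provider users are excluded
    members = {m.lower() for m in (tenants.get("members") or [])}
    return partner_tenant_id.lower() in members


def policies_missing_exclusion(policies, partner_tenant_id):
    """Names of enabled policies that would still block the partner's service provider users."""
    return [p["displayName"] for p in policies
            if p.get("state") == "enabled" and not excludes_partner(p, partner_tenant_id)]


def build_exclusion_patch(policy, partner_tenant_id):
    """PATCH body adding partner_tenant_id as an excluded service provider tenant.

    The whole conditions block is echoed back (assumption: safer than patching a
    nested sub-property) so no other condition on the policy is altered.
    """
    conditions = copy.deepcopy(policy.get("conditions") or {})
    users = conditions.setdefault("users", {})
    ext = users.get("excludeGuestsOrExternalUsers") or {}
    types = _split_types(ext.get("guestOrExternalUserTypes"))
    types.add("serviceProvider")
    tenants = ext.get("externalTenants") or {}
    if tenants.get("membershipKind") == "all":
        # Keep an existing "all external tenants" exclusion rather than narrowing it.
        new_tenants = {"@odata.type": "#microsoft.graph.conditionalAccessAllExternalTenants",
                       "membershipKind": "all"}
    else:
        members = list(tenants.get("members") or [])
        if partner_tenant_id not in members:
            members.append(partner_tenant_id)
        new_tenants = {"@odata.type": "#microsoft.graph.conditionalAccessEnumeratedExternalTenants",
                       "membershipKind": "enumerated", "members": members}
    users["excludeGuestsOrExternalUsers"] = {
        "guestOrExternalUserTypes": ",".join(sorted(types)),
        "externalTenants": new_tenants,
    }
    return {"conditions": conditions}


def apply_patch(policy_id, body, access_token):
    """Send the update to Graph (requires Policy.ReadWrite.ConditionalAccess)."""
    req = urllib.request.Request(
        f"{GRAPH_POLICIES}/{policy_id}", method="PATCH",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status  # 204 on success


# Constructed sample of what GET /identity/conditionalAccess/policies returns.
PARTNER_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_POLICIES = [
    {"id": "p1", "displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}}},
    {"id": "p2", "displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGuestsOrExternalUsers": {
         "guestOrExternalUserTypes": "serviceProvider",
         "externalTenants": {"membershipKind": "enumerated", "members": [PARTNER_TENANT]}}}}},
    {"id": "p3", "displayName": "Old pilot policy", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"]}}},
]

if __name__ == "__main__":
    for name in policies_missing_exclusion(SAMPLE_POLICIES, PARTNER_TENANT):
        print("missing exclusion:", name)
    print(json.dumps(build_exclusion_patch(SAMPLE_POLICIES[0], PARTNER_TENANT), indent=2))
```

Run the audit first with a read-only token; only policies it reports need the PATCH, and the body it builds preserves every existing exclusion rather than overwriting it, which matters because a policy that already excludes a different partner tenant must keep that entry.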

More guidance:
