In attempt to retrieve Office 365 GRAPH API token for synchronization or script the following error appears:

Error: AADSTS53003: Blocked by conditional access.


Conditional Access feature is enabled for the end customer account in Azure Active Directory. Request #APSA-21007 for documentation improvment was submitted to our Developers.


  1. In order to resolve the issue, it is required to exclude users with Global Administrator role from the existing blocking rules:

    Conditional access in Azure Active Directory can be managed by the following way:

    Conditional Access - Policies > Policy1 > Users and Groups > Directory roles tick > Exclude or do not include "Global Administrator" role.

    Additional information regarding conditional access can be found by link .

    There is a feature request #APSA-20120 "Improve subscriptions management with revoked DAP" which is aimed to give customized access to customers with advanced security policies.

  2. In case of restriction policy for location is configured, it is required to generate token for the instance from the location where vendor's customers are placed. In other words, refresh token bound to location where it was generated.

Please use the aforementioned IDs to follow up status of the request with your Technical Account Manager

Internal content

Link on internal Article