
Article ID: 133813, created on Mar 7, 2019, last review on Apr 18, 2019

  • Applies to:
  • Operations Automation 8.0
  • Operations Automation 7.2
  • Operations Automation 7.3
  • Operations Automation 7.4

Symptoms

When attempting to retrieve an Office 365 Graph API token for synchronization or for the readCSPAccounts.py script, the following error appears:

Error: AADSTS53003: Blocked by conditional access.

Cause

The Conditional Access feature is enabled for the end customer account in Azure Active Directory. Request #APSA-21007 for a documentation improvement was submitted to our Developers.

Resolution

  1. To resolve the issue, exclude users holding the Global Administrator role from the existing blocking rules:

    Conditional Access in Azure Active Directory can be managed in the following way:

    Conditional Access - Policies > Policy1 > Users and Groups > Directory roles tick > Exclude or do not include the "Global Administrator" role.

    Additional information regarding Conditional Access can be found by link.

    There is a feature request #APSA-20120 "Improve subscriptions management with revoked DAP" which is aimed at giving customized access to customers with advanced security policies.

  2. If a location-based restriction policy is configured, the token for the instance must be generated from the location where the vendor's customers are placed. In other words, the refresh token is bound to the location where it was generated.
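The two steps above describe a manual check in the Azure portal. The following script is an added example, not part of this article or of Operations Automation, that performs the same audit over Conditional Access policy objects shaped like the Microsoft Graph `conditionalAccessPolicy` resource (`state`, `conditions.users`, `conditions.locations`, `grantControls.builtInControls`): it lists enabled policies with a Block control that still apply to the Global Administrator role (step 1) and enabled policies scoped by location, which would bind a refresh token to the place it was generated (step 2). The policy list is constructed for illustration; in practice it would be fetched from the Graph API. The role template ID used for Global Administrator is the well-known Azure AD value.

```python
"""Audit Conditional Access policies that can cause AADSTS53003 for the token request.

Added example, not from the original article. Policy objects are assumed to follow
the Microsoft Graph `conditionalAccessPolicy` shape; the sample policies are constructed.
"""

# Well-known roleTemplateId of the Global Administrator directory role in Azure AD.
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Constructed sample policies, shaped like Graph API conditionalAccessPolicy objects.
SAMPLE_POLICIES = [
    {   # Blocks everyone, Global Administrator not excluded: this one breaks the token request.
        "displayName": "Policy1 - block legacy clients",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [],
                      "includeRoles": [], "excludeRoles": []},
            "locations": None,
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # Location-bound block, but Global Administrator is excluded as step 1 requires.
        "displayName": "Policy2 - block outside HQ",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [],
                      "includeRoles": [], "excludeRoles": [GLOBAL_ADMIN_ROLE_ID]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # Report-only policies are not enforced and cannot produce AADSTS53003.
        "displayName": "Policy3 - report only",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [],
                      "includeRoles": [], "excludeRoles": []},
            "locations": None,
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # Targets Global Administrator but requires MFA rather than blocking.
        "displayName": "Policy4 - require MFA for admins",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": [], "excludeUsers": [],
                      "includeRoles": [GLOBAL_ADMIN_ROLE_ID], "excludeRoles": []},
            "locations": None,
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]


def targets_global_admin(policy):
    """True if the policy's user scope still covers the Global Administrator role."""
    users = (policy.get("conditions") or {}).get("users") or {}
    if GLOBAL_ADMIN_ROLE_ID in (users.get("excludeRoles") or []):
        return False  # the exclusion from step 1 is in place
    include_all = "All" in (users.get("includeUsers") or [])
    include_role = GLOBAL_ADMIN_ROLE_ID in (users.get("includeRoles") or [])
    return include_all or include_role


def is_location_scoped(policy):
    """True if the policy has any named-location condition (step 2 case)."""
    locations = (policy.get("conditions") or {}).get("locations") or {}
    return bool(locations.get("includeLocations") or locations.get("excludeLocations"))


def blocking_policies_for_global_admin(policies):
    """Names of enforced policies with a Block control that apply to Global Administrator."""
    hits = []
    for policy in policies:
        if policy.get("state") != "enabled":
            continue
        controls = (policy.get("grantControls") or {}).get("builtInControls") or []
        if "block" in controls and targets_global_admin(policy):
            hits.append(policy["displayName"])
    return hits


def location_scoped_policies(policies):
    """Names of enforced policies whose conditions depend on location."""
    return [p["displayName"] for p in policies
            if p.get("state") == "enabled" and is_location_scoped(p)]


if __name__ == "__main__":
    print("Blocking policies still applied to Global Administrator:",
          blocking_policies_for_global_admin(SAMPLE_POLICIES))
    print("Location-scoped policies (token must be generated in-region):",
          location_scoped_policies(SAMPLE_POLICIES))
```

Run against the sample, only Policy1 is reported for step 1 (Policy2 already excludes the role, Policy3 is report-only, Policy4 requires MFA rather than blocking), and only Policy2 is reported for step 2. Replacing SAMPLE_POLICIES with the output of the Graph `identity/conditionalAccess/policies` endpoint turns this into a pre-check to run before troubleshooting the synchronization token.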

Please use the aforementioned IDs to follow up on the status of the request with your Technical Account Manager.

