Symptoms
When attempting to retrieve an Office 365 Graph API token for synchronization or for the readCSPAccounts.py script, the following error appears:
Error: AADSTS53003: Blocked by conditional access.
Cause
The Conditional Access feature is enabled for the end customer account in Azure Active Directory. Request #APSA-21007 for documentation improvement was submitted to our Developers.
Resolution
To resolve the issue, exclude users with the Global Administrator role from the existing blocking rules. Conditional access in Azure Active Directory can be managed in the following way: Conditional Access - Policies > Policy1 > Users and Groups > Directory roles tick > Exclude or do not include the "Global Administrator" role.
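The following Python example (added here, not part of the original article) checks which Conditional Access policies would still block a Global Administrator, which is the condition the resolution above removes. It works on a constructed sample shaped like the response of the Microsoft Graph endpoint GET /identity/conditionalAccess/policies; the role template ID used for Global Administrator is a well-known Azure AD value and is an assumption of this example, not a value from the article. Only role-based exclusions are evaluated; exclusions of individual users or groups are ignored.

```python
import json
from typing import List

# Well-known Azure AD role template ID for Global Administrator.
# Assumed for this example; the article itself does not list it.
GLOBAL_ADMIN_ROLE_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Constructed sample resembling GET /identity/conditionalAccess/policies output.
SAMPLE_POLICIES_JSON = """
{
  "value": [
    {
      "displayName": "Policy1",
      "state": "enabled",
      "conditions": {"users": {"includeUsers": ["All"], "includeRoles": [], "excludeRoles": []}},
      "grantControls": {"operator": "OR", "builtInControls": ["block"]}
    },
    {
      "displayName": "Policy2",
      "state": "enabled",
      "conditions": {"users": {"includeUsers": ["All"], "includeRoles": [],
                               "excludeRoles": ["62e90394-69f5-4237-9190-012177145e10"]}},
      "grantControls": {"operator": "OR", "builtInControls": ["block"]}
    },
    {
      "displayName": "Policy3",
      "state": "enabledForReportingButNotEnforced",
      "conditions": {"users": {"includeUsers": ["All"], "includeRoles": [], "excludeRoles": []}},
      "grantControls": {"operator": "OR", "builtInControls": ["block"]}
    },
    {
      "displayName": "Policy4",
      "state": "enabled",
      "conditions": {"users": {"includeUsers": ["All"], "includeRoles": [], "excludeRoles": []}},
      "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}
    }
  ]
}
"""


def policy_blocks_global_admin(policy: dict) -> bool:
    """Return True if an enforced policy with a 'block' grant control still
    applies to the Global Administrator role (role not excluded)."""
    # Report-only or disabled policies do not produce AADSTS53003.
    if policy.get("state") != "enabled":
        return False
    grant = policy.get("grantControls") or {}
    if "block" not in (grant.get("builtInControls") or []):
        return False
    users = (policy.get("conditions") or {}).get("users") or {}
    include_users = users.get("includeUsers") or []
    include_roles = users.get("includeRoles") or []
    exclude_roles = users.get("excludeRoles") or []
    # Global Administrators are in scope if the policy targets all users
    # or names the role explicitly ("do not include" in the article's terms).
    in_scope = "All" in include_users or GLOBAL_ADMIN_ROLE_TEMPLATE_ID in include_roles
    # The article's fix: the role is listed under excluded directory roles.
    excluded = GLOBAL_ADMIN_ROLE_TEMPLATE_ID in exclude_roles
    return in_scope and not excluded


def find_offending_policies(policies_json: str) -> List[str]:
    """Return the display names of policies that would still block a Global Administrator."""
    doc = json.loads(policies_json)
    return [p["displayName"] for p in doc.get("value", []) if policy_blocks_global_admin(p)]


if __name__ == "__main__":
    for name in find_offending_policies(SAMPLE_POLICIES_JSON):
        print(f"Policy still blocks Global Administrator: {name}")
```

In the sample, only Policy1 is reported: Policy2 excludes the role, Policy3 is report-only, and Policy4 requires MFA rather than blocking. Against a live tenant, replace SAMPLE_POLICIES_JSON with the body returned by the Graph endpoint named in the lead-in.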
Additional information regarding Conditional Access can be found by link.
There is a feature request #APSA-20120 "Improve subscriptions management with revoked DAP", which is aimed at giving customized access to customers with advanced security policies.
- If a location-based restriction policy is configured, the token for the instance must be generated from the location where the vendor's customers are placed. In other words, the refresh token is bound to the location where it was generated.
Please use the aforementioned IDs to follow up on the status of the requests with your Technical Account Manager.