Users signing in to Microsoft 365 or Azure services may see "Your sign-in was successful but does not meet the criteria to access this resource" or error code AADSTS53003. Authentication succeeds, but Conditional Access policies block access to the application or resource.
Resolution
Method 1: Identify the Blocking Policy
Open the Microsoft Entra admin center and go to Monitoring & health > Sign-in logs. Filter by the affected user and date range, open the failed sign-in, and select the Conditional Access tab. Every policy whose Result is "Failure" contributed to the block; its Grant controls column shows which requirement was not met (Block access, Require compliant device, Require hybrid Azure AD joined device, Require approved client app, and so on), and that tells you which of the sections below applies. Policies whose Result is "Report-only failure" are not enforced and are not the cause.
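The same check scripted with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original article. It assumes the SDK is installed, that Connect-MgGraph has been run with the AuditLog.Read.All and Directory.Read.All scopes, that status/errorCode is filterable on the sign-ins endpoint, and that user@contoso.com is a placeholder. Run it with -ErrorCode 0 after a fix to reuse it for the Verification section at the end: an empty result means no enforced policy failed.

```powershell
# Added example (not from the original article): list the Conditional Access policies that
# evaluated to "failure" on a user's recent sign-ins, with the grant controls that were not met.
# Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

function Get-FailedCaPolicies {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [int]$ErrorCode = 53003,   # 0 = do not filter on error code (use this when verifying a fix)
        [int]$Top = 25
    )
    # Assumption: status/errorCode is accepted in $filter on /auditLogs/signIns.
    $filter = "userPrincipalName eq '$UserPrincipalName'"
    if ($ErrorCode -ne 0) { $filter += " and status/errorCode eq $ErrorCode" }

    foreach ($signIn in (Get-MgAuditLogSignIn -Filter $filter -Top $Top)) {
        foreach ($policy in $signIn.AppliedConditionalAccessPolicies) {
            # Only "failure" blocks the request. "reportOnlyFailure" is a report-only policy,
            # "notApplied" means the policy was out of scope for this sign-in.
            if ($policy.Result -ne 'failure') { continue }
            [pscustomobject]@{
                Time      = $signIn.CreatedDateTime
                App       = $signIn.AppDisplayName
                IPAddress = $signIn.IPAddress
                Policy    = $policy.DisplayName
                PolicyId  = $policy.Id
                Grants    = ($policy.EnforcedGrantControls -join ', ')
                Sessions  = ($policy.EnforcedSessionControls -join ', ')
                ErrorCode = $signIn.Status.ErrorCode
            }
        }
    }
}

# user@contoso.com is a placeholder; replace with the affected account.
Get-FailedCaPolicies -UserPrincipalName 'user@contoso.com' | Format-Table -AutoSize
```

The Grants column names the unmet control for each failing policy, and the PolicyId is what you need if you script the exclusion in the next step instead of clicking through the portal. The IPAddress column is also the value to compare against named locations later in this article.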
After identifying the policy, go to Security > Conditional Access and open it. Review the Assignments (users, groups, roles, target resources and conditions) to confirm the user is meant to be in scope. Before excluding anyone, check whether the grant requirement itself can be met with the device, client app and location fixes below: an exclusion removes the control for that user entirely, so keep the exclusion group small, document why each member is in it, and review its membership regularly. If the user genuinely should not be subject to the policy, exclude them:
1. Create a security group like "CA-Policy-Exclusions".
2. Add the affected users to this group.
3. In the policy, go to Assignments > Users and groups > Exclude.
4. Select the exclusion group and save.
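Steps 1 to 4 scripted with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original article. It assumes Connect-MgGraph has been run with Group.ReadWrite.All, User.Read.All, Policy.Read.All and Policy.ReadWrite.ConditionalAccess, that the policy ID comes from the sign-in log, and that sending the complete users object (rather than only excludeGroups) is the safe way to update the policy; the function reads the policy back so you can confirm nothing else in the user scope was lost.

```powershell
# Added example (not from the original article): create or reuse an exclusion group, add the
# user, and add the group to one policy's excludeGroups while preserving the rest of the scope.
# Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All", "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

function Add-CaPolicyExclusion {
    param(
        [Parameter(Mandatory)][string]$PolicyId,           # from the sign-in log's Conditional Access tab
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [string]$GroupName = 'CA-Policy-Exclusions'
    )
    # Step 1: reuse the group if it exists, otherwise create a plain security group.
    $group = Get-MgGroup -Filter "displayName eq '$GroupName'" | Select-Object -First 1
    if (-not $group) {
        $group = New-MgGroup -DisplayName $GroupName -SecurityEnabled -MailEnabled:$false `
                             -MailNickname ($GroupName -replace '[^A-Za-z0-9]', '')
    }

    # Step 2: add the user if not already a member.
    $user = Get-MgUser -UserId $UserPrincipalName
    $memberIds = @(Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object { $_.Id })
    if ($memberIds -notcontains $user.Id) {
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
    }

    # Steps 3 and 4: rebuild the users condition with the group appended to excludeGroups.
    # Assumption: sending the whole users object avoids dropping existing include/exclude entries.
    $policy  = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId
    $u       = $policy.Conditions.Users
    $exclude = @(@($u.ExcludeGroups | Where-Object { $_ }) + $group.Id | Select-Object -Unique)
    $users = @{
        includeUsers  = @($u.IncludeUsers)
        excludeUsers  = @($u.ExcludeUsers)
        includeGroups = @($u.IncludeGroups)
        excludeGroups = $exclude
        includeRoles  = @($u.IncludeRoles)
        excludeRoles  = @($u.ExcludeRoles)
    }
    # Guest/external-user scoping is carried over as-is when the policy uses it.
    if ($u.IncludeGuestsOrExternalUsers.GuestOrExternalUserTypes) { $users.includeGuestsOrExternalUsers = $u.IncludeGuestsOrExternalUsers }
    if ($u.ExcludeGuestsOrExternalUsers.GuestOrExternalUserTypes) { $users.excludeGuestsOrExternalUsers = $u.ExcludeGuestsOrExternalUsers }

    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId -Conditions @{ users = $users }

    # Read back and show the resulting scope so the change can be checked before the user retries.
    (Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId).Conditions.Users
}

# Placeholders: replace the policy ID and UPN with the values from the sign-in log.
Add-CaPolicyExclusion -PolicyId '00000000-0000-0000-0000-000000000000' -UserPrincipalName 'user@contoso.com'
```

Compare the returned ExcludeGroups with what the portal shows, and keep the exclusion group under the same review as any other privileged group: every member is effectively outside this control.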
If That Doesn't Work: Resolve Device Compliance Issues
If the sign-in logs show "Require device to be marked as compliant" or error AADSTS53000, the device is not enrolled in Intune (or is enrolled in a different tenant), has not yet synced and reported its compliance state, or fails a compliance rule.
For end users: Install the Company Portal app, sign in with work credentials, and enroll the device. Wait 15-30 minutes for compliance policies to apply.
For admins, check device compliance status:
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"
Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq 'user@contoso.com'" | Select-Object deviceName, operatingSystem, complianceState, lastSyncDateTime
A device that is listed but has an old lastSyncDateTime is stale rather than failing a rule; have the user sync from Company Portal first. A device that is missing entirely is not enrolled. Otherwise, review Intune compliance policies to ensure requirements are correct and attainable.
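To see which compliance setting a non-compliant device is actually failing, the following is an added example that is not part of the original article. It assumes the Microsoft Graph PowerShell SDK with the DeviceManagementManagedDevices.Read.All scope, that Get-MgDeviceManagementManagedDeviceCompliancePolicyState is the SDK cmdlet for the managed device's deviceCompliancePolicyStates relationship, and that user@contoso.com is a placeholder.

```powershell
# Added example (not from the original article): per-device summary plus the individual
# compliance policy settings that are non-compliant, in error, or in conflict.
# Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"

function Get-DeviceComplianceDetail {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $devices = Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$UserPrincipalName'"
    if (-not $devices) { Write-Warning "No Intune-enrolled device for $UserPrincipalName"; return }

    foreach ($d in $devices) {
        # Device-level view: an old LastSync usually means a stale device, not a failing rule.
        [pscustomobject]@{
            Device     = $d.DeviceName
            OS         = "$($d.OperatingSystem) $($d.OsVersion)"
            Compliance = $d.ComplianceState        # compliant, noncompliant, inGracePeriod, error, ...
            LastSync   = $d.LastSyncDateTime
            Enrolled   = $d.EnrolledDateTime
        } | Format-List

        if ($d.ComplianceState -eq 'compliant') { continue }

        # Assumption: this cmdlet wraps /deviceManagement/managedDevices/{id}/deviceCompliancePolicyStates.
        Get-MgDeviceManagementManagedDeviceCompliancePolicyState -ManagedDeviceId $d.Id | ForEach-Object {
            $policyName = $_.DisplayName
            $_.SettingStates | Where-Object { $_.State -in 'nonCompliant', 'error', 'conflict' } | ForEach-Object {
                [pscustomobject]@{
                    Policy  = $policyName
                    Setting = $_.Setting
                    State   = $_.State
                    Value   = $_.CurrentValue
                }
            }
        } | Format-Table -AutoSize
    }
}

Get-DeviceComplianceDetail -UserPrincipalName 'user@contoso.com'
```

The Setting column is what to compare against the compliance policy: a requirement like a minimum OS version that the device's OS cannot reach is "correct but unattainable", and the fix is the policy, not the device.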
If That Doesn't Work: Check Hybrid Azure AD Join
Error AADSTS53001 means the policy's grant control is "Require hybrid Azure AD joined device". On the affected device, signed in as the affected user (the command does not need elevation, and its SSO section reflects the user running it), open a command prompt and run:
dsregcmd /status
Look for AzureAdJoined : YES and DomainJoined : YES in the Device State section, and AzureAdPrt : YES in the SSO State section. Conditional Access learns the join state from the device claim in the user's Primary Refresh Token, so a hybrid-joined device whose user has no PRT still fails this grant. If AzureAdJoined or DomainJoined is NO, the device needs hybrid join configured via Azure AD Connect and Group Policy. If only AzureAdPrt is NO, have the user sign out and back in on a network path that can reach Azure AD, then check again.
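A small parser for the dsregcmd output, as an added example that is not part of the original article, so the three lines that matter can be checked in one call across a fleet (for example from a remote PowerShell session). It assumes the "Key : Value" line layout of dsregcmd /status; the sample lines at the bottom are constructed for an offline run.

```powershell
# Added example (not from the original article): collect dsregcmd /status into a hashtable and
# report the join and PRT state that device-based Conditional Access depends on.
function Get-DsregJoinState {
    param([string[]]$StatusText)      # omit to run dsregcmd on this machine

    if (-not $StatusText) { $StatusText = dsregcmd /status }

    # Status lines look like "             AzureAdJoined : YES"; section headers have no colon and are skipped.
    $state = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }

    $hybrid = ($state['AzureAdJoined'] -eq 'YES') -and ($state['DomainJoined'] -eq 'YES')
    [pscustomobject]@{
        AzureAdJoined = $state['AzureAdJoined']
        DomainJoined  = $state['DomainJoined']
        AzureAdPrt    = $state['AzureAdPrt']      # per-user: run as the affected user, not a different admin
        TenantId      = $state['TenantId']
        DeviceId      = $state['DeviceId']
        HybridJoined  = $hybrid
        HasPrt        = ($state['AzureAdPrt'] -eq 'YES')
        ReadyForCA    = $hybrid -and ($state['AzureAdPrt'] -eq 'YES')
    }
}

# Live check on the device:
# Get-DsregJoinState

# Constructed sample (not real output): a hybrid-joined device whose user has no PRT.
$sample = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '                DomainName : CONTOSO',
    '| SSO State                                                            |',
    '                AzureAdPrt : NO'
)
Get-DsregJoinState -StatusText $sample
```

ReadyForCA is the combined condition this grant control needs. The DeviceId value is also what to look for under Devices > All devices in the Entra admin center; a device that is joined locally but absent there has not completed registration.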
If That Doesn't Work: Review Approved Client App Requirements
Errors AADSTS53002 or AADSTS53009 indicate the policy requires approved client apps or app protection policies. Sign-ins from browsers, legacy protocols, or unapproved third-party apps will be blocked.
Solution: Use approved Microsoft apps (Outlook mobile, Edge with a work profile) for the affected resource. If the requirement is not intended for these users or this application, exclude them from the policy rather than removing the "Require approved client app" grant control, since removing it lifts the requirement for everyone in the policy's scope.
If That Doesn't Work: Check Named Location Configuration
If users are connecting from new IP addresses, location-based policies may block them. Check Security > Conditional Access > Named locations and verify:
- Corporate IP ranges are correctly defined as trusted locations.
- VPN or proxy egress IPs are included. The IP address field in the sign-in log is what Entra actually saw; with a split-tunnel VPN the sign-in arrives from the user's local address, not the corporate range.
- Country/region restrictions are not blocking legitimate access.
Add missing IP ranges as trusted named locations and update the relevant policies.
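To check whether the address from the sign-in log falls inside any defined named location, and whether that location is trusted, the following is an added example that is not part of the original article. It assumes the Microsoft Graph PowerShell SDK with the Policy.Read.All scope, that IP named locations expose isTrusted and ipRanges through the SDK's AdditionalProperties dictionary, and it handles IPv4 CIDR ranges only. The locations at the bottom are constructed sample data shaped like the SDK output, so the block runs offline.

```powershell
# Added example (not from the original article): match an IPv4 address against Conditional
# Access named locations and report the trusted flag of each match.
# Connect-MgGraph -Scopes "Policy.Read.All"

function Test-IPv4InCidr {
    param([Parameter(Mandatory)][string]$IPAddress, [Parameter(Mandatory)][string]$Cidr)
    $net, $bits = $Cidr -split '/'
    $ipBytes  = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    if ($ipBytes.Length -ne 4 -or $netBytes.Length -ne 4) { return $false }    # IPv4 only
    [Array]::Reverse($ipBytes); [Array]::Reverse($netBytes)                     # to little-endian for ToUInt32
    $ip   = [BitConverter]::ToUInt32($ipBytes, 0)
    $nw   = [BitConverter]::ToUInt32($netBytes, 0)
    $mask = [uint32](([uint64]0xFFFFFFFF -shl (32 - [int]$bits)) -band [uint64]0xFFFFFFFF)
    return (($ip -band $mask) -eq ($nw -band $mask))
}

function Find-NamedLocationsForIP {
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)]$NamedLocations       # output of Get-MgIdentityConditionalAccessNamedLocation
    )
    foreach ($loc in $NamedLocations) {
        $props = $loc.AdditionalProperties
        # Country/region locations have no IP ranges; only ipNamedLocation entries are matched here.
        if ($props['@odata.type'] -ne '#microsoft.graph.ipNamedLocation') { continue }
        foreach ($range in $props['ipRanges']) {
            $cidr = $range['cidrAddress']                 # assumption: nested ranges are dictionaries
            if ($cidr -match ':') { continue }            # IPv6 ranges are skipped by this example
            if (Test-IPv4InCidr -IPAddress $IPAddress -Cidr $cidr) {
                [pscustomobject]@{ Location = $loc.DisplayName; Range = $cidr; Trusted = [bool]$props['isTrusted'] }
            }
        }
    }
}

# Live data: $locations = Get-MgIdentityConditionalAccessNamedLocation
# Constructed sample shaped like the SDK objects (documentation ranges, not real addresses):
$locations = @(
    [pscustomobject]@{ DisplayName = 'Corp HQ'; AdditionalProperties = @{
        '@odata.type' = '#microsoft.graph.ipNamedLocation'; isTrusted = $true
        ipRanges = @(@{ cidrAddress = '203.0.113.0/24' }, @{ cidrAddress = '198.51.100.0/25' }) } },
    [pscustomobject]@{ DisplayName = 'Blocked regions'; AdditionalProperties = @{
        '@odata.type' = '#microsoft.graph.countryNamedLocation'; countriesAndRegions = @('XX') } }
)
Find-NamedLocationsForIP -IPAddress '203.0.113.77'   -NamedLocations $locations
Find-NamedLocationsForIP -IPAddress '198.51.100.200' -NamedLocations $locations
```

The second lookup illustrates the typical mistake: 198.51.100.0/25 covers only .0 to .127, so a user on .200 is outside the "trusted" range even though the first three octets match. An address that matches no location, or only an untrusted one, is the case to fix by adding or widening the named location; an address that matches a trusted location but is still blocked points at a different policy.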
If That Doesn't Work: Review Authentication Flow Restrictions
Some policies block specific authentication flows: device code flow (targeted through the Authentication flows condition) or legacy authentication (targeted through the client app types Exchange ActiveSync clients and Other clients). Users may need to sign in using a different method (an interactive browser sign-in with MFA, or a modern client instead of a legacy protocol), or the policy scope must be adjusted to allow the required flow.
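To find which policies carry these restrictions without opening each one, the following is an added example that is not part of the original article. It assumes the Microsoft Graph PowerShell SDK with the Policy.Read.All scope and that the SDK version in use exposes Conditions.AuthenticationFlows.TransferMethods; on older SDK versions that column is simply empty.

```powershell
# Added example (not from the original article): report policies that target legacy client
# app types or the device code flow, with their state and grant controls.
# Connect-MgGraph -Scopes "Policy.Read.All"

function Get-CaFlowRestrictions {
    param($Policies = (Get-MgIdentityConditionalAccessPolicy -All))

    foreach ($p in $Policies) {
        $c = $p.Conditions
        # Legacy authentication is scoped through these client app types; "all" includes them too.
        $legacyTypes = @($c.ClientAppTypes) -match '^(exchangeActiveSync|other|all)$'
        # Assumption: TransferMethods is a string such as "deviceCodeFlow" or "none".
        $flows = $c.AuthenticationFlows.TransferMethods
        if ($flows -eq 'none') { $flows = $null }
        if (-not $legacyTypes -and -not $flows) { continue }

        [pscustomobject]@{
            Policy     = $p.DisplayName
            State      = $p.State                  # enabled, disabled, enabledForReportingButNotEnforced
            ClientApps = (@($c.ClientAppTypes) -join ', ')
            AuthFlows  = $flows
            Grant      = (@($p.GrantControls.BuiltInControls) -join ', ')
            Users      = (@($c.Users.IncludeUsers) -join ', ')
        }
    }
}

Get-CaFlowRestrictions | Format-Table -AutoSize
```

A row with Grant = block and State = enabled whose ClientApps contains exchangeActiveSync or other is the legacy-authentication block; a row with AuthFlows set is the device code flow restriction. Exclude a user from such a policy only if the flow is genuinely required (for example a headless device that can only use device code flow), because both are deliberate reductions of attack surface.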
Verification
After applying changes, have the user sign in again. Check the Sign-ins log in the Entra admin center. Successful sign-ins will show "Success" status, with all Conditional Access policies showing "Success" or "Not applied". The Conditional Access tab should show no policies with a "Failure" status.
For device compliance fixes, verify the device shows as compliant in Entra admin center > Devices > All devices before testing.
Always exclude the tenant's emergency access (break-glass) accounts, which hold Global Administrator, from every Conditional Access policy to prevent tenant lockout. Test policy changes in report-only mode or with a pilot group before wide deployment.