Outlook shows error AADSTS53003 with "Access has been blocked by Conditional Access policies." A policy is preventing sign-in based on device, location, or other conditions.
The Fix
Step 1: Identify Which Policy
Check sign-in logs to see exactly which policy blocked access:
Entra ID Admin Center > Sign-in logs > find the failed sign-in > click it
Open the "Conditional Access" tab: it lists every policy that was evaluated for that sign-in with its result, so the policy marked Failure is the one that blocked access
Step 2: Common Causes and Fixes
Device not compliant:
- Enroll device in Intune, or
- Check device compliance status in Company Portal app
Location blocked:
- The user is signing in from a location the policy does not trust
- Add the location to trusted IPs only if the sign-in is legitimate; confirm with the user that they are actually at that location before trusting it
Legacy auth blocked:
- Outlook 2013 or older doesn't support modern auth
- Upgrade to Outlook 2016+ or use Outlook web
Unmanaged device:
- Policy requires managed device
- Sign in via browser instead, or enroll device
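The following is an added example (not part of the original article) of doing Steps 1 and 2 from PowerShell instead of the portal. It uses the Microsoft Graph PowerShell cmdlet Get-MgAuditLogSignIn to pull sign-ins that failed with error code 53003, prints the policy whose result was failure, and labels the likely cause from the device, client and location fields of each entry. It assumes the Microsoft.Graph.Reports module is installed and that the signed-in admin holds a role that can read sign-in logs; the user principal name is a placeholder.

```powershell
# Added example, not from the original article.
# Requires: Install-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

# Placeholder: set to a specific user, or $null to look at all users.
$Upn = "user@example.com"

# 53003 is the numeric part of AADSTS53003 ("blocked by Conditional Access policies").
$filter = "status/errorCode eq 53003"
if ($Upn) { $filter += " and userPrincipalName eq '$Upn'" }

$signIns = Get-MgAuditLogSignIn -Filter $filter -Top 50 -Sort "createdDateTime desc"

foreach ($s in $signIns) {
    # Only the policies that actually failed; satisfied or not-applied policies are noise here.
    $blocking = $s.AppliedConditionalAccessPolicies | Where-Object { $_.Result -eq 'failure' }

    $causes = @()
    $client = $s.ClientAppUsed

    # Legacy auth: anything that is not a browser or a modern-auth desktop/mobile client
    # (e.g. IMAP4, POP3, SMTP, Exchange ActiveSync) cannot satisfy MFA or device controls.
    if ($client -and $client -notin @('Browser', 'Mobile Apps and Desktop clients')) {
        $causes += "legacy auth client ($client): upgrade Outlook or use Outlook web"
    }
    if ($s.DeviceDetail.IsCompliant -eq $false) {
        $causes += "device not compliant: check Company Portal / Intune enrollment"
    }
    if ($s.DeviceDetail.IsManaged -eq $false) {
        $causes += "unmanaged device: enroll the device or sign in via browser"
    }
    # Location blocks cannot be inferred from the sign-in alone, so surface the source
    # IP and country for comparison against your trusted IPs / named locations.
    $where = "$($s.IpAddress) ($($s.Location.City), $($s.Location.CountryOrRegion))"
    if (-not $causes) { $causes += "no device/client signal: compare $where against trusted locations" }

    [pscustomobject]@{
        Time           = $s.CreatedDateTime
        User           = $s.UserPrincipalName
        App            = $s.AppDisplayName
        Client         = $client
        SourceIp       = $where
        BlockingPolicy = ($blocking.DisplayName -join '; ')
        # Grant controls the failing policy demanded, as the log reports them
        # (e.g. Mfa, RequireCompliantDevice, Block).
        Required       = (($blocking.EnforcedGrantControls | Select-Object -Unique) -join ', ')
        LikelyCause    = ($causes -join ' | ')
    }
}
```

Run it as a user with a sign-in log reading role; the BlockingPolicy column is the same name you would see on the portal's Conditional Access tab, and LikelyCause maps each entry onto the four categories above so you can pick the fix without opening every sign-in by hand.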
Step 3: For Service Accounts/Automation
Exclude service accounts from MFA policies:
Conditional Access > [Policy] > Users and Groups > Exclude
Add the service account, or create a security group for exclusions and add the account to it
Keep the exclusion limited to the accounts that actually need it and review the group's membership periodically, since every excluded account is one the policy no longer protects
Verify
User can sign in after meeting policy requirements. Document your Conditional Access policies so support staff know what's enforced.
Need help with Conditional Access policies? Contact Rain City Techworks for IT support across the Seattle-Tacoma area.