Conditional Access Policy Blocking Token Issuance with DUO MFA in Entra ID

Overview

This article explains the AADSTS53003 error encountered when using DUO MFA with Microsoft Entra ID (formerly Azure AD) under Conditional Access policies. The issue stems from policy configuration in Entra ID and how it interacts with DUO’s custom control mechanism. This is not related to infrastructure or service functionality on the Timus Networks side.

Symptoms

AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

This error means Microsoft Entra is enforcing a Conditional Access (CA) policy that blocks token issuance due to unmet conditions (e.g. MFA, device compliance, IP location).

Root Causes

  • Use of the common endpoint instead of a tenant-specific endpoint.
  • CA policy requiring MFA not satisfied by DUO’s Custom Control.
  • Policy applies to user or service principal with no exclusions defined.

How to Diagnose

  1. Log in to Microsoft Entra ID > Sign-in Logs.
  2. Locate the failed login attempt with the AADSTS53003 error.
  3. Open the sign-in log and view the Conditional Access tab.
  4. Identify which policy blocked the token issuance and why.

How to Resolve

  • Use your tenant ID, not "common":
    Replace https://login.microsoftonline.com/common with https://login.microsoftonline.com/<your-tenant-id>.
    [Microsoft Answers]
  • Adjust Conditional Access policies:
    - Exclude the affected user, group, or service principal from the blocking policy.
    - Loosen conditions (e.g. allow external MFA, accept custom controls).
    [Stack Overflow] | [Sync365]
  • Understand DUO limitations:
    - DUO Custom Control does not satisfy Microsoft’s native MFA claim requirement.
    - If strict MFA enforcement is needed, use DUO with AD FS or DUO SSO for federation-based authentication.
    [DUO Docs]

Important Notice

No action can be taken on the Timus Networks side to resolve this issue. This is not a service-level problem, but rather a result of how Conditional Access evaluates the token request in combination with DUO’s authentication method.

To clarify: This issue must be addressed jointly by your internal Entra ID administrators and DUO MFA configuration. The enforcement behavior and token issuance logic are fully governed by Microsoft Entra and how it recognizes external MFA solutions. Timus Networks has no control or authority to override these decisions.

References

Updated

Was this article helpful?

1 out of 1 found this helpful

Have more questions? Submit a request

Comments

0 comments

Please sign in to leave a comment.