Overview
This article explains the AADSTS53003 error encountered when using DUO MFA with Microsoft Entra ID (formerly Azure AD) under Conditional Access policies. The issue stems from policy configuration in Entra ID and how it interacts with DUO’s custom control mechanism. This is not related to infrastructure or service functionality on the Timus Networks side.
Symptoms
AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.
This error means Microsoft Entra is enforcing a Conditional Access (CA) policy that blocks token issuance due to unmet conditions (e.g. MFA, device compliance, IP location).
Root Causes
- Use of the
commonendpoint instead of a tenant-specific endpoint. - CA policy requiring MFA not satisfied by DUO’s Custom Control.
- Policy applies to user or service principal with no exclusions defined.
How to Diagnose
- Log in to Microsoft Entra ID > Sign-in Logs.
- Locate the failed login attempt with the
AADSTS53003error. - Open the sign-in log and view the Conditional Access tab.
- Identify which policy blocked the token issuance and why.
How to Resolve
-
Use your tenant ID, not "common":
Replacehttps://login.microsoftonline.com/commonwithhttps://login.microsoftonline.com/<your-tenant-id>.
[Microsoft Answers] -
Adjust Conditional Access policies:
- Exclude the affected user, group, or service principal from the blocking policy.
- Loosen conditions (e.g. allow external MFA, accept custom controls).
[Stack Overflow] | [Sync365] -
Understand DUO limitations:
- DUO Custom Control does not satisfy Microsoft’s native MFA claim requirement.
- If strict MFA enforcement is needed, use DUO with AD FS or DUO SSO for federation-based authentication.
[DUO Docs]
Important Notice
No action can be taken on the Timus Networks side to resolve this issue. This is not a service-level problem, but rather a result of how Conditional Access evaluates the token request in combination with DUO’s authentication method.
To clarify: This issue must be addressed jointly by your internal Entra ID administrators and DUO MFA configuration. The enforcement behavior and token issuance logic are fully governed by Microsoft Entra and how it recognizes external MFA solutions. Timus Networks has no control or authority to override these decisions.
References
- Microsoft Answers – AADSTS53003 using 'common' endpoint
- Stack Overflow – Conditional Access blocking token
- Sync365 – Troubleshooting Conditional Access
- DUO Docs – Azure Conditional Access Integration
Updated
Comments
0 comments
Please sign in to leave a comment.