Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

Access has been blocked by Conditional Access policies when using device code flow

Understand why device code flow doesn’t always work with Azure AD Conditional Access based on your configuration.

When you use device code authentication in PowerShell modules in a tenant with Conditional Access policies, you might receive errors like “Access has been blocked by Conditional Access policies. The access policy does not allow token issuance” or “AADSTS50097: Device authentication is required”. But what is the reason for this error, and is there a solution?

Examples from the field

Device code flow is a convenient way to sign in to an app through a web browser, at least when it works. If it doesn’t, you have to consider other options, which is probably why you are reading this article.

    Az PowerShell

Running the Az PowerShell module on PowerShell 7 uses device code flow to authenticate against your Azure tenant, and the sign-in might fail:

    Connect-AzAccount: AADSTS50097: Device authentication is required.

    Timestamp: 2020-08-17 13:36:31Z: Response status code does not indicate success: 401 (Unauthorized).

    The sign-in to Azure is tied to the “Microsoft Azure Management” app that you can select within Conditional Access.

    Microsoft Graph PowerShell

The same applies to the new Microsoft.Graph PowerShell modules, but here we receive a more detailed error message:

    Connect-Graph: AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

    Timestamp: 2020-08-17 13:37:12Z

    The sign-in to the new Microsoft Graph Modules is tied to the “Microsoft Graph PowerShell (Preview)” app and some more apps I couldn’t determine.

Possible cause

You will experience issues with device code flow if one or more of the following conditions apply to your Conditional Access configuration:

Unknown client app is blocked

Device-based Conditional Access rule in place:

    Require compliant device

    Require hybrid Azure AD joined device

If you take a closer look at the OAuth 2.0 device code flow and how it is used, you will notice that the sign-in can be completed on a device other than the one that initiated the authorization, such as a smartphone or another computer:

[Figure: OAuth 2.0 device code flow. Original image is from Microsoft]

So it is by design that device code flow cannot satisfy any device-based Conditional Access rule. Furthermore, device code flow falls into the “Unknown” client application category: the Azure AD identity platform simply doesn’t know whether you’re signing in for an app on your smart TV, an IoT device or within PowerShell, and it knows nothing about the device state.
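To make the point above concrete, here is the raw OAuth 2.0 device code flow against the Microsoft identity platform, written as an added example (it is not code from the original article). The device that runs the script only ever presents a device_code to the token endpoint; the user signs in somewhere else, so the tenant has no device state to evaluate, and a Conditional Access block shows up as an OAuth error during polling. It needs PowerShell 7 (it reads the error body from $_.ErrorDetails), and the tenant ID and client ID are placeholders for a public-client app registration that has public client flows enabled.

```powershell
# Added example: raw OAuth 2.0 device code flow with the Microsoft identity platform (PowerShell 7).
# Assumptions: $TenantId and $ClientId are placeholders; the app registration allows public client flows.

function Invoke-DeviceCodeSignIn {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ClientId,
        [string] $Scope = 'https://management.azure.com/.default offline_access'
    )
    $base = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0"

    # Step 1: this device asks for a device code. Nothing about this device is attested here.
    $dc = Invoke-RestMethod -Method Post -Uri "$base/devicecode" -Body @{ client_id = $ClientId; scope = $Scope }
    Write-Host $dc.message   # "To sign in, use a web browser to open ... and enter the code ..."

    # Step 2 happens elsewhere: the user completes the sign-in in any browser on any device, which is
    # why device-based Conditional Access cannot be evaluated against the device running this script.

    # Step 3: poll the token endpoint with the device_code until the user finishes or the code expires.
    $interval = [int]$dc.interval
    $deadline = (Get-Date).AddSeconds([int]$dc.expires_in)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $interval
        try {
            return Invoke-RestMethod -Method Post -Uri "$base/token" -Body @{
                grant_type  = 'urn:ietf:params:oauth:grant-type:device_code'
                client_id   = $ClientId
                device_code = $dc.device_code
            }
        }
        catch {
            # The token endpoint answers HTTP 400 with a JSON body while the flow is pending or failed;
            # PowerShell 7 exposes that body in ErrorDetails.
            $err = $_.ErrorDetails.Message | ConvertFrom-Json
            if ($err.error -eq 'authorization_pending') { continue }            # user not done yet
            if ($err.error -eq 'slow_down') { $interval += 5; continue }        # polling too fast
            # A Conditional Access block surfaces here as invalid_grant with AADSTS53003
            # (or AADSTS50097 when device authentication is required) in error_description.
            throw "Device code sign-in failed: $($err.error) - $($err.error_description)"
        }
    }
    throw 'Device code expired before the user completed the sign-in.'
}

# Usage (placeholders):
# $tokens = Invoke-DeviceCodeSignIn -TenantId '00000000-0000-0000-0000-000000000000' `
#                                   -ClientId '11111111-1111-1111-1111-111111111111'
# $tokens.access_token
```

The interesting part is the catch block: authorization_pending and slow_down are the normal pending states, and anything else is terminal. When a device-based or unknown-client policy applies, the user sees the block in the browser and the polling device receives the AADSTS53003 text quoted in this article, which is exactly the Connect-AzAccount / Connect-Graph output shown above.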

Possible solutions

Of course, workarounds exist on the Conditional Access side, but I wouldn’t recommend them because they weaken your security posture. If you accept the risk, you could exclude the “Microsoft Azure Management” app from the Conditional Access policy that blocks unknown clients or requires device state, and still protect the sign-in with MFA.

A better approach is another OAuth 2.0 / OpenID Connect flow, such as an interactive (delegated) flow where you sign in directly within the app. But that is not always possible and depends on what the PowerShell module supports (the Az modules currently do not support this).

Another workaround is an app registration (service principal) with client credentials such as a certificate, although this also has drawbacks for security and maintainability, depending on the permissions you assign to the app.

To summarize, you have the following options for the Az PowerShell module when device-based Conditional Access and/or a block on unknown client platforms is in place:

    PowerShell 7: use a service principal

    Windows PowerShell 5.1: sign-in should work as expected
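The options above, put into one sign-in helper for Az PowerShell, as an added example that is not part of the original article. It uses the module’s own parameters: plain Connect-AzAccount on Windows PowerShell 5.1, -UseDeviceAuthentication on PowerShell 7, and a certificate-based service principal as the fallback when the device code sign-in is rejected with AADSTS53003 or AADSTS50097. The tenant ID, application ID and certificate thumbprint are placeholders.

```powershell
# Added example: sign in with Az PowerShell and fall back to a service principal when
# Conditional Access blocks the device code flow. Assumptions: the tenant, app registration
# and certificate are placeholders; Az.Accounts is installed.

#Requires -Modules Az.Accounts

function Connect-AzWithFallback {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        # Service principal used only when the device code flow is blocked
        [string] $ApplicationId,
        [string] $CertificateThumbprint
    )

    if ($PSVersionTable.PSEdition -eq 'Desktop') {
        # Windows PowerShell 5.1: the module signs in interactively within the app,
        # so the sign-in works as expected under device-based Conditional Access.
        Connect-AzAccount -TenantId $TenantId -ErrorAction Stop | Out-Null
        return Get-AzContext
    }

    try {
        # PowerShell 7: device code flow. The sign-in can be completed on any device, so
        # Conditional Access sees an unknown client without device state and may block it.
        Connect-AzAccount -TenantId $TenantId -UseDeviceAuthentication -ErrorAction Stop | Out-Null
        return Get-AzContext
    }
    catch {
        $msg = $_.Exception.Message
        if ($msg -notmatch 'AADSTS(53003|50097)') {
            throw   # any other failure must not be masked by the fallback
        }
        Write-Warning "Device code sign-in blocked by Conditional Access: $msg"
    }

    if (-not ($ApplicationId -and $CertificateThumbprint)) {
        throw 'Device code flow is blocked and no service principal credentials were supplied. ' +
              'Sign in from Windows PowerShell 5.1 or pass -ApplicationId and -CertificateThumbprint.'
    }

    # Client credentials grant with a certificate: no user and no device are involved, so
    # device-based and unknown-client rules do not apply. Keep the app's RBAC role minimal.
    Connect-AzAccount -ServicePrincipal -TenantId $TenantId -ApplicationId $ApplicationId `
        -CertificateThumbprint $CertificateThumbprint -ErrorAction Stop | Out-Null
    return Get-AzContext
}

# Usage (placeholders):
# Connect-AzWithFallback -TenantId '00000000-0000-0000-0000-000000000000' `
#     -ApplicationId '11111111-1111-1111-1111-111111111111' `
#     -CertificateThumbprint 'ABCDEF0123456789ABCDEF0123456789ABCDEF01'
```

The fallback only triggers on the two Conditional Access error codes discussed in this article; every other failure is rethrown so that, for example, a wrong tenant ID is not silently turned into a service principal sign-in. Note that the service principal path changes who is acting: actions are logged against the app, not the administrator, which is the maintainability and security trade-off mentioned above.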

Final words

So fingers crossed that Microsoft implements this in their PowerShell modules and does not rely only on device code flow and unattended access with app registrations (client credentials grant).

If you haven’t already, I can recommend the Microsoft identity platform overview of OAuth 2.0 and OpenID Connect flows:

    OAuth 2.0 and OpenID Connect protocols on Microsoft identity platform


    Source : tech.nicolonsky.ch


    office 365 Access has been blocked by Conditional Access policies. The access policy does not allow token issuance


    I'm trying to send an email with smtp from yii2 application but it fails giving this error in admin portal: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

    How can I solve this issue?


    asked Jan 16 at 14:24

z1234

    1 Answer


It's very common for administrators to disable anything but "Modern Authentication" on Azure/Office365. This will prevent using username/password for authenticating with the Office365 SMTP service.

    Instead you need to authenticate to the SMTP service using OAuth2 https://docs.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth


    answered Jan 17 at 7:39

Nisd
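What "authenticate to the SMTP service using OAuth2" amounts to in practice, as an added example that is not part of the answer above: obtain an access token for Exchange Online and encode it as the SASL XOAUTH2 initial response that the mail client sends after AUTH XOAUTH2. The client credentials grant is used here because a web application sending mail has no user at the keyboard; the tenant, app registration, secret and mailbox are placeholders, and the app is assumed to have been granted the Exchange Online application permission for SMTP described in the linked Microsoft document.

```powershell
# Added example: OAuth 2.0 token for Exchange Online SMTP plus the SASL XOAUTH2 string.
# Assumptions: all identifiers are placeholders; the app holds the SMTP application permission.

function Get-ExchangeAppToken {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $ClientSecret
    )
    # v2.0 token endpoint; ".default" requests every application permission the app was granted.
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://outlook.office365.com/.default'
    }
    $resp = Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    return $resp.access_token
}

function ConvertTo-XOAuth2String {
    param(
        [Parameter(Mandatory)] [string] $Mailbox,
        [Parameter(Mandatory)] [string] $AccessToken
    )
    # SASL XOAUTH2 initial client response: "user=<mailbox>^Aauth=Bearer <token>^A^A" (^A = 0x01),
    # base64-encoded, sent as the argument of the SMTP "AUTH XOAUTH2" command.
    $ctrlA = [char]1
    $raw = "user=$Mailbox${ctrlA}auth=Bearer $AccessToken${ctrlA}${ctrlA}"
    return [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($raw))
}

# Usage (placeholders):
# $token = Get-ExchangeAppToken -TenantId '00000000-0000-0000-0000-000000000000' `
#             -ClientId '11111111-1111-1111-1111-111111111111' -ClientSecret $secret
# $auth  = ConvertTo-XOAuth2String -Mailbox 'noreply@contoso.example' -AccessToken $token
# SMTP session (smtp.office365.com:587): EHLO, STARTTLS, EHLO, then "AUTH XOAUTH2 $auth";
# a 235 reply means the token was accepted, a 535 reply carries the base64-encoded failure.
```

The application itself then sends the AUTH XOAUTH2 line over the TLS-protected SMTP session instead of AUTH LOGIN with a password. A certificate (client_assertion) is the safer credential for the token request than a shared secret, as the first article on this page notes; the secret is used here only to keep the request to one form post.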


    Source : stackoverflow.com

    "Access has been blocked by conditional access policies" when trying to log in to SQL Server


Question

JulianKeller-0231 asked • Nov 30 2021 at 10:47 PM | GeethaThatipatri-MSFT commented • Dec 08 2021 at 6:28 PM

    A new user has been set up to access SQL server, but when they try to log in, they get the following error "AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance...."

Refer to the attached access-has-been-blocked-error.pdf (44.5 KiB).

    1 Answer


    ErolElcan-7862 answered • Dec 01 2021 at 12:17 AM | GeethaThatipatri-MSFT commented • Dec 08 2021 at 6:28 PM

Accepted answer

Hi Julian,

You can trace the login events in AAD:

1. Visit https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview

2. Search for the user by typing into the search box and click on the user's name.

3. Click Sign-in logs under Activity.

4. Click on the failed event in the list.

5. Select the Conditional access tab to see which policy has been applied.

6. Once you have found the policy, go back to https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview and click on Security, then the Conditional access link https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies

7. Click on the policy name and click on the Users or workload identities link.

8. Click on Exclude, search for the user and add the user by clicking on the user's name.

9. Save and retry.

    SaurabhSharma-msft · Dec 01 2021 at 7:00 PM

Hi @juliankeller-0231,

Please do not forget to "Accept the answer" wherever the information provided helps you, to help others in the community.

Thanks, Saurabh

    GeethaThatipatri-MSFT SaurabhSharma-msft · Dec 08 2021 at 6:28 PM

Hi @juliankeller-0231,

Did you have the chance to check the above reply from @ErolElcan-7862? Please let us know if you are still facing the same issue.

Thanks, Geetha
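Steps 1 to 5 of the accepted answer, done with Microsoft Graph PowerShell instead of the portal, as an added example that is not part of the thread above. It pulls the user's recent sign-ins, keeps those that failed with AADSTS53003 or AADSTS50097, and lists the Conditional Access policies whose result was "failure" together with the grant controls they enforced. It assumes the Microsoft.Graph.Reports module is installed and that the caller holds a role allowed to read sign-in logs; the user principal name in the usage line is a placeholder.

```powershell
# Added example: find which Conditional Access policy blocked a user's sign-in from the
# Azure AD sign-in logs via Microsoft Graph PowerShell. Assumptions: Microsoft.Graph.Reports
# is installed and the signed-in account may read sign-in logs; the UPN is a placeholder.

#Requires -Modules Microsoft.Graph.Reports

function Get-CaBlockedSignIn {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [int] $Top = 50
    )

    # Filter server-side on the user only; the error-code and policy checks run client-side
    # so the function does not depend on which other OData filters the signIns endpoint accepts.
    $signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$UserPrincipalName'" -Top $Top

    foreach ($s in $signIns) {
        # 53003 = blocked by Conditional Access, 50097 = device authentication required
        if ($s.Status.ErrorCode -notin 53003, 50097) { continue }

        $blocking = $s.AppliedConditionalAccessPolicies | Where-Object { $_.Result -eq 'failure' }
        [pscustomobject]@{
            When           = $s.CreatedDateTime
            App            = $s.AppDisplayName
            ClientApp      = $s.ClientAppUsed
            ErrorCode      = $s.Status.ErrorCode
            BlockingPolicy = ($blocking.DisplayName -join ', ')
            FailedControls = ($blocking.EnforcedGrantControls -join ', ')
        }
    }
}

# Usage (placeholder UPN):
# Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
# Get-CaBlockedSignIn -UserPrincipalName 'julian@contoso.example' | Format-Table -AutoSize
```

The ClientApp and FailedControls columns tell you whether the block came from a device-state control or from an unknown-client condition, which is the distinction the first article on this page draws. Before following steps 6 to 9 of the answer, keep in mind that excluding the user from the policy removes that policy's protection for the user entirely; the safer fix is to make the client satisfy the control (a compliant device, an interactive sign-in from a supported client, or a service principal for unattended access).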


    Source : docs.microsoft.com
