ClientCertificateCredential authentication failed: AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

Chaitra Shivanand Kulkarni (INFOSYS LIMITED) 45 Reputation points Microsoft Vendor
2024-05-08T02:59:48.7466667+00:00

I am trying to authenticate locally, without a client_secret, to another app deployed in Azure. I have uploaded a certificate, which is also present in the Key Vault, to the app registration.

Here is the error I see:

ClientCertificateCredential authentication failed: AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance. Trace ID: 5cd30399-cc52-4cb5-a05f-766b8a9abd00 Correlation ID: a519dfdb-10b3-48f8-9450-b2b242a29acf Timestamp: 2024-05-08 01:57:30Z The returned error contains a claims challenge. For additional info on how to handle claims related to multifactor authentication, Conditional Access, and incremental consent, see [https://aka.ms/msal-conditional-access-claims]. If you are using the On-Behalf-Of flow, see [https://aka.ms/msal-conditional-access-claims-obo] for details.

using Azure.Core;   // TokenRequestContext lives here
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using System;
using System.Security.Cryptography.X509Certificates;

// Placeholders: replace with your own values.
var keyVaultUrl = new Uri("<key-vault-url>");
var certificateName = "<certificate-name>";
var tenantId = "<tenant-id>";
var clientId = "<client-id>";
var resourceUrl = "<resource-scope>";   // scope of the target app, e.g. its App ID URI followed by /.default

// Authenticate to Key Vault with the local developer identity (no client secret involved).
var credential = new DefaultAzureCredential();

// A certificate stored in Key Vault is also exposed as a secret whose value is the
// base64-encoded PFX (private key included), so it is read through the secret endpoint.
var secretClient = new SecretClient(keyVaultUrl, credential);
var secret = await secretClient.GetSecretAsync(certificateName);

var certificateBytes = Convert.FromBase64String(secret.Value.Value);
var certificate = new X509Certificate2(certificateBytes);

// Use the certificate to sign a client assertion and request a token for the target app.
var clientCertificateCredential = new ClientCertificateCredential(tenantId, clientId, certificate);

var token = await clientCertificateCredential.GetTokenAsync(new TokenRequestContext(new[] { resourceUrl }));

Console.WriteLine($"Access Token: {token.Token}");

Accepted answer
    Akhilesh 5,800 Reputation points Microsoft Vendor
    2024-05-10T14:37:39.3933333+00:00

    Hi @Chaitra Shivanand Kulkarni (INFOSYS LIMITED)

    Thank you for your post!

    The error message indicates that the access policy does not allow token issuance. This can happen when a user or application tries to access a resource that is protected by a Conditional Access policy, but the policy conditions aren't met. An admin might have set certain Conditional Access policies. You may contact the admin in your tenant to confirm what criteria you have met and adjust to avoid being blocked.
    To know for certain what is being blocked, you will need to gather more details.

    Under Microsoft Entra ID > Sign-in logs, you can select the failed sign-in log and view the Conditional Access tab to get more details about why the Conditional Access conditions were not met and which policies applied.

    [Screenshot: ca1]

    Then if you select the policy details you should be able to see which conditions applied.

    If you still do not see enough information to isolate the issue, please let me know.

    Reference: Troubleshooting sign-in problems with Conditional Access

    Hope this helps. Do let us know if you have any further queries.

    Thanks,
    Akhilesh.


    If this answers your query, do click Accept Answer and Yes for "Was this answer helpful". And, if you have any further query, do let us know.
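The sign-in log lookup described in the answer can also be done from PowerShell, which is handy when the developer who hit the error is not the admin who can open the portal blade. The script below is an added example, not code from the question, the answer or Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account holds the AuditLog.Read.All and Directory.Read.All permissions. Because ClientCertificateCredential performs an app-only (client credentials) sign-in, the event is in the service principal sign-in log, which the Graph beta signIns endpoint returns when the signInEventTypes filter is supplied. The default correlation ID is the one from the AADSTS53003 message in the question.

```powershell
# Added example: find the failed service-principal sign-in by Correlation ID and
# print which Conditional Access policies were evaluated and how each one resulted.
# Assumptions: Microsoft.Graph PowerShell SDK installed; caller has AuditLog.Read.All
# and Directory.Read.All.
param(
    # Correlation ID copied from the AADSTS53003 error text in the question.
    [string]$CorrelationId = 'a519dfdb-10b3-48f8-9450-b2b242a29acf'
)

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

# App-only sign-ins are exposed by the beta signIns endpoint when the
# signInEventTypes filter names the servicePrincipal event type.
$filter = "signInEventTypes/any(t: t eq 'servicePrincipal') and correlationId eq '$CorrelationId'"
$uri = "https://graph.microsoft.com/beta/auditLogs/signIns?`$filter=$([uri]::EscapeDataString($filter))"

$response = Invoke-MgGraphRequest -Method GET -Uri $uri
$events = @($response.value)

if ($events.Count -eq 0) {
    Write-Warning "No service-principal sign-in found for correlation ID $CorrelationId (the log can lag by several minutes)."
    return
}

foreach ($evt in $events) {
    # Summary of the sign-in attempt; conditionalAccessStatus is success, failure or notApplied.
    [pscustomobject]@{
        Time          = $evt.createdDateTime
        App           = $evt.appDisplayName
        Resource      = $evt.resourceDisplayName
        ErrorCode     = $evt.status.errorCode        # 53003 for the case in the question
        FailureReason = $evt.status.failureReason
        CAStatus      = $evt.conditionalAccessStatus
    } | Format-List

    # One row per policy that was evaluated; result 'failure' marks the policy that
    # blocked token issuance, and enforcedGrantControls shows what it demanded.
    $evt.appliedConditionalAccessPolicies |
        Select-Object displayName, result,
            @{ n = 'grantControls'; e = { $_.enforcedGrantControls -join ', ' } } |
        Format-Table -AutoSize
}
```

Run it as `.\Get-CaBlock.ps1 -CorrelationId <id>` with the Correlation ID from the error text. In the portal the same event sits under the Service principal sign-ins tab of the Sign-in logs blade rather than among user sign-ins, which is worth knowing if the entry seems to be missing. The policy whose result is `failure` is the one to discuss with the tenant admin; its grant controls tell you what the policy expects (for example a trusted location or a compliant device) so the app registration or the policy's exclusions can be adjusted.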

