MetricSign
Low severity · authentication

Power BI Error:
AADSTS53000, Conditional Access blocks non-compliant device

What does this error mean?

Conditional Access policy requires a compliant or hybrid Azure AD-joined device, and the signing-in device doesn't meet that bar.

Common causes

  • Conditional Access policy with a 'Require device to be marked as compliant' or 'Require Hybrid Azure AD joined device' grant control
  • Device is not enrolled in Intune (or another approved MDM) — typical for BYOD, contractor laptops, or personal machines
  • Device is enrolled but currently non-compliant: missing disk encryption, outdated OS build, missing antivirus signatures, or pending compliance evaluation
  • Sign-in from an unmanaged browser session or unsupported OS (e.g. Linux, older macOS) where compliance can't be reported
  • On-prem domain-joined device that has not yet synced to Entra ID via Azure AD Connect, so it isn't seen as Hybrid Joined

How to fix it

  1. Identify which Conditional Access policy fired: open Entra ID (Azure AD) > Sign-in logs, locate the failed sign-in for this user/app, and check the 'Conditional Access' tab for the policy name and the failing grant control.
  2. On the affected device, enroll it in Intune via Settings > Accounts > Access work or school > Connect (Windows) or the Company Portal app (macOS/iOS/Android). For server/service scenarios, switch the data source to a service principal so device compliance no longer applies.
  3. In Intune (Microsoft Endpoint Manager) > Devices, open the device and review Compliance: remediate the failing settings (BitLocker/FileVault, Defender, OS version, password policy) and trigger 'Sync' so the compliant state propagates back to Entra ID.
  4. For Power BI Gateway / ADF self-hosted IR / Databricks scheduled jobs: replace user-account auth with a service principal or managed identity, and exclude that workload from the device-compliance CA policy — automated runs have no device to be compliant on.
  5. If the user must keep working from this device, ask the CA admin to either add a 'Require compliant or Hybrid joined device' OR clause, exclude the user from the policy temporarily, or grant access via an approved client app instead.
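The sign-in log triage behind steps 1 to 4, as an added Python example (not MetricSign's or Microsoft's code): it assumes records shaped like the Microsoft Graph `signIn` resource (status.errorCode, deviceDetail.isManaged / isCompliant, appliedConditionalAccessPolicies[].result and enforcedGrantControls) and works on constructed sample records, pulling out the policy that actually failed and mapping each AADSTS53000 sign-in to the remediation path above.

```python
from collections import Counter

AADSTS53000 = 53000  # status.errorCode that Entra ID reports for this block

# Constructed records in the shape of the Graph `signIn` resource (not real logs).
def rec(upn, interactive, managed, compliant, policies, code=AADSTS53000):
    return {"userPrincipalName": upn, "isInteractive": interactive,
            "status": {"errorCode": code},
            "deviceDetail": {"isManaged": managed, "isCompliant": compliant},
            "appliedConditionalAccessPolicies": [
                {"displayName": n, "enforcedGrantControls": g, "result": r}
                for n, g, r in policies]}

REQ = ("Require compliant device - Power BI", ["RequireCompliantDevice"], "failure")
SKIP = ("Block legacy auth", ["Block"], "notApplied")  # evaluated but did not fail
SIGNINS = [
    rec("alice@contoso.example", True, False, False, [REQ, SKIP]),   # BYOD laptop
    rec("bob@contoso.example", True, True, False, [REQ]),            # enrolled, non-compliant
    rec("gateway-svc@contoso.example", False, False, False, [REQ]),  # scheduled refresh
    rec("carol@contoso.example", True, True, True, [], code=0),      # succeeded
]

def failing_policies(signin):
    """Name and grant controls of each CA policy whose result was 'failure'."""
    return [(p["displayName"], tuple(p.get("enforcedGrantControls", [])))
            for p in signin.get("appliedConditionalAccessPolicies", [])
            if p.get("result") == "failure"]

def classify(signin):
    """Map one AADSTS53000 failure to the remediation path in the steps above."""
    dev = signin.get("deviceDetail", {})
    if not signin.get("isInteractive", True):
        return "service-principal"  # step 4: automated run, no device to be compliant
    if not dev.get("isManaged"):
        return "enroll"             # step 2: unmanaged / BYOD device
    if not dev.get("isCompliant"):
        return "remediate"          # step 3: enrolled but failing a compliance setting
    return "check-policy-scope"     # compliant yet blocked: hybrid-join sync or policy

def triage(signins):
    """Per-sign-in findings for AADSTS53000 plus a count of which policy fired."""
    findings, by_policy = [], Counter()
    for s in signins:
        if s.get("status", {}).get("errorCode") != AADSTS53000:
            continue
        pols = failing_policies(s)
        by_policy.update(name for name, _ in pols)
        findings.append({"user": s["userPrincipalName"], "policies": pols,
                         "action": classify(s)})
    return findings, by_policy
```

Feeding real data in means replacing SIGNINS with the `value` array returned by the Graph sign-in logs query; the policy counter tells you which CA policy to open first.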

Frequently asked questions

What does AADSTS53000 mean?

Conditional Access policy requires a compliant device, and the device isn't compliant. The user must enroll their device with an approved MDM provider like Intune. For additional information, please v

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
