Low severity · authentication

Power BI Error:
AADSTS53001, Conditional Access Block

What does this error mean?

Sign-in blocked because Conditional Access requires a domain-joined (or hybrid-joined) device and the current device isn't.

Common causes

  • Conditional Access grant control 'Require Hybrid Azure AD joined device' is enforced on the targeted app (Power BI Service, Fabric, Azure Management)
  • Device is Entra ID joined or Entra registered only — not Hybrid Azure AD joined — so it fails the domain-joined check
  • Sign-in attempt from a personal/BYOD or non-corporate machine against a tenant that mandates managed devices
  • On-prem AD to Entra Connect sync issue: the device object exists locally but the service connection point (SCP) or userCertificate attribute didn't sync, so the device shows as not hybrid-joined
  • Unattended service principal or gateway running on a server that was never hybrid-joined, hitting a CA policy scoped to 'All users'

How to fix it

  1. Run `dsregcmd /status` on the affected Windows device — confirm `AzureAdJoined: YES` AND `DomainJoined: YES` (both must be YES for hybrid join). If DomainJoined is NO, the device must be domain-joined first; if AzureAdJoined is NO, trigger the scheduled task `Automatic-Device-Join` or re-run Entra Connect device sync
  2. In the Entra admin center → Protection → Conditional Access, locate the policy hitting this user/app (filter sign-in logs on AADSTS53001 to identify the policy ID), and review the 'Grant' block — confirm whether 'Require Hybrid Azure AD joined device' is the blocking control
  3. If the user legitimately needs access from this device, either: (a) add the device as Compliant via Intune and switch the grant to 'Require device to be marked as compliant', or (b) exclude the user/app from the policy via a named location or security group
  4. For Power BI Gateway / ADF Self-Hosted IR / Fabric capacity service accounts: ensure the host server is Hybrid Azure AD joined, or exclude the service account from the device-state CA policy (service principals don't carry device claims)
  5. Verify Entra Connect is syncing device objects: in Synchronization Service Manager check the `In from AD - Device Join` rule is active, and force a delta sync with `Start-ADSyncSyncCycle -PolicyType Delta`
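Steps 1 and 2 above can be scripted. The PowerShell below is an added example, not code from MetricSign or Microsoft: `Get-DeviceJoinState` parses `dsregcmd /status` output and classifies the device the way the CA grant control does (only `AzureAdJoined: YES` together with `DomainJoined: YES` satisfies 'Require Hybrid Azure AD joined device'), and `Get-BlockingCaPolicies` pulls the sign-ins that ended in error code 53001 from the Entra sign-in logs and lists the policy IDs that returned a failure result. The function names, the sample `dsregcmd` text (constructed, with a placeholder DeviceId and tenant name) and the use of the `Microsoft.Graph.Reports` module with `AuditLog.Read.All` are assumptions of this example.

```powershell
# Added example (not from the MetricSign page or Microsoft).
# Part 1: classify a device from `dsregcmd /status` output (Windows only when run live).
function Get-DeviceJoinState {
    param(
        # Raw lines of `dsregcmd /status`. When omitted, the command is run on this machine.
        [string[]]$StatusText
    )
    if (-not $StatusText) {
        $StatusText = dsregcmd /status
    }

    # dsregcmd prints "   Key : Value" rows; collect them into a lookup table.
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(\S.*)$') {
            $fields[$matches[1]] = $matches[2].Trim()
        }
    }

    $aad    = $fields['AzureAdJoined']   -eq 'YES'
    $domain = $fields['DomainJoined']    -eq 'YES'
    $wpj    = $fields['WorkplaceJoined'] -eq 'YES'

    # Only the first branch passes 'Require Hybrid Azure AD joined device'.
    $state = if ($aad -and $domain) { 'HybridAzureAdJoined' }
             elseif ($aad)          { 'AzureAdJoined' }      # cloud-only join: fails the domain-joined check
             elseif ($wpj)          { 'AzureAdRegistered' }  # BYOD / workplace registration: also fails
             elseif ($domain)       { 'DomainJoinedOnly' }   # AD join present, Entra registration missing
             else                   { 'NotJoined' }

    [pscustomobject]@{
        AzureAdJoined            = $aad
        DomainJoined             = $domain
        WorkplaceJoined          = $wpj
        TenantName               = $fields['TenantName']
        DeviceId                 = $fields['DeviceId']
        State                    = $state
        SatisfiesHybridJoinGrant = ($state -eq 'HybridAzureAdJoined')
    }
}

# Constructed sample (not captured from a real machine): Entra joined but not domain joined,
# which is the shape of output that produces AADSTS53001 under this grant control.
$sampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
                  DeviceId : 00000000-0000-0000-0000-000000000000
                TenantName : PLACEHOLDER-TENANT
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
           WorkplaceJoined : NO
'@ -split "`r?`n"

Get-DeviceJoinState -StatusText $sampleStatus | Format-List

# Part 2: find which Conditional Access policy blocked the sign-in (step 2).
# Assumes Microsoft.Graph.Reports is installed and an admin has already run
#   Connect-MgGraph -Scopes 'AuditLog.Read.All'
function Get-BlockingCaPolicies {
    param([int]$Top = 50)
    # status/errorCode 53001 is the numeric form of AADSTS53001 in the sign-in log.
    Get-MgAuditLogSignIn -Filter 'status/errorCode eq 53001' -Top $Top |
        ForEach-Object {
            $signIn = $_
            # Only policies whose result was 'failure' actually produced the block.
            $signIn.AppliedConditionalAccessPolicies |
                Where-Object { $_.Result -eq 'failure' } |
                ForEach-Object {
                    [pscustomobject]@{
                        When          = $signIn.CreatedDateTime
                        User          = $signIn.UserPrincipalName
                        App           = $signIn.AppDisplayName
                        PolicyId      = $_.Id
                        Policy        = $_.DisplayName
                        GrantControls = ($_.EnforcedGrantControls -join ', ')
                    }
                }
        }
}
```

For the constructed sample, the classifier reports `AzureAdJoined` with `SatisfiesHybridJoinGrant` false, which is the situation described in cause 2: the device must be domain-joined and then hybrid-joined (or the grant switched to device compliance per step 3) before the sign-in will pass. Run `Get-DeviceJoinState` with no arguments on the affected machine to evaluate its live state, and `Get-BlockingCaPolicies` from an admin session to get the policy IDs to open in the Conditional Access blade.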

Frequently asked questions

What does AADSTS53001 mean?

Conditional Access policy requires a domain joined device, and the device isn't domain joined. Have the user use a domain joined device.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
