MetricSign
Low severity · authentication

Power BI Error: AADSTS53002

What does this error mean?

A Conditional Access policy requires an approved client app, but the app attempting the sign-in isn't on the approved list.

Common causes

  • A Conditional Access policy in Microsoft Entra ID (Azure AD) requires an approved client app, and the user signed in with a non-approved third-party or browser-based app
  • The user authenticates with a built-in mail/calendar client (iOS Mail, Android default mail), which isn't on Microsoft's approved app list, instead of Outlook Mobile
  • Power BI Service or Fabric is accessed via an unsupported browser session or embedded WebView that doesn't satisfy the approved client app requirement
  • The Conditional Access policy targets the user/group, but the legacy authentication protocol used (e.g. basic auth, ActiveSync) doesn't support modern approved-app enforcement
  • An App Protection Policy grant ('Require app protection policy') is configured, but the client app doesn't support Intune MAM

How to fix it

  1. Switch to a Microsoft-approved client app for the affected service: Outlook Mobile for Exchange, Microsoft Teams, Power BI Mobile, or Edge/Chrome for browser access — see Microsoft's approved app list at aka.ms/approvedapps
  2. In the Microsoft Entra admin center → Protection → Conditional Access, locate the policy enforcing 'Require approved client app' and review which users, apps and platforms it targets
  3. If the block is unintended, exclude the specific cloud app (e.g. Power BI Service, Azure Data Factory) or add the user to the policy's exclusion group, then re-test sign-in
  4. For service principals or unattended Power BI / ADF refresh scenarios: ensure the workload uses a service principal or managed identity — Conditional Access approved-app policies apply to interactive user sign-ins, so non-interactive refreshes should run under a non-user identity
  5. Check the sign-in logs in Microsoft Entra ID → Sign-in logs, filter on the user and error 53002, and inspect the 'Conditional Access' tab to confirm exactly which policy fired and why
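
The check in step 5 can also be run offline over a JSON export of the sign-in logs, which helps when many users are affected at once. This is an added example, not code from MetricSign or Microsoft: the function name `policies_behind_53002` is hypothetical, the records are assumed to follow the Microsoft Graph signIn resource shape (`status.errorCode`, `appliedConditionalAccessPolicies[].result`), and all sample users, policy names and control labels are constructed.

```python
import json
from collections import defaultdict

# Constructed sample export (not real tenant data). Field names follow the
# Microsoft Graph signIn resource; users, policy names and control labels
# are placeholders.
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Power BI Service",
     "clientAppUsed": "Browser", "status": {"errorCode": 53002},
     "appliedConditionalAccessPolicies": [
         {"displayName": "CA-ApprovedApp", "result": "failure",
          "enforcedGrantControls": ["Require approved client app"]},
         {"displayName": "CA-MFA", "result": "success",
          "enforcedGrantControls": ["Mfa"]}]},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 53002},
     "appliedConditionalAccessPolicies": [
         {"displayName": "CA-ApprovedApp", "result": "failure",
          "enforcedGrantControls": ["Require approved client app"]}]},
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Power BI Service",
     "clientAppUsed": "Browser", "status": {"errorCode": 53002},
     "appliedConditionalAccessPolicies": []},
    {"userPrincipalName": "dave@example.com", "appDisplayName": "Power BI Service",
     "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0},
     "appliedConditionalAccessPolicies": [
         {"displayName": "CA-ApprovedApp", "result": "success",
          "enforcedGrantControls": ["Require approved client app"]}]},
])

UNATTRIBUTED = "<no failing policy recorded>"

def policies_behind_53002(export_json, error_code=53002):
    """Group sign-ins that failed with error_code by the policy whose result is 'failure'."""
    hits = defaultdict(set)
    for rec in json.loads(export_json):
        if (rec.get("status") or {}).get("errorCode") != error_code:
            continue  # other errors and successful sign-ins are out of scope
        failed = [p.get("displayName", "<unnamed>")
                  for p in rec.get("appliedConditionalAccessPolicies") or []
                  if p.get("result") == "failure"]
        # Keep 53002 records with no failing policy visible rather than dropping them.
        for name in failed or [UNATTRIBUTED]:
            hits[name].add((rec.get("userPrincipalName", "?"),
                            rec.get("appDisplayName", "?"), rec.get("clientAppUsed", "?")))
    return {name: sorted(rows) for name, rows in hits.items()}

if __name__ == "__main__":
    print(policies_behind_53002(SAMPLE_EXPORT))
```

Grouping by policy rather than by user shows whether one policy explains every block, and the client app column shows which clients need to be replaced with an approved app before considering any exclusion.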

Frequently asked questions

What does AADSTS53002 mean?

ApplicationUsedIsNotAnAppr

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
