Critical severity · authentication
Power BI Error: AADSTS530034
What does this error mean?
A delegated (CSP/GDAP) admin is blocked from the customer tenant because their home-tenant account is flagged as risky.
Common causes
1. The delegated admin's user account is flagged as 'at risk' by Entra ID Identity Protection in the partner's home tenant (leaked credentials, anomalous sign-in, malware-linked IP)
2. Risk-based Conditional Access policy in the home tenant blocks the user until risk is remediated
3. MFA / secure-password reset has not been completed after a risky sign-in event
4. GDAP/DAP relationship is active but the partner admin's identity in the partner tenant is non-compliant (no MFA, stale credentials)
5. Token-protection or sign-in risk policies set to 'Block access' instead of 'Require password change'
How to fix it
1. Have the delegated admin sign in to their own (partner) tenant and complete a secure password reset + MFA challenge to clear the user-risk flag in Entra ID Identity Protection
2. In the partner tenant, open Entra ID > Security > Identity Protection > Risky users, locate the admin and choose 'Confirm user compromised' → reset password, or 'Dismiss user risk' after investigation
3. Review Conditional Access policies in the partner (home) tenant for rules targeting 'User risk' or 'Sign-in risk' = High that block delegated/CSP admins, and adjust to 'Require password change' instead of 'Block'
4. Verify the GDAP relationship and role assignments in Microsoft Partner Center are still valid for the customer tenant
5. Retry access to the customer tenant from a compliant device after risk remediation has propagated (can take a few minutes)
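
The Conditional Access review in the fix steps can be done offline against an export of the home tenant's policies. The following is an added example, not part of the original page: it assumes a JSON export in the shape returned by Microsoft Graph `GET /identity/conditionalAccess/policies`, uses constructed policy names, and does not evaluate which users each policy is assigned to.

```python
import json

# Constructed sample in the shape of Microsoft Graph conditionalAccessPolicy
# objects. Display names are made up for illustration.
SAMPLE_EXPORT = json.loads("""
{"value": [
  {"displayName": "Block high user risk", "state": "enabled",
   "conditions": {"userRiskLevels": ["high"], "signInRiskLevels": []},
   "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
  {"displayName": "High user risk - password change", "state": "enabled",
   "conditions": {"userRiskLevels": ["high"], "signInRiskLevels": []},
   "grantControls": {"operator": "AND",
                     "builtInControls": ["mfa", "passwordChange"]}},
  {"displayName": "Block risky sign-ins (pilot)",
   "state": "enabledForReportingButNotEnforced",
   "conditions": {"userRiskLevels": [], "signInRiskLevels": ["medium", "high"]},
   "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
  {"displayName": "Require MFA for admins", "state": "enabled",
   "conditions": {"userRiskLevels": [], "signInRiskLevels": []},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]}
""")


def risk_block_policies(export, level="high"):
    """Return findings for policies that answer `level` risk with 'block'."""
    findings = []
    for policy in export.get("value", []):
        cond = policy.get("conditions") or {}
        grant = policy.get("grantControls") or {}  # null on session-only policies
        controls = [c.lower() for c in grant.get("builtInControls") or []]
        triggers = [name for name, key in (("user risk", "userRiskLevels"),
                                           ("sign-in risk", "signInRiskLevels"))
                    if level in (cond.get(key) or [])]
        if not triggers or "block" not in controls:
            continue
        if policy.get("state") == "disabled":
            continue
        findings.append({
            "policy": policy.get("displayName"),
            "triggers": triggers,
            # Report-only policies log the decision but do not block sign-in.
            "enforced": policy.get("state") == "enabled",
        })
    return findings


if __name__ == "__main__":
    for f in risk_block_policies(SAMPLE_EXPORT):
        mode = "ENFORCED" if f["enforced"] else "report-only"
        print(f"{f['policy']}: blocks on {', '.join(f['triggers'])} [{mode}]")
```

Enforced findings are the candidates for the 'Require password change' adjustment; report-only findings would start blocking if the policy is later switched on.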