What causes AADSTS53011?

Identity Protection flagged the user as high-risk (leaked credentials, atypical travel, anonymous IP, malware-linked IP, or unfamiliar sign-in properties). A Conditional Access policy on the home tenant is configured to block sign-ins when user risk is medium or high. The user's password appeared in a known credential leak and Microsoft hasn't yet received a self-service password reset. B2B/guest scenario: the user's home tenant (not the resource tenant they're accessing, e.g. a Power BI workspace or Fabric capacity) is enforcing the risk block. Stale risk state — the threat was remediated but the risk flag was never dismissed in Entra ID Protection

How do I fix AADSTS53011?

Have a Global Administrator or Security Administrator of the user's home tenant open Microsoft Entra admin center → Protection → Identity Protection → Risky users, locate the account, and review the risk detections to understand why it was flagged. Remediate the user: trigger a self-service password reset (SSPR) with MFA, or have the admin click 'Confirm user compromised' followed by a forced password reset, then 'Dismiss user risk' once resolved. Review Conditional Access policies in the home tenant (Protection → Conditional Access) for any 'Sign-in risk' or 'User risk' grant/block controls and confirm the policy is intentional — adjust the risk threshold if it's overly aggressive. For B2B guest access to Power BI, Fabric or ADF: confirm with the guest's home-tenant admin that the block is on their side; the resource tenant cannot override it. After remediation, have the user sign out completely and re-authenticate; the token cache must be cleared before AADSTS53011 stops appearing

Critical severityauthentication

Power BI Error:
AADSTS53011

What does this error mean?

Identity Protection on the user's home tenant has blocked the sign-in because the account is flagged as risky.

Common causes

1Identity Protection flagged the user as high-risk (leaked credentials, atypical travel, anonymous IP, malware-linked IP, or unfamiliar sign-in properties)
2A Conditional Access policy on the home tenant is configured to block sign-ins when user risk is medium or high
3The user's password appeared in a known credential leak and Microsoft hasn't yet received a self-service password reset
4B2B/guest scenario: the user's home tenant (not the resource tenant they're accessing, e.g. a Power BI workspace or Fabric capacity) is enforcing the risk block
5Stale risk state — the threat was remediated but the risk flag was never dismissed in Entra ID Protection

How to fix it

1Have a Global Administrator or Security Administrator of the user's home tenant open Microsoft Entra admin center → Protection → Identity Protection → Risky users, locate the account, and review the risk detections to understand why it was flagged
2Remediate the user: trigger a self-service password reset (SSPR) with MFA, or have the admin click 'Confirm user compromised' followed by a forced password reset, then 'Dismiss user risk' once resolved
3Review Conditional Access policies in the home tenant (Protection → Conditional Access) for any 'Sign-in risk' or 'User risk' grant/block controls and confirm the policy is intentional — adjust the risk threshold if it's overly aggressive
4For B2B guest access to Power BI, Fabric or ADF: confirm with the guest's home-tenant admin that the block is on their side; the resource tenant cannot override it
5After remediation, have the user sign out completely and re-authenticate; the token cache must be cleared before AADSTS53011 stops appearing

Frequently asked questions

What does AADSTS53011 mean?

User blocked due to risk on home tenant.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes