This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 38%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWO%3C/text%3E%3C/svg%3E)
Greetings!
I'm trying to reatrive some e-mails from my mail box using a python code with msallib. As I'm using a personal e-mail I set the auth url as "https://login.microsoftonline.com/common". It was working when my auth url was /{tenant_id}, but since I made this change I keep getting the error bellow whenever I run the app.
'error': 'invalid_grant', 'error_description': 'AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.'
When I look into the sign-in logs, there is nothing in the Conditional Access:
What should I do? I'm losing my hopes...
Look in the non interactive logs instead. If , for example, your access to Office 365 was blocked by a CA policy, then that would affect your Graph access.
Thank you for your answer Andy!
I looked in the non interactive logs but every access has the status Success.
How about under Service Principal Logins?
In Service Principal Login all the access that has status Failure have the same details as the image I presented in the main post.
not sure using the /common endpoint is the way here. You said it works with the tenantID?
Yes, it was, but since I'm using a personal account I needed to change it to /common.
I used this two questions as base to this change:
https://learn.microsoft.com/en-us/answers/questions/1190977/organizationfromtenantguidnotfound
Where does the personal account live?
The block doesnt look to be coming from your tenant if you cant find the policy
But I'm able to find the logins attempts I made in the Sign-in Logs. Is it possible to be blocked from another source yet?
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Does the failed sign ins in the sign in logs that show failure list your tenant ID?
No... All the fields related to Tenant in the failure case are blank. The ones that were successful have a Tenant that matches mine.