[Microsoft internal] Microsoft tenant forbids device code flow

[jiasli]

Symptom

Recently, Microsoft tenant (72f988bf-86f1-41af-91ab-2d7cd011db47) started to forbid device code flow.

To reproduce, run

az login --tenant 72f988bf-86f1-41af-91ab-2d7cd011db47 --use-device-code

Then open https://microsoft.com/devicelogin with a web browser, enter the device code and select the @microsoft.com account in the browser.

The login page shows error:

You don't have access to this
Your sign-in was successful but does not meet the criteria to access this resource. For example, you might be signing in from a browser, app, location, or an authentication flow that is restricted by your admin.

Troubleshooting details:

Error Code: 53003
Request Id: ...
Correlation Id: ...
Timestamp: 2025-11-13T08:20:29.147Z
App name: Microsoft Azure CLI
App id: 04b07795-8ddb-461a-bbee-02f9e1bf7b46
IP address: ...
Device identifier: ...
Device platform: Windows 10
Device state: Compliant

Solution

Use a user account with WAM flow:

az login --tenant 72f988bf-86f1-41af-91ab-2d7cd011db47

Additional information

IcM: 707266280, 710799821

[yonzhan]

Microsoft tenant forbids device code flow and we need to use a user account with WAM flow.

[github-actions]

Here are some similar issues that might help you. Please check if they can solve your problem.

• [Microsoft internal] Microsoft tenant forbids accessing Microsoft Graph with browser flow #31030

---

Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

Solution 1:

This is a Conditional Access policy enforced by MSIT, not Azure CLI. This is not under Azure CLI's control.

Currently, if you want to access Microsoft Graph with Azure CLI and a user credential, you have to use Windows and WAM (az config set core.enable_broker_on_windows=true, which is the default).

Another workaround is to use service principal to access Microsoft Graph.

Reference:

• [Microsoft internal] Microsoft tenant forbids accessing Microsoft Graph with browser flow #31030 (comment)

Solution 2:

While azcli might be able to implement another auth method, I needed a workaround now to keep working.

I found this Sharepoint site describing the policy and exception process: https://microsoft.sharepoint.com/sites/Identity_Authentication/SitePages/CoreIdentity/TokenProtection-FAQ.aspx#troubleshooting

• go to tech web helpdesk
• start a virtual agent chat
• type "I need a real person"
• Mention "Token Protection" in your ticket description
• They will ask for an error message showing "AADSTS530084"
• They will whitelist your account in the backend. It should only take a minute or two to take effect.

Reference:

• [Microsoft internal] Microsoft tenant forbids accessing Microsoft Graph with browser flow #31030 (comment)

Powered by issue-sentinel