ERROR: AADSTS530084: Access has been blocked by conditional access token protection policy configured by this organization. To learn more, see https://aka.ms/TBCADocs. Trace ID: <redacted> Correlation ID: <redacted> Timestamp: 2026-04-13 19:04:12Z
Suggestion: reauthentication required, run `azd auth login --tenant-id <redacted> --scope https://graph.microsoft.com/.default` to acquire a new token.
This error happens for some internal Microsoft users that are part of a MSIT content access policy that prevents them from getting a MS Graph token.
Only users in this policy can reproduce the issue with azd auth token -o json --scope https://graph.microsoft.com/.default --tenant-id <tenant-id>
The ideal solution would be to enable Web Account Manager (WAM) based login on Windows devices like Azure CLI. We did add support for it in #3216 but it's not enabled yet in our public releases due to some pending work:
The only known workaround is to contact the internal help desk and request for a token protection exception on this policy.
Related Azure CLI issue: Azure/azure-cli#31030
This error happens for some internal Microsoft users that are part of a MSIT content access policy that prevents them from getting a MS Graph token.
Only users in this policy can reproduce the issue with
azd auth token -o json --scope https://graph.microsoft.com/.default --tenant-id <tenant-id>The ideal solution would be to enable Web Account Manager (WAM) based login on Windows devices like Azure CLI. We did add support for it in #3216 but it's not enabled yet in our public releases due to some pending work:
The only known workaround is to contact the internal help desk and request for a token protection exception on this policy.
Related Azure CLI issue: Azure/azure-cli#31030