Skip to content

azd auth token --scope https://graph.microsoft.com/.default fails with AADSTS530084 for some internal users #7704

Description

@JeffreyCA
ERROR: AADSTS530084: Access has been blocked by conditional access token protection policy configured by this organization. To learn more, see https://aka.ms/TBCADocs. Trace ID: <redacted> Correlation ID: <redacted> Timestamp: 2026-04-13 19:04:12Z

Suggestion: reauthentication required, run `azd auth login --tenant-id <redacted> --scope https://graph.microsoft.com/.default` to acquire a new token.

This error happens for some internal Microsoft users that are part of a MSIT content access policy that prevents them from getting a MS Graph token.

Only users in this policy can reproduce the issue with azd auth token -o json --scope https://graph.microsoft.com/.default --tenant-id <tenant-id>

Image

The ideal solution would be to enable Web Account Manager (WAM) based login on Windows devices like Azure CLI. We did add support for it in #3216 but it's not enabled yet in our public releases due to some pending work:

The only known workaround is to contact the internal help desk and request for a token protection exception on this policy.

Related Azure CLI issue: Azure/azure-cli#31030

Metadata

Metadata

Assignees

No one assigned

    Labels

    area/authAuthentication, credentials, identitybugSomething isn't working

    Type

    Fields

    No fields configured for Bug.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions