Locked out by Conditional Access

Indicators

• 'You can't get there from here' / AADSTS53003 across multiple users
• Admins unable to access Entra portal to fix it
• Recent CA policy change preceded the incident
• Failure correlates to a specific platform, location, or app

Likely causes

• New CA policy created without exclusions for emergency access
• Policy targets 'All users' including admins, blocks 'All cloud apps'
• Required control (compliant device, MFA method) impossible for the user pool
• Conflict with another CA policy producing unexpected combined effect

Diagnostic steps

1. Use the break-glass / emergency access account — must be excluded from all CA policies, MFA-only with FIDO2 or strong passphrase, monitored separately
2. Sign in to Entra portal as break-glass admin
3. Open the offending policy → switch to Report-only mode (do not delete — preserves audit trail)
4. Verify users can sign in, then investigate via Sign-in logs → Conditional Access tab to confirm which policy blocked
5. Use 'What If' tool in Entra to model the corrected policy before re-enabling
6. Document the fix and the policy change in change log

Resolution path

• Authenticate via break-glass account
• Disable / report-only the offending policy
• Verify normal users can sign in
• Model corrected policy with What If
• Re-enable carefully with proper exclusions

Prevention

• Two break-glass accounts always — phishing-resistant MFA, separate alerts
• All CA policies tested in Report-only mode for 7 days minimum
• Mandatory exclusion group for emergency access on every CA policy
• Change-log discipline for CA policy modifications

Tools

• Entra admin centre — Conditional Access blade
• Sign-in logs (Entra ID monitoring)
• What If tool (Conditional Access)
• Microsoft Graph PowerShell — for scripted policy changes

References

• Microsoft Learn — Conditional Access break-glass / emergency access accounts
• Microsoft Learn — CA policy What If tool
• Engineer Direct guide — Microsoft 365 conditional access lockout