Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

Question

Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

Adriaan Kruger 0

Installed Apps4.Pro for Migration and the Microsoft-managed CA policy "Block device code flow" is blocking my connection to our tenant.

When I search for Microsoft Azure CLI i see a lot of attempts to use this.

What is the best practice to not have this blocked

Sridevi Machavarapu 27,315 Reputation points Microsoft External Staff Moderator

2026-04-08T17:15:10.7633333+00:00
Hello Adriaan Kruger,

The behavior you’re seeing is expected.

Apps4.Pro is signing in using device code flow, and your tenant has the Microsoft-managed policy “Block device code flow” enabled. That’s why token issuance is blocked. The Microsoft Azure CLI entries you see in sign-in logs are part of the same process.

Instead of turning off the policy, allow only what’s needed:

Create a separate account just for the migration

Exclude only this account from the Block device code flow policy

Give it only the required permissions

If you can identify the enterprise app used by Apps4.Pro, you can exclude that app instead of the user.

If the tool supports browser-based login or app-based authentication, use that instead, as it won’t be blocked.

After the migration, remove the exclusion.

This isn’t a failure, it’s the policy working as intended. The fix is to allow access in a controlled way, not disable the policy.
Sridevi Machavarapu 27,315 Reputation points Microsoft External Staff Moderator

2026-04-09T21:50:52.2233333+00:00

Hello Adriaan Kruger,

Any update on this? Please confirm if you still have further questions.

1 answer

Your answer

Sridevi Machavarapu 27,315 Reputation points Microsoft External Staff Moderator

2026-04-08T17:15:10.7633333+00:00

Hello Adriaan Kruger,

The behavior you’re seeing is expected.

Apps4.Pro is signing in using device code flow, and your tenant has the Microsoft-managed policy “Block device code flow” enabled. That’s why token issuance is blocked. The Microsoft Azure CLI entries you see in sign-in logs are part of the same process.

Instead of turning off the policy, allow only what’s needed:

Create a separate account just for the migration

Exclude only this account from the Block device code flow policy

Give it only the required permissions

If you can identify the enterprise app used by Apps4.Pro, you can exclude that app instead of the user.

If the tool supports browser-based login or app-based authentication, use that instead, as it won’t be blocked.

After the migration, remove the exclusion.

This isn’t a failure, it’s the policy working as intended. The fix is to allow access in a controlled way, not disable the policy.
Sridevi Machavarapu 27,315 Reputation points Microsoft External Staff Moderator

2026-04-09T21:50:52.2233333+00:00

Hello Adriaan Kruger,

Any update on this? Please confirm if you still have further questions.

Answer 1

Yutaka_K_JP 1,655

I think the block comes from the MS‑managed CA rule cuttin the device‑code flow at the token‑gate, so just add a tiny exclde for that mig usr/app in Entra → CA. If it still fails, peek the sign‑in logs once… it shows exactly where CA drops it.

0 comments

Share via

Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

1 answer

Your answer