How to integrate Microsoft AD with platform configurations between Mobile and desktop applications and Web

apisit nowarat 0 Reputation points
2025-10-24T09:26:09.1666667+00:00

I am trying to integrate a login system with Azure AD using Node.js for both the frontend and the backend.

Frontend: Next.js
Backend: Node.js

Flow implemented:

Frontend: requests getAuthCodeUrl from the backend.
Backend: uses the @azure/msal-node package to call the getAuthCodeUrl function and returns the login URL to the frontend.

Frontend: opens the login URL and shows the dialog.

AD: redirects to the frontend with the authorization code.

Frontend: sends the authorization code to the backend.

Backend: uses the authorization code to exchange for (issue) an access token with the @azure/msal-node function acquireTokenByCode.

But I get an error response from the acquireTokenByCode function like this:

InteractionRequiredAuthError: invalid_grant: AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

How do I solve this error?

  • Would changing the platform from Mobile and desktop applications to Web solve this error, because the backend cannot use the authorization code to exchange for an access token?

1 answer

  1. Chen Tran 3,205 Reputation points Independent Advisor
    2025-10-24T10:32:51.5733333+00:00

    Hello Apisit,

    Thank you for posting question on Microsoft Windows Forum.

    Based on the provided error message "AADSTS53003: Access has been blocked by Conditional Access policies.", this is probably due to a restriction enforced by Conditional Access (CA) policies in your Azure AD tenant. This occurs when the user or app does not meet the Conditional Access requirements set by your Azure AD/Entra ID administrator.

    The following are a few suggestions worth considering.

    1. Check the Sign-In Logs.

    • In the tenant go to Microsoft Entra / Azure AD → Monitoring & health → Sign-in logs.
    • Find the failed sign-in for the user/app and open its Conditional Access tab.
    • It shows the exact policy name and which condition/grant failed (e.g. device compliance, client app type, location, custom control). This might show you why token issuance was blocked.

    2. Contact your Azure AD administrator.

    • Provide them with the timestamp and correlation ID of the failed sign-in attempt (these are usually available in the full error response or in the Azure AD Sign-in Logs) so they can review the Conditional Access policies that are being triggered.

    3. Ensure the Application is Registered Correctly.

    • Verify that your Redirect URI in the Azure AD Application Registration matches the URI where your Next.js frontend is receiving the authorization code, and that it is correctly configured as a Web platform type in the portal. Even if your initial flow uses an app platform, the token exchange usually relies on the registered Web redirect URI.

    You can refer to the following useful articles for more information regarding the issue.

    Hope the above information is helpful!

