0xCAA20004: Conditional Access blocked sign-in
Severity: High
A Conditional Access policy in your tenant denies sign-in. Common for devices that do not meet compliance requirements.
Affected systems
Windows, macOS, iOS, Android
Symptoms
- 0xCAA20004 or 'Conditional Access' in the error text
- Sign-in fails only in Teams, other apps work
- Sign-in succeeds on a different device
Possible causes
- Device not registered in Entra/Azure AD
- Compliance status shows 'non-compliant' (e.g. encryption missing)
- New Conditional Access rule was activated
- Location or IP does not match the policy
Solutions
1. Check device registration
- Open PowerShell and check the status:
  dsregcmd /status
- Look for 'AzureAdJoined: YES' and 'DomainJoined'.
- If the device is not registered, ask IT to enroll it.
2. Check compliance status
- Open Settings, Accounts, 'Access work or school'.
- Pick your account and click 'Info'.
- Compliance issues will show an explanation with remediation steps.
3. Sign in via browser for diagnostics
- Open https://myapps.microsoft.com in a private browser window.
- The error there typically includes a correlation ID and detail.
- Forward that ID to IT so they can check the policy.
Conditional Access can only be resolved by IT. As an end user, you mostly help by checking compliance and forwarding the correlation ID.
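
The registration check from solution 1, as an added PowerShell example (not part of the original page): it parses `dsregcmd /status` output and classifies the device's join state. The sample output is constructed, the function names are hypothetical, and `WorkplaceJoined` and `AzureAdPrt` are dsregcmd fields the page does not mention.

```powershell
# Added example: turn `dsregcmd /status` text into a join-state summary.
function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # Status lines look like "   AzureAdJoined : YES"; banner lines do not match.
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    return $fields
}

function Get-JoinSummary {
    param([Parameter(Mandatory)][hashtable]$Fields)
    # A missing field compares as $false, so absent lines count as "NO".
    $aad = $Fields['AzureAdJoined'] -eq 'YES'
    $dom = $Fields['DomainJoined'] -eq 'YES'
    $wpj = $Fields['WorkplaceJoined'] -eq 'YES'

    if ($aad -and $dom) { $state = 'Entra hybrid joined' }
    elseif ($aad)       { $state = 'Entra joined' }
    elseif ($wpj)       { $state = 'Entra registered' }
    else                { $state = 'Not registered with Entra ID' }

    [pscustomobject]@{
        State         = $state
        AzureAdJoined = $aad
        DomainJoined  = $dom
        # Primary Refresh Token present for the signed-in user
        HasPrt        = ($Fields['AzureAdPrt'] -eq 'YES')
    }
}

# Constructed sample: a domain-joined PC that was never registered in Entra ID.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
           WorkplaceJoined : NO
                AzureAdPrt : NO
'@ -split '\r?\n'

Get-JoinSummary -Fields (ConvertFrom-DsregStatus -Lines $sample)

# On a real device, parse the live output instead:
# Get-JoinSummary -Fields (ConvertFrom-DsregStatus -Lines (dsregcmd /status))
```

A result of 'Not registered with Entra ID' corresponds to the case where IT needs to enroll the device.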