
How to Fix Sign-in Error Code AADSTS530032

Guest User Blocked Due to Risk in their Home Tenant

Error Message

Your account is blocked. We’ve detected suspicious activity on your account. Sorry, the organization you are trying to access restricts at risk-users.

Root Cause Analysis

This error occurs when a risky B2B guest user tries to sign in to a Microsoft 365 tenant that enforces risk-based Conditional Access policies. During the sign-in process, the user’s risk status from their home tenant is evaluated, and because the user is already flagged as risky there, the external tenant blocks the sign-in.

Error Examination

When Conditional Access identifies a user as risky and blocks their sign-in, admins can analyze the failure through the Microsoft Entra sign-in logs.

The unsuccessful attempt is recorded in both the user’s home tenant and the external tenant the user tried to access. This allows admins in both tenants to review and investigate the authentication failure.

License Requirement

Microsoft Entra ID P1 license

Role Requirement

Report Reader

How to Find Error Code 530032 Details in Microsoft 365 Sign-in Logs?

  • Open the Sign-in events page in the Microsoft Entra admin center.

  • Apply the following filters to locate sign-ins related to risky guest users in Microsoft 365:

    • Sign-in error code: 530032

    • Username: Enter the guest user’s UPN.

    • Date: By default, this filter is set to show sign-in activity for the past 24 hours. You can also customize it to the past 7 days or 1 month as needed.

    • Conditional Access: Failure

  • Review failed sign-in details for the risky guest user. You can also customize fields and apply additional filters to refine the report and display only relevant sign-in events.
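The same filters can be applied to sign-in records taken out of the portal for offline triage. The following is an added example, not part of the original guide or of any Microsoft tooling: it assumes records that use the Microsoft Graph signIn field names, and the sample records, user names, policy names, and function names are constructed for illustration.

```python
from datetime import datetime, timedelta

ERROR_CODE = 530032  # AADSTS530032: guest blocked due to risk in the home tenant

def _rec(ts, upn, code, failed_policies):
    """Build one constructed record using Microsoft Graph signIn field names."""
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "conditionalAccessStatus": "failure", "status": {"errorCode": code},
            "appliedConditionalAccessPolicies":
                [{"displayName": n, "result": "failure"} for n in failed_policies]}

# Constructed sample data (not real logs); users and policy names are made up.
SAMPLE = [
    _rec("2025-01-10T09:15:00Z", "Guest@partner.example", 530032, ["Block risky users"]),
    _rec("2025-01-10T11:40:00Z", "guest@partner.example", 530032, ["Block risky users"]),
    _rec("2025-01-10T12:00:00Z", "member@contoso.example", 53003, ["Require MFA"]),
    _rec("2025-01-02T08:00:00Z", "guest@partner.example", 530032, ["Block risky users"]),
]
# A policy that evaluated successfully must not be reported as the blocker.
SAMPLE[0]["appliedConditionalAccessPolicies"].append(
    {"displayName": "Require MFA", "result": "success"})

def parse_ts(value):
    # Accept the trailing "Z" on Python versions older than 3.11.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def find_blocked_guest_signins(records, now, upn=None, window=timedelta(hours=24)):
    """Apply the guide's filters: error code, username, date range, CA failure."""
    def match(rec):
        return ((rec.get("status") or {}).get("errorCode") == ERROR_CODE
                and rec.get("conditionalAccessStatus") == "failure"
                and (upn is None or rec["userPrincipalName"].lower() == upn.lower())
                and now - window <= parse_ts(rec["createdDateTime"]) <= now)
    return [rec for rec in records if match(rec)]

def summarize(hits):
    """Per user: attempt count, latest attempt, and the CA policies that failed."""
    out = {}
    for rec in hits:
        row = out.setdefault(rec["userPrincipalName"].lower(),
                             {"count": 0, "last": "", "policies": set()})
        row["count"] += 1
        row["last"] = max(row["last"], rec["createdDateTime"])  # same-format UTC strings
        row["policies"] |= {p["displayName"]
                            for p in rec["appliedConditionalAccessPolicies"]
                            if p.get("result") == "failure"}
    return out
```

The per-user summary shows resource tenant admins which Conditional Access policy produced the block, which is the policy to review if a misconfiguration is suspected.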

Error Code 530032 Details in Sign-in Logs

How to Fix Error Code 530032 in Microsoft 365

Solution 1 - Via Microsoft 365 Admin Center
2 min
User Administrator

Reset the User Password in the Microsoft 365 Admin Center

Admins can resolve this error by resetting the user’s password in their home tenant. This action moves the user from a risky state to a secure state.

  • Go to the Microsoft 365 admin center.

  • Then, navigate to Users » Active Users.

  • Select the affected user and choose the Reset Password option.

  • Choose the Automatically create a password option to generate a temporary password.

  • You must also select the Require this user to change their password when they first sign-in option to ensure users change their passwords.

  • Provide the temporary credentials to the user by emailing them to their personal email account.

This process helps resolve the user’s risk and returns their credentials to a secure state. Additionally, when SSPR isn’t available or the user isn’t registered for it, this method helps restore secure access.

Reset User Password in Admin Center
Tip:

If the risky user account is compromised, promptly secure the Microsoft 365 account to mitigate potential risks or unauthorized activities.

Solution 2 - Via Microsoft Entra Admin Center
2 min
Security Operator

Dismiss the User's Risk State in the Entra Admin Center

First investigate the risk, and if the user is confirmed to be legitimate, you can dismiss the risk state to resolve the issue and restore the account’s normal status. To dismiss the risk state:

  • Go to the Microsoft Entra Admin Center.

  • Navigate to ID Protection » Risky Users.

  • Select the affected user, click Dismiss user risk, and then choose Yes in the confirmation prompt.

Important:

This method doesn’t reset the existing password, so the user’s identity isn’t fully restored to a secure state. It’s recommended to contact the user, notify them of the detected risk, and advise them to change their password to strengthen account security.

Dismiss User Risk State in Entra Admin Center
Tip:

If you're the resource tenant admin and suspect a misconfiguration in your Conditional Access (CA) policies, you can investigate using the Conditional Access What If tool. This tool helps identify which CA policies affected a specific sign-in in real-time.

  • Go to the Microsoft Entra Admin Center.

  • Navigate to Entra ID » Conditional Access » Policies » What If.

  • On the What If page, select the user or service principal you want to test. You can only test one user or service principal at a time.

Points to Consider:
  • Guest users are blocked if they trigger user risk-based CA policies that require a password reset, since they can’t reset passwords in the resource tenant.

  • Guest users don’t appear in the resource tenant’s risky user reports because risk evaluation occurs in their home tenant.

  • Resource tenant admins can’t dismiss or remediate risky B2B users as they don’t have access to the guest’s home tenant.

User Troubleshooting

Steps to Troubleshoot Error 530032 for Users

If your organization has Self-Service Password Reset (SSPR) enabled, you can reset your password by following these steps:

  • Go to the Microsoft 365 Password Reset Portal.

  • Enter your User Principal Name (UPN) and complete the captcha.

  • Follow the on-screen instructions to verify your identity and set a new password.

  • Once your password has been reset, try signing in again.

Resetting the password helps resolve any risks associated with your account and allows you to regain access to the external tenant. If the issue continues after these steps, contact your administrator for further assistance.

Still Need Help?

We’re here to help! If these solutions don’t resolve your issue, share your concerns in the discussion forum, and we’ll assist to the best of our ability. However, if none of the solutions work, you may need to contact Microsoft Support for further assistance.
