Sending emails

The customer is hosted by us and is on GP 18.5. We logged into Azure and got GP registered with MSGraph. We went to log into GP and got the Modern Authentication screen, logged in, got the MFA notice, and everything was going well; then this error popped up:

[screenshot not included in this copy of the page]

Clicked "More details" and got this, then clicked OK and got this error:

[screenshot not included in this copy of the page]

Then we checked this in the Azure portal:

[screenshot not included in this copy of the page]

The tenant does not allow unregistered devices to communicate with it. The second image has two pages: the first page shows the IP trying to access their email resources, and the second page shows the error stating that unregistered devices are not allowed to communicate due to Conditional Access policies. Their Azure team needs to get involved and either make those changes or come up with another solution. We will not be allowing our devices to register with their tenant in Azure. Steve is going to have that conversation with them. If he needs me to get on a call, I can do so. But this isn't an issue we can solve for them.

This was their response:

"Guess there's no way to bind it to using one service type email account? If so, I could put that in the exception group, but I will not put all of the users as an exception.

If not, I will need to see if we can get the IP as an exception, but I'll need to discuss with our MSSP since I'm not sure how."

We did give them the IP address and they sent me this:

"Guess there's no way to bind it to using one service type email account?"

Does anyone have any suggestions on how to get their email to work? I did update the MSGraph table with the ID.

Suggested answer (DAnny3211):

Hi,

From the screenshots and sign-in logs:

• Error code 53000 and the banner "You can't get there from here… only from devices or client apps that meet compliance policy" indicate a Conditional Access policy that requires a compliant or joined device. Your logs also show Device state: Unregistered and the status Failure, which is exactly how CA reports when a device doesn't meet the "Require device to be marked as compliant" control. [1][2]

In other words, GP is authenticating to Microsoft Graph successfully (you pass MFA), but access is blocked by the customer's Conditional Access rules, not by GP or the Graph registration.

What you can do (practical options)

These are all changes the customer's Entra ID / Intune security team must make on their tenant; the blocking policy lives there.

Option 1 — Allow a dedicated account or app while keeping security controls

• Create a dedicated service account (or group) for GP's email integration and exclude it only from the "Require compliant device" control in the relevant CA policy. Keep MFA and add Named locations (restrict to your public IPs) to maintain a strong posture. Microsoft's guidance explicitly calls out excluding service accounts from device-compliance CA policies and using CA for workload identities where appropriate. [3]

• Alternatively (or additionally), scope the CA policy so it excludes the GP app registration / service principal used for Graph, then compensate with IP/location and auth-strength requirements. (Calls made by service principals aren't affected by user-scoped policies; use CA for workload identities if you need controls on the app itself.) [3]

How (high level):

Entra ID ▸ Security ▸ Conditional Access ▸ Policies ▸ [policy that requires compliant device] ▸ Assignments ▸ Users and groups ▸ Exclude (add the dedicated service account or group). Test in Report-only first. [3]

Option 2 — Adjust the policy logic instead of broad exclusions

• If the business accepts it, change the grant controls to a transitional stance such as "Require MFA OR (compliant device / hybrid-joined device)" for this scenario, or filter by device condition so only specific, registered devices must be compliant. Microsoft documents common patterns where organizations allow MFA as an alternative while they onboard devices to Intune/Hybrid Join. [3][4]

Option 3 — Make the GP workstation/server compliant

• Register/join the GP machine to Entra ID and enroll it in Intune so it reports compliant status, which will satisfy the policy as written. Microsoft's description for 53000 is explicit: "Conditional Access policy requires a compliant device… The user must enroll their device with an approved MDM provider like Intune." [1][5]

• This is usually the cleanest approach if the customer's policy is "no personal / non-managed devices".

Why the "single service email account" idea came up

Binding GP to a single account lets the customer exclude only that identity (or the GP app) instead of every user. That's a common, least-privilege compromise when a tenant doesn't permit registering third-party-hosted devices. Microsoft's CA guidance specifically recommends excluding service accounts from user-scoped policies and managing apps with workload-identity CA if needed. [3]

What to share with the customer's security team

Observed: Sign-in error 53000; device state Unregistered; CA requires "Require device to be marked as compliant."

Ask (choose one):

1) Exclude [service account or security group] (or the GP app registration) from the "Require compliant device" control; keep MFA and restrict by Named locations (our static public IPs). [3]

2) Change the grant control to allow MFA as an alternative to device compliance for this scenario, or apply a device filter that doesn't block GP's host. [3][4]

3) Permit our GP host to be Entra-joined and Intune-enrolled so it becomes compliant. The error 53000 description confirms this resolves the block. [1]

Testing tip: Put the modified policy in Report-only first, validate in Sign-in logs, then enable. [3]

If this addresses the problem, please mark the reply so others can find it.

Thanks and best regards,

Daniele

Note: This response was prepared with support from Copilot to ensure clarity and completeness.


    References
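
The answer above covers two things the customer's Entra team will actually do: read the sign-in log to confirm that the 53000 is a Conditional Access device-compliance block (not a GP or Graph-registration problem), and then scope Option 1 narrowly (exclude one group from the compliant-device policy, and compensate with a named location and MFA in report-only mode). The following is an added example of both steps, not code from the thread or from Microsoft. It works on the JSON shapes of the Microsoft Graph `signIn`, `conditionalAccessPolicy` and `ipNamedLocation` resources and produces request bodies for the `/identity/conditionalAccess/...` endpoints; the sample sign-in records, IP addresses, group and policy IDs are constructed placeholders. Because the GP sign-in here is an interactive user sign-in (the poster passed MFA), it is the user assignment of the policy that needs the exclusion, which is why the patch targets `conditions.users`.

```python
"""Added example: triage the 53000 block in Entra sign-in logs and build the
narrowly scoped Conditional Access change. Record shapes follow the Microsoft
Graph signIn / conditionalAccessPolicy / ipNamedLocation resources; all sample
values (users, IPs, IDs) are constructed for illustration."""
import copy

DEVICE_COMPLIANCE_ERROR = 53000  # AADSTS53000: CA requires a compliant device

# Constructed sample of /auditLogs/signIns records (not the poster's data).
SAMPLE_SIGNINS = [
    {   # the GP sign-in: MFA passed, then the device grant control failed
        "userPrincipalName": "gp-mail@customer.example",
        "appDisplayName": "Microsoft Dynamics GP", "ipAddress": "203.0.113.10",
        "status": {"errorCode": 53000,
                   "failureReason": "Conditional Access policy requires a compliant device."},
        "deviceDetail": {"isCompliant": False, "isManaged": False, "trustType": ""},
        "conditionalAccessStatus": "failure",
        "appliedConditionalAccessPolicies": [
            {"id": "11111111-1111-1111-1111-111111111111",
             "displayName": "Require compliant device",
             "enforcedGrantControls": ["RequireCompliantDevice"], "result": "failure"}],
    },
    {   # an employee on a managed laptop: same policy, satisfied
        "userPrincipalName": "alice@customer.example",
        "appDisplayName": "Outlook", "ipAddress": "198.51.100.7",
        "status": {"errorCode": 0, "failureReason": "Other."},
        "deviceDetail": {"isCompliant": True, "isManaged": True, "trustType": "Azure AD joined"},
        "conditionalAccessStatus": "success",
        "appliedConditionalAccessPolicies": [
            {"id": "11111111-1111-1111-1111-111111111111",
             "displayName": "Require compliant device",
             "enforcedGrantControls": ["RequireCompliantDevice"], "result": "success"}],
    },
    {   # a bad-password failure from the same host: not a CA block, must not match
        "userPrincipalName": "gp-mail@customer.example",
        "appDisplayName": "Microsoft Dynamics GP", "ipAddress": "203.0.113.10",
        "status": {"errorCode": 50126, "failureReason": "Invalid username or password."},
        "deviceDetail": {"isCompliant": False, "isManaged": False, "trustType": ""},
        "conditionalAccessStatus": "notApplied",
        "appliedConditionalAccessPolicies": [],
    },
]


def find_device_blocks(signins):
    """One summary per sign-in that CA blocked for lack of a compliant device.

    Requires both the 53000 error and conditionalAccessStatus == 'failure', and
    names the policy whose grant control failed so the tenant owner knows which
    policy to scope. An empty trustType is what the portal shows as Unregistered.
    """
    blocks = []
    for rec in signins:
        if rec.get("status", {}).get("errorCode") != DEVICE_COMPLIANCE_ERROR:
            continue
        if rec.get("conditionalAccessStatus") != "failure":
            continue
        device = rec.get("deviceDetail", {})
        failed = [p for p in rec.get("appliedConditionalAccessPolicies", [])
                  if p.get("result") == "failure"]
        blocks.append({
            "user": rec["userPrincipalName"], "app": rec.get("appDisplayName"),
            "ip": rec.get("ipAddress"),
            "device_state": device.get("trustType") or "Unregistered",
            "compliant": bool(device.get("isCompliant")),
            "blocking_policies": [p["displayName"] for p in failed],
            "blocking_policy_ids": [p["id"] for p in failed],
        })
    return blocks


def exclusion_patch(policy, group_id):
    """Body for PATCH /identity/conditionalAccess/policies/{id}: add one group to
    the user exclusions. The whole 'users' object is sent back with its existing
    include/exclude lists intact, so nothing else in the assignment is dropped."""
    users = copy.deepcopy(policy["conditions"]["users"])
    excluded = users.setdefault("excludeGroups", [])
    if group_id not in excluded:
        excluded.append(group_id)
    return {"conditions": {"users": users}}


def hosting_ip_location(name, cidrs):
    """Body for POST /identity/conditionalAccess/namedLocations (IPv4 ranges);
    isTrusted stays False so the location never suppresses MFA elsewhere."""
    return {"@odata.type": "#microsoft.graph.ipNamedLocation", "displayName": name,
            "isTrusted": False,
            "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange",
                          "cidrAddress": c} for c in cidrs]}


def compensating_policies(group_id, location_id, app_ids=("All",)):
    """Bodies for POST /identity/conditionalAccess/policies that fence in the
    excluded group: block everywhere except the hosting IPs, and require MFA.
    A single CA policy cannot both block and require MFA, hence two. Both are
    created report-only so they can be validated in the sign-in logs first."""
    common = {"state": "enabledForReportingButNotEnforced",
              "conditions": {"users": {"includeGroups": [group_id]},
                             "applications": {"includeApplications": list(app_ids)},
                             "clientAppTypes": ["all"]}}
    block_elsewhere = copy.deepcopy(common)
    block_elsewhere["displayName"] = "GP service account: block outside hosting IPs"
    block_elsewhere["conditions"]["locations"] = {"includeLocations": ["All"],
                                                  "excludeLocations": [location_id]}
    block_elsewhere["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}
    require_mfa = copy.deepcopy(common)
    require_mfa["displayName"] = "GP service account: require MFA"
    require_mfa["grantControls"] = {"operator": "OR", "builtInControls": ["mfa"]}
    return [block_elsewhere, require_mfa]


if __name__ == "__main__":
    import json
    blocks = find_device_blocks(SAMPLE_SIGNINS)
    print(json.dumps(blocks, indent=2))
    # Placeholder IDs: the existing policy as read from Graph, the GP group, the new location.
    existing = {"id": blocks[0]["blocking_policy_ids"][0],
                "conditions": {"users": {"includeUsers": ["All"],
                                         "excludeGroups": ["<break-glass-group-id>"]}}}
    print(json.dumps(exclusion_patch(existing, "<gp-service-group-id>"), indent=2))
    print(json.dumps(hosting_ip_location("GP hosting egress", ["203.0.113.10/32"]), indent=2))
    print(json.dumps(compensating_policies("<gp-service-group-id>", "<named-location-id>"), indent=2))
```

The bodies are what an admin would send with Graph PowerShell (`New-MgIdentityConditionalAccessNamedLocation`, `Update-MgIdentityConditionalAccessPolicy`, `New-MgIdentityConditionalAccessPolicy`, each with `-BodyParameter`) or plain REST after `Connect-MgGraph` with `Policy.ReadWrite.ConditionalAccess`; the exclusion is fetched-then-patched rather than hand-typed so that an existing break-glass exclusion is never overwritten.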
