Why Conditional Access Blocks SharePoint Admin Center

You try to open the SharePoint admin center but get blocked by a sign-in error. The page shows a message about a policy that prevents access. This happens because a Conditional Access policy in Microsoft Entra ID (formerly Azure AD) applies to SharePoint but does not include the admin center as an allowed app. This article explains why SharePoint admin center access is blocked by Conditional Access and how to fix it.

Key Takeaways: Troubleshooting Conditional Access Blocking SharePoint Admin Center

  • Microsoft Entra admin center > Conditional Access > Policies: Lists all policies that can block SharePoint admin center access
  • Cloud apps or actions > Include > Select apps > Office 365 SharePoint Online: The app that must be allowed for admin center access
  • Session > Sign-in frequency: Controls how often admins must reauthenticate, which can cause unexpected blocks

Why Conditional Access Policies Block the SharePoint Admin Center

Conditional Access is a feature in Microsoft Entra ID that controls how users access cloud apps. A policy can block or allow access based on conditions like user location, device compliance, or sign-in risk. When a policy targets the Office 365 SharePoint Online app, it applies to both SharePoint sites and the SharePoint admin center. If the policy does not explicitly allow the admin center or if it requires a condition the admin does not meet, access is blocked.

The root cause is that the Office 365 SharePoint Online app includes the SharePoint admin center as a service endpoint, so the policy you created for end users also applies to admins. Common conditions that cause blocks include requiring a compliant device, restricting access to a specific IP range, or requiring multi-factor authentication when the admin has not registered for it. Another common cause is an admin assuming the admin center has been excluded: because it has no app entry of its own, it inherits whatever policy targets the parent app.

How Conditional Access Applies to SharePoint Admin Center

When you create a Conditional Access policy, you select the cloud app or action. For SharePoint, you choose Office 365 SharePoint Online. This selection covers all SharePoint endpoints including the admin center, SharePoint sites, and OneDrive for Business. There is no separate app entry for the admin center in the list of cloud apps. This means any policy that targets SharePoint also targets the admin center.

Common Conditions That Block Access

These conditions frequently cause blocks for admins:

  • Device compliance: Requires the device to be enrolled in Intune and marked as compliant. Admin personal devices often fail this check.
  • Location: Restricts access to trusted IP ranges. Admins working from home or on the road are blocked.
  • Sign-in risk: Blocks access if the sign-in is detected as risky. False positives can block legitimate admins.
  • Grant controls: Requires multi-factor authentication, password change, or app protection policy. Missing any requirement blocks access.

Steps to Identify and Fix the Blocking Policy

Follow these steps to find which Conditional Access policy is blocking the SharePoint admin center and adjust it.

  1. Sign in to the Microsoft Entra admin center
    Go to https://entra.microsoft.com and sign in with a Global Administrator or Security Administrator account. If you are blocked, use a different browser or a private window and sign in with a break-glass account that is excluded from all policies.
  2. Open Conditional Access policies
    In the left navigation, select Protection > Conditional Access > Policies. A list of all policies appears. Look for policies that have the state set to On or Report-only.
  3. Find the policy that blocks SharePoint
    Click each policy and check Cloud apps or actions. If the Include list contains Office 365 SharePoint Online, this policy applies to the SharePoint admin center. Note the conditions and grant controls.
  4. Check the Exclude tab
    In the same policy, open the Exclude tab under Assignments > Users and groups. If your admin account, or a group containing your admin account, is listed there, the policy should not block you; if not, the policy applies to you.
  5. Adjust the policy to exclude admins
    Under Exclude > Users and groups, add a group that contains your SharePoint administrators. Use a dedicated group that holds only the admin accounts. Do not add users individually unless you have very few admins.
  6. Test the change
    Select What If at the top of the Policies page. Enter your admin account, select Office 365 SharePoint Online as the cloud app, and run the evaluation. The tool shows which policies apply and whether access is granted or blocked. If the evaluation shows access allowed, sign out and sign back in to the SharePoint admin center.

Alternative: Create a Separate Policy for Admin Center Access

If you cannot exclude admins from the existing policy, create a new policy that allows access for admins only.

  1. Create a new policy
    In the Conditional Access > Policies page, select New policy.
  2. Assign users
    Under Assignments > Users, select Include > Select users and groups. Add the admin group. Under Exclude, add the emergency access accounts.
  3. Select cloud app
    Under Cloud apps or actions > Include > Select apps, choose Office 365 SharePoint Online. There is no way to scope the policy to the admin center alone (excluding Office 365 SharePoint Online again would only cancel the include), so leave the cloud app as Office 365 SharePoint Online and use the grant controls to require only what is necessary for admins, such as multi-factor authentication.
  4. Set grant controls
    Under Grant, select Grant access. Check Require multi-factor authentication and Require device to be marked as compliant if needed. For admins, requiring multi-factor authentication is a good practice.
  5. Enable session controls
    Under Session, set Sign-in frequency to every 1 hour to force reauthentication. This reduces the risk of session hijacking.
  6. Enable policy and test
    Set Enable policy to Report-only. Test the policy with the What If tool. If it works, set Enable policy to On.
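An offline model of what the What If evaluation in step 6 of both procedures above checks, as an added example that is neither Microsoft's tool nor the article's own code. It assumes the Microsoft Graph conditionalAccessPolicy shape, an app id for Office 365 SharePoint Online, and constructed policy, group and account names.

```python
"""Offline approximation of the What If check used in both procedures above. Added example
for this article, not Microsoft's tool; policies are constructed dictionaries shaped after
the Microsoft Graph conditionalAccessPolicy resource."""
from collections import namedtuple
SPO_APP = "00000003-0000-0ff1-ce00-000000000000"  # assumed app id of Office 365 SharePoint Online
# One sign-in attempt: who, which groups they are in, which app, and which controls they satisfy.
SignIn = namedtuple("SignIn", "user_id groups app_id mfa_done device_compliant",
                    defaults=(SPO_APP, False, False))

def policy_applies(policy, s):
    """Steps 3 and 4: enforced, app included, user included and not excluded."""
    if policy["state"] != "enabled":  # report-only policies never block
        return False
    apps = policy["conditions"]["applications"]["includeApplications"]
    if "All" not in apps and s.app_id not in apps:
        return False
    u = policy["conditions"]["users"]
    if s.user_id in u.get("excludeUsers", []) or s.groups & set(u.get("excludeGroups", [])):
        return False
    return ("All" in u.get("includeUsers", []) or s.user_id in u.get("includeUsers", [])
            or bool(s.groups & set(u.get("includeGroups", []))))

def evaluate(policies, s):
    """Return (allowed, names of applicable policies whose grant controls s does not meet)."""
    met = {"mfa": s.mfa_done, "compliantDevice": s.device_compliant, "block": False}
    blockers = []
    for p in (q for q in policies if policy_applies(q, s)):
        g = p["grantControls"]
        results = [met.get(c, False) for c in g["builtInControls"]]
        if not (any(results) if g.get("operator") == "OR" else all(results)):
            blockers.append(p["displayName"])
    return (not blockers, blockers)

ADMINS = "grp-spo-admins"  # constructed group name
USER_POLICY = {"displayName": "Require compliant device for SharePoint", "state": "enabled",
    "conditions": {"applications": {"includeApplications": [SPO_APP]},
                   "users": {"includeUsers": ["All"], "excludeGroups": []}},
    "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"]}}
FIXED_POLICY = {**USER_POLICY, "conditions": {**USER_POLICY["conditions"],  # step 5: exclude admins
    "users": {"includeUsers": ["All"], "excludeGroups": [ADMINS]}}}
# The separate admin policy from the second procedure: MFA plus a 1-hour sign-in frequency.
ADMIN_POLICY = {"displayName": "SharePoint admins: MFA", "state": "enabled",
    "conditions": {"applications": {"includeApplications": [SPO_APP]},
                   "users": {"includeGroups": [ADMINS], "excludeUsers": ["breakglass-1"]}},
    "grantControls": {"operator": "AND", "builtInControls": ["mfa"]},
    "sessionControls": {"signInFrequency": {"value": 1, "type": "hours", "isEnabled": True}}}
ALICE = SignIn("alice@contoso.example", {ADMINS}, mfa_done=True)  # admin on a personal laptop

if __name__ == "__main__":
    print(evaluate([USER_POLICY, ADMIN_POLICY], ALICE), evaluate([FIXED_POLICY, ADMIN_POLICY], ALICE))
```

The first evaluation is blocked by the end-user device policy; after the admin group is excluded only the admin MFA policy applies, and the MFA-registered admin is allowed.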

If the SharePoint Admin Center Still Blocks Access

After adjusting Conditional Access, you might still face blocks. These related issues often cause persistent problems.

SharePoint Admin Center Shows Access Denied Even After Policy Change

The most common cause is that the policy change has not propagated. Conditional Access policies can take up to 30 minutes to apply. Wait 30 minutes and try again. Also clear your browser cache or use an InPrivate window. If the issue persists, check the Sign-in logs in Microsoft Entra admin center under Monitoring > Sign-in logs. Find the failed sign-in and look for the Conditional Access policy that blocked it.
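A small triage routine for the sign-in log check described above, as an added example that is not a Microsoft tool or the article's own code. It assumes the records have been exported from Monitoring > Sign-in logs as JSON and parsed into dictionaries shaped after the Microsoft Graph signIn resource; the records, account and policy names are constructed.

```python
"""Find the Conditional Access policy that blocked a SharePoint admin center sign-in from
exported sign-in log records. Added example for this article, not a Microsoft tool; the
records are constructed and shaped after the Microsoft Graph signIn resource."""

SAMPLE_RECORDS = [  # constructed records: one blocked attempt, then a later success
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-05-01T09:12:00Z",
     "resourceDisplayName": "Office 365 SharePoint Online", "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require compliant device for SharePoint", "result": "failure",
          "enforcedGrantControls": ["RequireCompliantDevice"]},
         {"displayName": "MFA for all users", "result": "success", "enforcedGrantControls": ["Mfa"]},
         {"displayName": "Block legacy auth", "result": "notApplied", "enforcedGrantControls": ["Block"]}]},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-05-01T09:50:00Z",
     "resourceDisplayName": "Office 365 SharePoint Online", "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": "MFA for all users", "result": "success", "enforcedGrantControls": ["Mfa"]}]},
]

def blocking_policies(records, upn, resource="Office 365 SharePoint Online"):
    """Map each policy that failed a Conditional Access evaluation of `upn` against
    `resource` to the grant controls it enforced, most recent failure first."""
    found = {}
    for r in sorted(records, key=lambda r: r["createdDateTime"], reverse=True):
        if r["userPrincipalName"] != upn or r["resourceDisplayName"] != resource:
            continue
        if r["conditionalAccessStatus"] != "failure":  # succeeded, or no policy applied
            continue
        for p in r["appliedConditionalAccessPolicies"]:
            if p["result"] == "failure":  # the policy whose grant controls were not met
                found.setdefault(p["displayName"], set()).update(p["enforcedGrantControls"])
    return found

if __name__ == "__main__":
    for name, controls in blocking_policies(SAMPLE_RECORDS, "alice@contoso.example").items():
        print(f"{name}: unmet {sorted(controls)}")
```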

SharePoint Admin Center Requires Device Enrollment but Device Is Already Enrolled

The device might be enrolled but not compliant. In Intune, go to Devices > All devices. Find your device and check the Compliance status. If it shows Noncompliant, click the device and review the compliance policies. Common reasons for noncompliance include missing antivirus, outdated OS, or encryption not enabled. Fix the compliance issue in Intune or exclude the device from the Conditional Access policy.

SharePoint Admin Center Blocked for Guest Admins

Guest users who are SharePoint admins often face blocks because Conditional Access policies apply to guest users by default. In the policy, under Assignments > Users > Include, select All guest and external users. Under Exclude, add the guest admin accounts. Alternatively, create a separate policy for guest admins with relaxed conditions.

Conditional Access Policy Types and Their Effect on SharePoint Admin Center

Each policy type, its effect on admin center access, and the recommended fix:

  • Require compliant device: blocks access if the device is not Intune-compliant. Fix: enroll the device in Intune or exclude the admin group.
  • Require multi-factor authentication: blocks access if MFA is not configured. Fix: set up MFA for the admin accounts or exclude the admin group.
  • Block access from untrusted locations: blocks access if the IP address is not in the allowed range. Fix: add the admin's home IP to trusted locations or exclude the admin group.
  • Sign-in risk policy: blocks access if the sign-in is flagged as risky. Fix: use What If to check the risk level or exclude the admin group.

Conditional Access is a powerful security tool but it can block legitimate admin access if not configured correctly. By identifying the specific policy that targets Office 365 SharePoint Online and adjusting the exclude list to include your admin group, you regain access to the SharePoint admin center. Use the What If tool to test changes before enabling them. For ongoing management, consider creating a separate Conditional Access policy for administrators with appropriate grant controls.