Outlook users see a sign-in failure with the message “You cannot access this resource” or “Connection to Microsoft Exchange was lost.” The root cause is often a Conditional Access policy in Microsoft Entra ID (formerly Azure Active Directory) that blocks the specific authentication request. This article explains how to identify which policy is blocking the sign-in, how to review the sign-in logs in the Microsoft Entra admin center, and how to test individual policies to find the exact rule causing the block.
Conditional Access policies evaluate sign-in requests based on conditions like device compliance, location, and app type. When Outlook fails to authenticate, the error message rarely names the policy. You must use the Entra sign-in logs and the What If tool to trace the block to a specific policy. This guide covers both methods so you can resolve the issue without disabling all security policies.
You will learn how to access the sign-in logs, filter for failed Outlook sign-ins, and interpret the Conditional Access policy details. You will also see how to use the What If tool to simulate the Outlook sign-in and see exactly which policies apply and which ones deny access. Finally, the article covers common configuration mistakes that trigger blocks even when the policy seems correct.