VS403463: The conditional access policy defined by your Microsoft Entra administrator has failed. Azure DevOps returns this error when the PAT request is blocked outright by a Conditional Access policy configured in the Microsoft Entra tenant that your Azure DevOps organization is connected to.
This is an Entra configuration issue and has to be resolved by an administrator of that tenant. Here's what to check, in order.
Start with the sign-in log; it is the fastest way to pinpoint the failing policy:
Microsoft Entra admin center > Monitoring > Sign-in logs > Non-interactive sign-ins
Filter by:
User: the PAT owner's email
Application: "Azure DevOps"
Time: around the time of the failed request
The log entry will show:
Conditional Access tab: exactly which policy failed and why
Location tab: what IP/location Entra saw for the request
Device info tab: what device information was (or wasn't) provided
The "Conditional Access" tab lists each policy with a status of Success, Failure, or Not applied; the one with Failure is your culprit. A policy running in report-only mode shows a "Report-only" status instead and does not block anything, so ignore those.
Next, the tenant admin needs to review the policies themselves:
Microsoft Entra admin center > Protection > Conditional Access > Policies
Look for any policy that:
Targets "Azure DevOps" as a cloud app (under Assignments > Target resources)
Has conditions or controls a PAT can't satisfy: MFA, a compliant device, a Microsoft Entra hybrid joined device (formerly Hybrid Azure AD joined), etc.
Has Grant set to "Block access" or "Require multifactor authentication"
Then check the Azure DevOps side. Go to Azure DevOps > Organization Settings > Security > Policies and look for:
"Enable IP Conditional Access policy validation on non-interactive flows"
If this is enabled, IP-based Conditional Access policies (named locations) are also enforced on non-interactive flows, which includes every PAT API call. The public IP of the server making the request, in this case the GitClear server, must therefore be covered by a trusted named location in Entra. Important: this only applies to PATs created after the setting was enabled.
Contact us at support@gitclear.com and we will send you the list of IPs to allow.
| Root cause | Fix |
| --- | --- |
| IP not in named locations | Add the server's public IP as a trusted named location (Entra admin center > Protection > Conditional Access > Named locations) and make sure the policy excludes trusted locations, or targets only untrusted ones |
| MFA required | PATs cannot satisfy MFA. Either exclude the service account (or the Azure DevOps app) from the MFA policy, or switch to an OAuth/Entra service principal |
| Device compliance required | PATs carry no device context. Exclude the service account (or Azure DevOps) from the device-compliance policy so non-interactive flows are not caught by it |
| Sign-in frequency policy | The PAT was created before the policy took effect; revoke it and create a new one |
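As an added example (not GitClear's code and not part of the original page), the script below automates the two checks above: it reads a sign-in log export, keeps only the non-interactive "Azure DevOps" entries for the PAT owner, picks out the policies whose result is "failure", tests the request IP against the tenant's trusted named-location ranges, and maps each failed policy onto a row of the root-cause table. It assumes the export has the shape of the Microsoft Graph signIn resource (fields such as appliedConditionalAccessPolicies, enforcedGrantControls, isInteractive, ipAddress); the sample entry, the policy names, the grant-control strings and the trusted range are all constructed for illustration.

```python
import ipaddress
import json

# Constructed sample export: one non-interactive sign-in in the shape of the
# Microsoft Graph "signIn" resource. Every value (user, IP, policy names,
# control strings) is made up for this example.
SAMPLE_SIGNIN_EXPORT = json.dumps([
    {
        "id": "00000000-0000-0000-0000-000000000001",
        "userPrincipalName": "svc-gitclear@contoso.example",
        "appDisplayName": "Azure DevOps",
        "isInteractive": False,
        "ipAddress": "203.0.113.45",
        "conditionalAccessStatus": "failure",
        "status": {"errorCode": 53003, "failureReason": "Blocked by Conditional Access"},
        "appliedConditionalAccessPolicies": [
            {"id": "p1", "displayName": "Require MFA for all users",
             "enforcedGrantControls": ["Mfa"], "enforcedSessionControls": [],
             "result": "failure"},
            {"id": "p2", "displayName": "Block outside corporate network",
             "enforcedGrantControls": ["Block"], "enforcedSessionControls": [],
             "result": "failure"},
            {"id": "p3", "displayName": "Require compliant device for Office",
             "enforcedGrantControls": ["CompliantDevice"], "enforcedSessionControls": [],
             "result": "notApplied"},
        ],
    }
])

# Constructed: the tenant's trusted named-location ranges, as an admin would
# copy them from Protection > Conditional Access > Named locations.
TRUSTED_RANGES = ["198.51.100.0/24"]


def ip_in_named_locations(ip, ranges):
    """True if the request IP falls inside any of the given CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def classify_policy(policy, request_ip, trusted_ranges):
    """Map a failed policy's enforced controls to a root cause and a fix.

    Matching is case-insensitive substring matching on the control names
    (assumed values such as "Mfa", "Block", "CompliantDevice",
    "SignInFrequency") so small naming differences in an export don't matter.
    """
    grants = [g.lower() for g in policy.get("enforcedGrantControls", [])]
    sessions = [s.lower() for s in policy.get("enforcedSessionControls", [])]
    if any("block" in g for g in grants):
        if not ip_in_named_locations(request_ip, trusted_ranges):
            return ("IP not in named locations",
                    f"Add {request_ip} to a trusted named location and have the policy exclude trusted locations")
        return ("Blocked by policy",
                "Exclude the PAT owner's account or Azure DevOps from the block policy")
    if any("mfa" in g for g in grants):
        return ("MFA required",
                "PATs cannot satisfy MFA: exclude the service account from the policy or use an Entra service principal")
    if any(k in g for g in grants for k in ("compliant", "domainjoined", "hybrid")):
        return ("Device compliance required",
                "PATs carry no device context: exclude the service account or Azure DevOps from the device policy")
    if any("frequency" in s for s in sessions):
        return ("Sign-in frequency policy",
                "Revoke the PAT and create a new one now that the policy is in effect")
    return ("Unrecognised control", "Inspect the policy in the Entra admin center")


def diagnose_export(export_json, trusted_ranges, user=None, app="Azure DevOps"):
    """Return one finding per failed policy on matching non-interactive sign-ins."""
    findings = []
    for entry in json.loads(export_json):
        if entry.get("isInteractive", True):
            continue  # PAT calls surface as non-interactive sign-ins
        if entry.get("appDisplayName") != app:
            continue
        if user and entry.get("userPrincipalName", "").lower() != user.lower():
            continue
        request_ip = entry.get("ipAddress", "0.0.0.0")
        for policy in entry.get("appliedConditionalAccessPolicies", []):
            if policy.get("result") != "failure":
                continue  # "notApplied" and report-only results do not block
            cause, fix = classify_policy(policy, request_ip, trusted_ranges)
            findings.append({"signin": entry["id"], "policy": policy["displayName"],
                             "root_cause": cause, "fix": fix})
    return findings


if __name__ == "__main__":
    for f in diagnose_export(SAMPLE_SIGNIN_EXPORT, TRUSTED_RANGES,
                             user="svc-gitclear@contoso.example"):
        print(f"{f['policy']}: {f['root_cause']} -> {f['fix']}")
```

Run against a real export (Sign-in logs > Download > JSON) by replacing SAMPLE_SIGNIN_EXPORT with the file contents and TRUSTED_RANGES with your named locations; on the constructed sample it reports the MFA policy and the block policy, and flags the block as an IP-allowlist problem because 203.0.113.45 is outside the trusted range.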
For any other issue, contact us at support@gitclear.com with the details of your flow and we'll provide the guidance you need to set it up.