When Microsoft Teams Phone shows Error Code 403, the service usually understands the call request and then refuses it for a defined reason. In plain terms, the block often comes from a policy setting, a license or Enterprise Voice gap, a voice route mismatch, or an SBC and Direct Routing validation issue. In SIP itself, 403 means the server understood the request but refused to fulfill it, so the next step is not guessing; it is finding the exact trigger behind that refusal. [✅Source-1]
Do not treat every 403 as one generic permissions problem. Teams Phone maps this error to several Microsoft response codes, and each one points to a different lane: calling policy, user enablement, voice routing, SBC identity, location-based routing, or compliance recording. That detail changes the fix completely.
Signals That Often Point to User Settings
- Only one or a few users fail
- The user recently changed license, policy, or phone number
- The user cannot place outbound PSTN calls, even though the SBC looks healthy
- The issue appears right after onboarding or tenant-side policy edits
Signals That Often Point to Routing or Trunk Setup
- Many users fail in the same pattern
- Only certain destinations fail, such as international or specific prefixes
- The call reaches the SBC and is rejected there
- The problem started after a new voice route, certificate, or SBC FQDN change
What Error Code 403 Means in Teams Phone
403 sits in the SIP request-failure family, but Teams Phone adds another layer: the Microsoft response code. Administrators troubleshooting these refusals often compare them with other documented Microsoft Teams voice and calling error codes to see whether the block belongs to policy configuration, routing logic, or Direct Routing validation. A plain Forbidden message tells you the call was refused; the Microsoft subcode tells you whether the refusal came from private calling rules, Direct Routing user enablement, voice path selection, call blocking, or recording enforcement.
That matters more than the surface error text. Quite often, administrators lose time in the wrong layer—editing the SBC when the real block lives in a calling policy, or changing a user license when the real issue is a voice route pattern. Read the code first. Then move to the matching layer.
Microsoft 403 Variants You May See
| Microsoft Response Code | Plain Meaning | First Place to Check |
|---|---|---|
| 10199 | Private calling is disabled | Teams calling policy and Make private calls |
| 510532 | No trunk config was found | SBC FQDN, Contact header, tenant association |
| 510546 | No trunk config found by LBR selection criteria | Location-Based Routing and toll-bypass restrictions |
| 510560 | User is not Enterprise Voice enabled | License and Enterprise Voice status |
| 510562 | User is not allowed to make outbound PSTN calls | Direct Routing user enablement and user provisioning |
| 510563 | User is allowed domestic calls only | Domestic-only or international call restrictions |
| 510559 | No viable outbound path | Voice route pattern, PSTN usage, policy assignment |
| 560403 | Call rejected | SBC traces and rejection reason on the SBC side |
| 10553 | Required recorder invite failed | Compliance recording setup and recorder bot reachability |
Microsoft documents these 403 subcodes separately, which is why a single troubleshooting script never fits every 403 case. [✅Source-2]
User-Side Checks Before You Touch Routing
Check License Assignment First
If a user needs their own number to place and receive telephone calls, Microsoft says that user must have licensing that includes Microsoft Teams and the Microsoft 365 Phone System application. If that layer is missing, downstream routing work will not rescue the call. Start with the assigned plans, not the SBC. [✅Source-3]
Check the Calling Policy
The Make private calls setting in Teams calling policy controls calling capability in Teams. If it is off, Teams can refuse the call before routing logic even gets a fair chance. This is the first place to look when the subcode points to 10199 or when calling fails right after a policy change. [✅Source-4]
A useful distinction: a missing dial pad does not equal Error 403, but the same root causes often overlap—license state, Enterprise Voice, calling policy, and PSTN connectivity.
Routing and Number Format Checks
Normalize the Number Before Routing
Normalization rules in Teams dial plans translate what the user dialed into the number format routing can actually use. Microsoft states that these rules use .NET regular expressions, and Teams evaluates them from top to bottom. So a correct rule in the wrong order can still send the call down the wrong path. Test the final normalized output, not just the raw number pattern. [✅Source-5]
There is also a practical format detail many short articles miss: for Direct Routing, Microsoft documents the number value as 3 to 38 digits without common symbols, while an extension uses ;ext= and allows 1 to 12 digits. Tiny formatting errors here can break a route that looks correct at first glance. [✅Source-6]
Match the Voice Route and PSTN Usage
A 510559 “No viable path” case often comes down to one fact: the dialed number does not match a usable voice route for that user. In the Teams admin center, voice routes tie together a dialed number pattern, one or more SBCs, and one or more PSTN usage records. Then the assigned voice routing policy decides which usages the user can actually use. One mismatch is enough. [✅Source-7]
- Confirm the normalized dialed number.
- Check the voice route pattern that should catch it.
- Confirm the route includes the intended SBC.
- Confirm the needed PSTN usage is attached to that route.
- Confirm the user has a voice routing policy that includes that PSTN usage.
If outbound calling fails only for international destinations, check whether the user is limited to domestic calling or whether the international pattern never lands in a permitted PSTN usage. Those two cases look similar on the surface. They are not the same fix.
PowerShell Commands That Surface the Cause Faster
Microsoft’s dial pad access article lays out the exact user prerequisites that often sit behind a 403 case: Teams Phone license, online homing, Enterprise Voice enabled, Make private calls enabled, and a valid PSTN connectivity option. It also provides commands that expose these gaps quickly. Run them before you change routes blindly. [✅Source-8]
(Get-CsOnlineUser -Identity $user).AssignedPlan
This shows whether the user has a Teams Phone-capable plan such as MCOEV with CapabilityStatus set to Enabled.
Get-CsOnlineUser -Identity $user | Select RegistrarPool, HostingProvider Get-CsOnlineUser -Identity $user | Select EnterpriseVoiceEnabled
These two checks tell you whether the user is homed online and whether Enterprise Voice is actually on.
if (($p=Get-CsUserPolicyAssignment -Identity $user -PolicyType TeamsCallingPolicy) -eq $null) {Get-CsTeamsCallingPolicy -Identity Global} else {Get-CsTeamsCallingPolicy -Identity $p.PolicyName}
Get-CsOnlineUser -Identity $user | Select UserValidationErrorsThat pair checks the effective calling policy and any visible provisioning errors. After policy or user-setting changes, a Teams client restart may help, and recent updates can take a few hours to land on the client.
SBC and Direct Routing Checks
Confirm the SBC Identity
If the code points to 510532, inspect the SBC FQDN before anything else. Microsoft requires the domain part of the SBC FQDN to match a domain that is registered in the tenant, and the *.onmicrosoft.com domain is not supported for the SBC FQDN. If the environment uses a subdomain, that subdomain must also be registered in the tenant. [✅Source-9]
Validate Certificates and TLS
Direct Routing will trust only SBC certificates signed by CAs that are part of the Microsoft Trusted Root Certificate Program, and Microsoft also calls for the Server Authentication EKU on the certificate. If the SBC certificate chain is off, expired, revoked, or signed by the wrong CA, 403 troubleshooting can drift into circles until the certificate layer is corrected. [✅Source-10]
Microsoft’s SBC connectivity troubleshooting adds two technical checks that are easy to miss: the TLS version on the SBC should be 1.2 or higher, and when a subdomain used by the SBC is newly activated in Microsoft 365, propagation can take up to 24 hours once the requirements are met. New trunk changes sometimes fail for timing reasons, not for logic reasons. [✅Source-11]
Check Whether the Provider Rejected the Call
A 403 is not always born inside Teams. Microsoft notes that when the failure code is SIP 403 or SIP 404, the PSTN provider may be the party returning the failure. If the provider is not the source, the next stop is usually the SBC vendor and its logs. So, when Teams settings look clean, move down the path instead of rechecking the tenant forever. [✅Source-12]
Less Common 403 Triggers
Review Location-Based Routing
If the environment uses Location-Based Routing, a 403 can be fully expected when the user’s site, gateway, and calling policy combination blocks toll bypass. Microsoft’s setup path spans network sites, gateways, and the calling policy option named Prevent toll bypass and send calls through the PSTN. Miss one layer, and route selection can fail even when the route itself looks fine. [✅Source-13]
Review Inbound Blocking Rules
For inbound 403 cases tied to blocked callers, check whether tenant-wide block patterns are matching more than intended. Microsoft manages this layer through PowerShell, not the Teams admin center, and the patterns use regular expressions. A newly added or removed block pattern can also take up to 24 hours to become active, so immediate retesting may mislead you. [✅Source-14]
Review Compliance Recording
If the subcode is 10553, the call leg was canceled because an invite to a required recorder failed. Microsoft supports this through certified third-party compliance recording solutions. In that case, the real check is not ordinary call routing first; it is whether the recorder bot and recording path are healthy and reachable for that call flow. [✅Source-15]
A Fix Order That Cuts Rework
When you need a clean order, follow the same direction Microsoft uses for Direct Routing user enablement: assign the right Teams Phone license, make sure the user is homed online, configure the phone number and Enterprise Voice, and only then move into deeper routing checks. Start small. It saves edits you may need to undo later. [✅Source-16]
- Read the exact Microsoft response code.
- Confirm the user has the right license, Enterprise Voice, and calling policy.
- Verify the normalized number that leaves the dial plan.
- Match that number to a voice route, then to a PSTN usage, then to the user’s voice routing policy.
- Check the SBC FQDN, certificate chain, and TLS version.
- If the SBC and tenant look correct, inspect whether the provider or a recording requirement rejected the call.
- After changes, retest with the same destination and the same user before you widen the scope.
A short practical rule: if only one user fails, begin with user state. If many users fail for the same pattern, begin with routing, trunk identity, or the provider path. Works more often than not.
FAQ
Does Teams Phone Error Code 403 Always Mean a Permissions Problem?
No. 403 means the call was refused, but the refusal can come from policy, license state, Enterprise Voice, voice routing, Location-Based Routing, SBC identity, or the provider path.
Why Does One User Get 403 While Others Can Call Normally?
That pattern usually points to the user layer: license assignment, Enterprise Voice, calling policy, PSTN connectivity entitlement, or a user-specific voice routing policy.
Can Wrong Number Format Trigger Error 403?
Yes. A call can fail with 403 when the normalized number does not match a usable voice route pattern or when the final format is wrong for Direct Routing. Always test the normalized output, not just the number the user typed.
Can Location-Based Routing Cause a 403?
Yes. If Location-Based Routing or Prevent toll bypass blocks that call path for the user’s site and gateway combination, a 403 can be the expected result.
Can SBC Certificate Problems Show Up as 403?
Yes. If the certificate chain, trusted CA, EKU, or TLS version is wrong, Direct Routing validation can fail and the call path can break before routing behaves as expected.
How Long Should I Wait After a Change Before Retesting?
For user and policy changes, allow time for settings to land and restart the Teams client. For some tenant-wide items, such as inbound blocking pattern changes or certain domain activation cases, Microsoft documents that propagation can take up to 24 hours.