diff --git a/passbook/flows/templates/flows/denied_shell.html b/passbook/flows/templates/flows/denied_shell.html
new file mode 100644
index 000000000..dc768c21d
--- /dev/null
+++ b/passbook/flows/templates/flows/denied_shell.html
@@ -0,0 +1,57 @@
+{% extends 'login/base.html' %}
+
+{% load static %}
+{% load i18n %}
+{% load passbook_utils %}
+
+{% block card_title %}
+{% trans 'Permission denied' %}
+{% endblock %}
+
+{% block title %}
+{% trans 'Permission denied' %}
+{% endblock %}
+
+{% block card %}
+    <form method="POST" class="pf-c-form">
+        {% csrf_token %}
+        {% include 'partials/form.html' %}
+        <div class="pf-c-form__group">
+            <p>
+                <i class="pf-icon pf-icon-error-circle-o"></i>
+                {% trans 'Access denied' %}
+            </p>
+            {% if error %}
+            <hr>
+            <p>
+                {{ error }}
+            </p>
+            {% endif %}
+            {% if policy_result %}
+            <hr>
+            <em>
+                {% trans 'Explanation:' %}
+            </em>
+            <ul class="pf-c-list">
+                {% for source_result in policy_result.source_results %}
+                <li>
+                    {% blocktrans with name=source_result.source_policy.name result=source_result.passing %}
+                    Policy '{{ name }}' returned result '{{ result }}'
+                    {% endblocktrans %}
+                    {% if source_result.messages %}
+                    <ul class="pf-c-list">
+                        {% for message in source_result.messages %}
+                            <li>{{ message }}</li>
+                        {% endfor %}
+                    </ul>
+                    {% endif %}
+                </li>
+                {% endfor %}
+            </ul>
+            {% endif %}
+        </div>
+        {% if 'back' in request.GET %}
+        <a href="{% back %}" class="btn btn-primary btn-block btn-lg">{% trans 'Back' %}</a>
+        {% endif %}
+    </form>
+{% endblock %}
diff --git a/passbook/flows/views.py b/passbook/flows/views.py
index b2f77ec2d..1a6ab4d75 100644
--- a/passbook/flows/views.py
+++ b/passbook/flows/views.py
@@ -187,9 +187,11 @@ class FlowExecutorView(View):
         is a superuser."""
         LOGGER.debug("f(exec): Stage invalid", flow_slug=self.flow.slug)
         self.cancel()
-        response = AccessDeniedResponse(self.request)
+        response = AccessDeniedResponse(
+            self.request, template="flows/denied_shell.html"
+        )
         response.error_message = error_message
-        return response
+        return to_stage_response(self.request, response)
 
     def cancel(self):
         """Cancel current execution and return a redirect"""
diff --git a/passbook/policies/http.py b/passbook/policies/http.py
index f8c668060..d2f1b9c74 100644
--- a/passbook/policies/http.py
+++ b/passbook/policies/http.py
@@ -18,10 +18,9 @@ class AccessDeniedResponse(TemplateResponse):
     error_message: Optional[str] = None
     policy_result: Optional[PolicyResult] = None
 
-    def __init__(self, request: HttpRequest) -> None:
-        # For some reason pyright complains about keyword argument usage here
-        # pyright: reportGeneralTypeIssues=false
-        super().__init__(request=request, template="policies/denied.html")
+    # pyright: reportGeneralTypeIssues=false
+    def __init__(self, request: HttpRequest, template="policies/denied.html") -> None:
+        super().__init__(request, template)
         self.title = _("Access denied")
 
     def resolve_context(