Successful sign-ins from blocked countries?
This brings us to the core of identity governance in Microsoft Entra.
Non-interactive sign-ins are often not evaluated by Conditional Access, and the Application - Sign-in Locations report shows all successful sign-ins, whether they are interactive or non-interactive.
If you filter on interactive sign-ins in the report you can verify your Conditional Access policies. But remember that a non-interactive sign-in reuses a token that is already valid, so the policy that blocks the country is not necessarily re-evaluated.
The breakdown below, compiled with AI assistance, summarises common flows that either bypass CA completely or only partially evaluate it.
Conditional Access Coverage Overview

| Sign-in Type | Conditional Access Applies? | Notes |
|---|---|---|
| Interactive user sign-in (UI prompt) | Yes | Full evaluation of CA policies |
| Non-interactive user sign-in | Partially / No | Often skipped unless a CA condition forces reauthentication |
| Service principal (workload identity) | Only with workload identity CA policies | Must be explicitly configured |
| Token refresh using a refresh token | No | Reuses a valid token; no re-evaluation unless forced |
| Background apps / mobile clients | No | Teams mobile, Outlook, etc. silently renew tokens |
| Brokered flows (e.g. MSAL via broker) | Partially | Some CA policies enforced, but location and risk conditions may be skipped |
| Device registration (PRT issuance) | Partial / outside CA scope | Conditional Access is not evaluated at this stage |
| OAuth2 client credentials flow | No | No user context, so user-scoped CA is not evaluated; only a workload identity policy can target it |
| SAML token federation | Partial, if CA is not scoped correctly | CA applies only if the cloud app is covered by a policy |
Common Non-Interactive Flows That Bypass or Partially Apply Conditional Access

| Service / App | Flow Type | CA Enforcement | Notes |
|---|---|---|---|
| Microsoft Authentication Broker | Brokered token renewal | Often skipped | Used in mobile and hybrid auth |
| Microsoft Mobile Application Management | App token + MAM check-in | Often skipped | From Intune-managed mobile apps |
| Microsoft Teams mobile client | Silent token renewal | Skipped unless the token expires or a session control is used | Can appear from blocked countries |
| Azure AD Graph / Microsoft Graph (background) | Refresh / token reuse | Usually skipped | Especially when used by services and background jobs |
| Exchange ActiveSync (legacy) | Basic / legacy auth | Cannot satisfy CA controls such as MFA | Must be blocked with a legacy authentication CA policy |
| Outlook mobile background sync | Refresh, brokered auth | Mostly skipped | Appears in the non-interactive sign-in logs |
| Power BI dataset refresh (using an SPN) | Service principal | Requires workload identity CA | No user context by default |
| Azure Automation Runbooks (with an SPN) | Client credentials | Skips user-scoped CA completely | Needs workload identity CA to control |
| Device Registration (DSReg) | PRT issuance via WS-Trust | Outside CA scope | Happens before CA is evaluated |
| Windows Hello for Business | PRT or token reuse | No CA enforcement | Happens below the auth stack |
What does enforce Conditional Access?
CA is evaluated only on:
Interactive sign-ins via browser or modern authentication (OAuth2 authorization code flow)
Token issuance events that require fresh authentication
Apps explicitly targeted by a CA policy
Session controls (such as Sign-in Frequency and CAE)
How to monitor these flows
Use the Bsure Insights Application - Sign-in Locations report and filter on non-interactive sign-ins. Save a favourite that selects only the apps and countries you want to monitor closely.
A manual option is Microsoft Entra ID > Sign-in logs (the User sign-ins (non-interactive) tab) with the following filters:
Sign-in type = Non-interactive
Client app = Mobile apps and desktop clients or Other clients
Add the Location column to see the IP address or country
Conditional Access = Not applied or Report-only
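The same triage, applied to an exported log instead of portal filters. This is an added example, not code from the Bsure Insights product or from Microsoft; the field names follow the Microsoft Graph `signIn` resource (`isInteractive`, `clientAppUsed`, `conditionalAccessStatus`, `location.countryOrRegion`, `status.errorCode`), the sample events are constructed for this example, and the blocked-country list stands in for whatever your named-locations policy blocks. The script separates two different findings: a non-interactive sign-in where CA never ran (token reuse, `conditionalAccessStatus` = `notApplied`) and one where CA ran and still allowed it (`success`), which means the policy does not cover that app or client type.

```python
import json
from collections import Counter

# Assumption: the countries your named-location Conditional Access policy is meant
# to block, written as Entra reports them in location.countryOrRegion.
BLOCKED_COUNTRIES = {"RU", "KP", "IR"}

# Constructed sample export, shaped like items returned by GET /auditLogs/signIns.
# Event 2 is the interactive attempt CA blocked (AADSTS53003); events 1 and 4 are
# the non-interactive "successes" from the same countries that the question is about.
SAMPLE_EXPORT = json.dumps([
    {"id": "1", "createdDateTime": "2024-05-01T06:00:00Z",
     "userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Teams",
     "clientAppUsed": "Mobile Apps and Desktop clients", "isInteractive": False,
     "conditionalAccessStatus": "notApplied", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "RU"}, "status": {"errorCode": 0}},
    {"id": "2", "createdDateTime": "2024-05-01T06:01:00Z",
     "userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Teams",
     "clientAppUsed": "Browser", "isInteractive": True,
     "conditionalAccessStatus": "failure", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "RU"}, "status": {"errorCode": 53003}},
    {"id": "3", "createdDateTime": "2024-05-01T07:00:00Z",
     "userPrincipalName": "bob@contoso.example", "appDisplayName": "Outlook Mobile",
     "clientAppUsed": "Mobile Apps and Desktop clients", "isInteractive": False,
     "conditionalAccessStatus": "notApplied", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "NO"}, "status": {"errorCode": 0}},
    {"id": "4", "createdDateTime": "2024-05-01T08:30:00Z",
     "userPrincipalName": "carol@contoso.example", "appDisplayName": "Outlook Mobile",
     "clientAppUsed": "Mobile Apps and Desktop clients", "isInteractive": False,
     "conditionalAccessStatus": "success", "ipAddress": "192.0.2.44",
     "location": {"countryOrRegion": "IR"}, "status": {"errorCode": 0}},
])


def load_events(export_json):
    """Parse an export (a JSON array of signIn objects) into a list of dicts."""
    return json.loads(export_json)


def flag_bypasses(events, blocked_countries=BLOCKED_COUNTRIES):
    """Return successful non-interactive sign-ins from blocked countries.

    Each hit carries a verdict distinguishing "CA never ran" (an existing token was
    reused) from "CA ran and allowed it" (the policy does not cover this app/client).
    """
    hits = []
    for ev in events:
        if ev.get("status", {}).get("errorCode", -1) != 0:
            continue                      # failed sign-in: something blocked it
        if ev.get("isInteractive", True):
            continue                      # interactive sign-ins are what CA already covers
        country = (ev.get("location") or {}).get("countryOrRegion")
        if country not in blocked_countries:
            continue
        ca_status = ev.get("conditionalAccessStatus")
        if ca_status == "notApplied":
            verdict = "CA not evaluated: existing token reused"
        elif ca_status == "success":
            verdict = "CA evaluated and allowed: policy scope gap"
        else:
            verdict = f"unexpected conditionalAccessStatus {ca_status!r}"
        hits.append({
            "id": ev["id"], "user": ev.get("userPrincipalName"),
            "app": ev.get("appDisplayName"), "client": ev.get("clientAppUsed"),
            "country": country, "ip": ev.get("ipAddress"), "verdict": verdict,
        })
    return hits


def summarize(hits):
    """Count hits per (app, country) so the noisiest app/country pair stands out."""
    return Counter((h["app"], h["country"]) for h in hits)


def graph_filter():
    """OData $filter for the beta GET /auditLogs/signIns endpoint that returns only
    successful non-interactive user sign-ins; country is then filtered client-side."""
    return "signInEventTypes/any(t: t eq 'nonInteractiveUser') and status/errorCode eq 0"


if __name__ == "__main__":
    found = flag_bypasses(load_events(SAMPLE_EXPORT))
    for hit in found:
        print(hit)
    print(summarize(found))
```

Run against a real export (for example the JSON download from the sign-in logs blade, or the items returned by the `graph_filter()` query) and the hits marked "policy scope gap" are the ones to fix first: those are apps or client types that your blocked-country policy should already cover but does not.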
Recommendations

1. Enable Sign-in Frequency and token lifetime policies
Force reauthentication at regular intervals so that Conditional Access is re-evaluated on a predictable schedule.

2. Enable Continuous Access Evaluation (CAE)
Allows near-real-time revocation of access when location, risk, or device state changes, even after a token has been issued.
Configure CAE

3. Use Conditional Access for workload identities (service principals / apps)
Enforces CA on non-user, service-to-service auth flows (Power BI service principals, automation, Graph API jobs, etc.).
Note: Workload identity CA requires a Microsoft Entra Workload ID license (list price $3.00 per workload identity per month, annual commitment).

4. Monitor sign-ins (especially non-interactive ones)
Track token reuse, service principal usage, and mobile clients that bypass CA.
Monitor sign-ins using Bsure Insights reports:
Non-interactive user sign-ins: Application - Sign-in Locations
Service principal usage: Security - Service Principals

5. Block legacy authentication
Legacy authentication protocols (SMTP AUTH, POP, IMAP, basic authentication) cannot enforce MFA or other CA controls and should be blocked with a CA policy unless a specific workload still requires them.

6. Leverage Microsoft Defender for Cloud Apps (optional but powerful)
Provides real-time session controls and detection of risky activity in apps such as Teams, Graph, and Exchange, even when CA does not fire.
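Recommendations 1 and 5 are both Conditional Access policies, and the most common way they fail in practice is that the policy exists but sits in report-only mode, or excludes the client app types that carry legacy authentication. The added example below (not code from Bsure Insights or Microsoft) builds the two policy payloads in the shape of the Microsoft Graph `conditionalAccessPolicy` resource, as you would send them to `POST /identity/conditionalAccess/policies`, and audits an exported policy list for whether either control is actually enforced tenant-wide. The sample export, the break-glass account id and the 12-hour frequency are constructed assumptions.

```python
# Assumption: object id of a break-glass account excluded from every block policy.
BREAK_GLASS_USER_ID = "00000000-0000-0000-0000-000000000000"

# clientAppTypes values that carry legacy authentication in the Graph schema.
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}


def build_legacy_auth_block_policy(excluded_user_ids=(BREAK_GLASS_USER_ID,)):
    """Payload that blocks legacy authentication for all users and all cloud apps
    (recommendation 5). state must be "enabled", not report-only, to enforce."""
    return {
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {
            "clientAppTypes": sorted(LEGACY_CLIENT_APP_TYPES),
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": list(excluded_user_ids)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def build_sign_in_frequency_policy(hours=12, excluded_user_ids=(BREAK_GLASS_USER_ID,)):
    """Payload that forces reauthentication, and therefore CA re-evaluation, every
    `hours` hours for all users and cloud apps (recommendation 1)."""
    return {
        "displayName": f"Require reauthentication every {hours}h",
        "state": "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": list(excluded_user_ids)},
        },
        "sessionControls": {
            "signInFrequency": {"value": hours, "type": "hours",
                                "frequencyInterval": "timeBased", "isEnabled": True},
        },
    }


def _covers_all_users(policy):
    return "All" in policy.get("conditions", {}).get("users", {}).get("includeUsers", [])


def _covers_all_apps(policy):
    apps = policy.get("conditions", {}).get("applications", {})
    return "All" in apps.get("includeApplications", [])


def blocks_legacy_auth(policy):
    """True only if the policy is enforced (not report-only), targets every legacy
    client app type, covers all users and apps, and its grant control is block."""
    conditions = policy.get("conditions", {})
    grant = policy.get("grantControls") or {}
    return (policy.get("state") == "enabled"
            and LEGACY_CLIENT_APP_TYPES <= set(conditions.get("clientAppTypes", []))
            and _covers_all_users(policy) and _covers_all_apps(policy)
            and "block" in grant.get("builtInControls", []))


def enforces_sign_in_frequency(policy):
    """True if an enforced policy applies an enabled sign-in frequency to all users."""
    sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
    return (policy.get("state") == "enabled" and sif.get("isEnabled") is True
            and _covers_all_users(policy))


def audit(policies):
    """Summarise whether the tenant's policy list enforces recommendations 1 and 5."""
    return {
        "legacy_auth_blocked": any(blocks_legacy_auth(p) for p in policies),
        "sign_in_frequency_enforced": any(enforces_sign_in_frequency(p) for p in policies),
    }


# Constructed sample export of GET /identity/conditionalAccess/policies: the legacy
# auth block exists but was left in report-only mode, so it enforces nothing.
SAMPLE_POLICIES = [
    dict(build_legacy_auth_block_policy(), state="enabledForReportingButNotEnforced"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_POLICIES))
    print(audit(SAMPLE_POLICIES + [build_legacy_auth_block_policy(),
                                   build_sign_in_frequency_policy()]))
```

The audit deliberately treats `enabledForReportingButNotEnforced` as not enforced and requires both `exchangeActiveSync` and `other`; a legacy-auth block that targets only one of them still lets the other through.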