# Successful sign-ins from blocked countries?

This brings us to the core of identity governance in Microsoft Entra.

Non-interactive sign-ins are often not evaluated by Conditional Access, and the [Application - Sign-in Locations](/user-guides/users/sign-in-locations.md) report shows all successful sign-ins, whether they are interactive or non-interactive.

If you filter on interactive sign-ins in the report you can verify your Conditional Access policies. But remember that a non-interactive sign-in reuses a valid token, so the policies are not re-evaluated for it.

Below is an AI-generated, **well-documented, community-verified breakdown** of common flows that either **bypass CA completely** or **only partially evaluate it**.

***

### ✅ **Conditional Access Coverage Overview**

| **Sign-in Type**                          | **Conditional Access Applies?**    | **Notes**                                                            |
| ----------------------------------------- | ---------------------------------- | -------------------------------------------------------------------- |
| **Interactive user sign-in (UI prompt)**  | ✅ Yes                              | Full evaluation of CA policies                                       |
| **Non-interactive user sign-in**          | ⚠️ Partially / No                  | Often skipped unless CA conditions are met to force reauthentication |
| **Service principal (workload identity)** | ⚠️ Only with workload CA policies  | Must be explicitly configured                                        |
| **Token refresh using refresh token**     | ❌ No                               | Reuses valid token, no re-evaluation unless forced                   |
| **Background apps / mobile clients**      | ❌ No                               | Teams mobile, Outlook, etc. silently renew tokens                    |
| **Brokered flows (e.g. MSAL via broker)** | ⚠️ Partially                       | Some CA policies enforced, but location/Risk may be skipped          |
| **Device registration (PRT issuing)**     | ⚠️ Partial / Outside CA scope      | Conditional Access not evaluated at this stage                       |
| **OAuth2 client credentials flow**        | ❌ No                               | No user context = CA not evaluated                                   |
| **SAML token federation**                 | ⚠️ Partial, if CA not scoped right | CA applies only if cloud app is covered                              |

***

### 🚫 **Common Non-Interactive Flows That Bypass or Partially Apply Conditional Access**

| **Service / App**                                 | **Flow Type**             | **CA Enforcement**                                     | Notes                                             |
| ------------------------------------------------- | ------------------------- | ------------------------------------------------------ | ------------------------------------------------- |
| **Microsoft Authentication Broker**               | Brokered token renewal    | ❌ Often skipped                                        | Used in mobile and hybrid auth                    |
| **Microsoft Mobile Application Management**       | App-token + MAM check-in  | ❌ Often skipped                                        | From Intune-managed mobile apps                   |
| **Microsoft Teams mobile client**                 | Silent token renewal      | ❌ Skipped unless token expires or session control used | Can appear from blocked countries                 |
| **Azure AD Graph / Microsoft Graph (background)** | Refresh/token reuse       | ❌ Usually skipped                                      | Especially when used by services, background jobs |
| **Exchange ActiveSync (legacy)**                  | Basic/legacy auth         | ❌ Not CA compatible                                    | Must be blocked via legacy auth CA                |
| **Outlook mobile background sync**                | Refresh, brokered auth    | ❌ Mostly skipped                                       | Appears in non-interactive logs                   |
| **Power BI dataset refresh (using SPN)**          | Service principal         | ⚠️ Requires workload CA                                | No user context by default                        |
| **Azure Automation Runbooks (with SPN)**          | Client credentials        | ❌ Skips CA completely                                  | Needs workload identity CA to control             |
| **Device Registration (DSReg)**                   | PRT issuance via WS-Trust | ❌ Outside CA scope                                     | Happens before CA is evaluated                    |
| **Windows Hello for Business**                    | PRT or token reuse        | ❌ No CA enforcement                                    | Happens below auth stack                          |

***

### 🛡️ What *does* enforce Conditional Access?

CA is only evaluated on:

* **Interactive sign-ins** via browser or modern authentication (OAuth2 Authorization Code Flow)
* **Token issuance events** that **require a fresh auth**
* **Apps explicitly targeted by CA**
* **Session controls** (like Sign-in Frequency, CAE)

***

### 🔍 How to monitor these flows

Use the Bsure Insights Application - Sign-in Locations report and filter on non-interactive sign-ins.\
You can save your own favourite that selects only the apps and countries you want to monitor closely.

A manual option is to use **Microsoft Entra ID > Sign-in logs** with the following filters:

* **Sign-in type = Non-interactive**
* **Client app = Mobile apps and desktop clients** or **Other clients**
* Add **Location** to see IP or country
* **Conditional Access = Not applied** or **Report-only**
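The same filters applied outside the portal, as an added example (not Bsure's or Microsoft's code) over Microsoft Graph `signIn` records: the blocked-country set, the Graph query shown in a comment and the sample records are assumptions and constructed data.

```python
# Added example (not Bsure's code): apply the manual Entra sign-in-log filters
# above to Microsoft Graph "signIn" records. Field names follow the Graph signIn
# resource; the sample records are constructed, not data from a real tenant.
from collections import Counter

BLOCKED_COUNTRIES = {"RU", "KP"}  # assumption: countries your CA location policy blocks


def is_success(rec):
    # Graph reports a successful sign-in as status.errorCode == 0
    return rec.get("status", {}).get("errorCode") == 0


def uncovered_signins(records, blocked=BLOCKED_COUNTRIES):
    """Successful non-interactive sign-ins from a blocked country where
    Conditional Access did not fire (token reused, policy not re-evaluated)."""
    hits = []
    for rec in records:
        country = rec.get("location", {}).get("countryOrRegion")
        if (is_success(rec) and not rec.get("isInteractive", True)
                and country in blocked
                and rec.get("conditionalAccessStatus") == "notApplied"):
            hits.append({"user": rec["userPrincipalName"], "app": rec["appDisplayName"],
                         "client": rec.get("clientAppUsed"),
                         "country": country, "ip": rec.get("ipAddress")})
    return hits


def count_by_app(hits):
    # Which apps silently renew tokens from blocked locations most often
    return Counter(h["app"] for h in hits)


def rec(upn, app, client, interactive, code, ca, country, ip):
    # Build a minimal Graph-shaped signIn record (constructed sample data)
    return {"userPrincipalName": upn, "appDisplayName": app, "clientAppUsed": client,
            "isInteractive": interactive, "status": {"errorCode": code},
            "conditionalAccessStatus": ca,
            "location": {"countryOrRegion": country}, "ipAddress": ip}


# Constructed sample page, as one might get from (assumed query, not run here):
# GET /auditLogs/signIns?$filter=signInEventTypes/any(t: t eq 'nonInteractiveUser')
SAMPLE = [
    rec("alice@contoso.example", "Microsoft Teams", "Mobile Apps and Desktop clients",
        False, 0, "notApplied", "RU", "203.0.113.10"),       # silent token renewal
    rec("alice@contoso.example", "Microsoft Teams", "Browser",
        True, 53003, "failure", "RU", "203.0.113.10"),       # interactive: CA blocked it
    rec("bob@contoso.example", "Outlook Mobile", "Mobile Apps and Desktop clients",
        False, 0, "notApplied", "NL", "198.51.100.7"),       # allowed country
]
```

Running `uncovered_signins(SAMPLE)` returns only Alice's Teams renewal from RU; the interactive attempt was already stopped by CA and Bob's sync came from an allowed country.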

***

### 💡  **Recommendations**

#### 🔁 1. **Enable Sign-in Frequency + Token Lifetime Policies**

Force reauthentication at regular intervals to make Conditional Access re-evaluation more predictable.

* 🔗 [Configure sign-in frequency in Conditional Access](https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-session-lifetime#sign-in-frequency)
* 🔗 [Session management and token lifetimes](https://learn.microsoft.com/en-us/entra/identity-platform/configurable-token-lifetimes)

***

#### 🔄 2. **Enable Continuous Access Evaluation (CAE)**

Allows near-real-time revocation of access when location, risk, or device state changes — even **after** token issuance.

* 🔗 [What is Continuous Access Evaluation (CAE)?](https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-continuous-access-evaluation)
* 🔗 [Configure CAE](https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-continuous-access-evaluation)

***

#### 🛠 3. **Use Conditional Access for Workload Identities (Service Principals / Apps)**

Helps enforce CA on non-user service-to-service auth flows (like Power BI service principals, automation, Graph API jobs, etc.)

* 🔗 [Conditional Access for workload identities overview](https://learn.microsoft.com/en-us/entra/identity/conditional-access/workload-identities)
* 🔗 [Create Conditional Access policies for workload identities](https://learn.microsoft.com/en-us/entra/identity/conditional-access/workload-identities-howto)

> 🧠 *Note: Workload identity CA requires a Microsoft Entra Workload ID license, which has a list price of $3.00 per workload identity per month, paid yearly* **(annual commitment)**.

***

#### 🧼 4. **Monitor Sign-ins (especially Non-Interactive ones)**

Track token reuse, service principal usage, and mobile clients that bypass CA.

* Monitor sign-ins using Bsure Insights reports:
  * Non-interactive user sign-ins: [Application - Sign-in Locations](/user-guides/users/sign-in-locations.md)
  * Service Principal usage: [Security - Service Principals](/user-guides/security/service-principals.md)
* 🔗 [Monitor sign-ins in Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins)
* 🔗 [Sign-in logs explained: Interactive vs Non-interactive](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins#sign-in-types)

***

#### 🔒 5. **Block Legacy Authentication**

Legacy protocols (like SMTP, POP, IMAP, basic auth) bypass CA entirely and should be blocked unless required.

* 🔗 [Block legacy authentication with Conditional Access](https://learn.microsoft.com/en-us/entra/identity/conditional-access/block-legacy-authentication)

***

#### 👁 6. **Leverage Microsoft Defender for Cloud Apps (optional but powerful)**

Provides real-time session controls, detection of risky activity in apps like Teams, Graph, Exchange — even when CA doesn’t fire.

* 🔗 [Integrate Microsoft Defender for Cloud Apps with Conditional Access](https://learn.microsoft.com/en-us/defender-cloud-apps/conditional-access-app-control)
* 🔗 [Use Defender for Cloud Apps to block risky sessions](https://learn.microsoft.com/en-us/defender-cloud-apps/session-control)
