Successful sign-ins from blocked countries?
This brings us to the core of identity governance in Microsoft Entra.
Non-interactive sign-ins are often not evaluated by Conditional Access, and the Application - Sign-in Locations report shows all successful sign-ins regardless of whether they are interactive or non-interactive.
If you filter on interactive sign-ins in the report, you can verify your Conditional Access policies. But remember that a non-interactive sign-in reuses a token that is already valid.
AI put together the following well-documented, community-verified breakdown of common flows that either bypass CA completely or evaluate it only partially.
Conditional Access Coverage Overview

| Sign-in Type | Conditional Access Applies? | Notes |
|---|---|---|
| Interactive user sign-in (UI prompt) | Yes | Full evaluation of CA policies |
| Non-interactive user sign-in | Partially / No | Often skipped unless CA conditions force reauthentication |
| Service principal (workload identity) | Only with workload CA policies | Must be explicitly configured |
| Token refresh using refresh token | No | Reuses a valid token; no re-evaluation unless forced |
| Background apps / mobile clients | No | Teams mobile, Outlook, etc. silently renew tokens |
| Brokered flows (e.g. MSAL via broker) | Partially | Some CA policies enforced, but location/risk may be skipped |
| Device registration (PRT issuing) | Partial / outside CA scope | Conditional Access not evaluated at this stage |
| OAuth2 client credentials flow | No | No user context, so CA is not evaluated |
| SAML token federation | Partial, if CA not scoped correctly | CA applies only if the cloud app is covered |
Common Non-Interactive Flows That Bypass or Partially Apply Conditional Access

| Service / App | Flow Type | CA Enforcement | Notes |
|---|---|---|---|
| Microsoft Authentication Broker | Brokered token renewal | Often skipped | Used in mobile and hybrid auth |
| Microsoft Mobile Application Management | App token + MAM check-in | Often skipped | From Intune-managed mobile apps |
| Microsoft Teams mobile client | Silent token renewal | Skipped unless the token expires or a session control is used | Can appear from blocked countries |
| Azure AD Graph / Microsoft Graph (background) | Refresh / token reuse | Usually skipped | Especially when used by services and background jobs |
| Exchange ActiveSync (legacy) | Basic/legacy auth | Not CA compatible | Must be blocked via a legacy auth CA policy |
| Outlook mobile background sync | Refresh, brokered auth | Mostly skipped | Appears in the non-interactive logs |
| Power BI dataset refresh (using SPN) | Service principal | Requires workload CA | No user context by default |
| Azure Automation Runbooks (with SPN) | Client credentials | Skips CA completely | Needs workload identity CA to control |
| Device Registration (DSReg) | PRT issuance via WS-Trust | Outside CA scope | Happens before CA is evaluated |
| Windows Hello for Business | PRT or token reuse | No CA enforcement | Happens below the auth stack |
What does enforce Conditional Access?
CA is only evaluated on:
Interactive sign-ins via browser or modern authentication (OAuth2 Authorization Code Flow)
Token issuance events that require a fresh auth
Apps explicitly targeted by CA
Session controls (like Sign-in Frequency, CAE)
How to monitor these flows
Use the Bsure Insights Application - Sign-in Locations report and filter on non-interactive sign-ins. You can create your own favourite that selects only the apps and countries you want to monitor closely.
A manual option is to use Microsoft Entra ID > Sign-in logs with the following filters:
Sign-in type = Non-interactive
Client app = Mobile apps and desktop clients or Other clients
Add Location to see IP or country
Conditional Access = Not applied or Report-only
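As an added example, not part of the Bsure Insights report or of Microsoft's tooling, the same triage run over an exported batch of sign-in records: it keeps successful sign-ins from the countries your policy is meant to block and separates interactive ones (the policy itself let the sign-in through) from non-interactive ones (token reuse that CA never re-evaluated). The records are constructed, with field names modeled on the Microsoft Graph signIn resource.

```python
import json
from collections import Counter

# Constructed sample export modeled on the Microsoft Graph signIn resource
# (isInteractive, conditionalAccessStatus, status.errorCode,
# location.countryOrRegion); users and apps are made up.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Teams",
  "isInteractive": false, "conditionalAccessStatus": "notApplied",
  "status": {"errorCode": 0}, "location": {"countryOrRegion": "RU"}},
 {"userPrincipalName": "bob@example.com", "appDisplayName": "Office 365 Exchange Online",
  "isInteractive": true, "conditionalAccessStatus": "failure",
  "status": {"errorCode": 53003}, "location": {"countryOrRegion": "RU"}},
 {"userPrincipalName": "carol@example.com", "appDisplayName": "Office 365 SharePoint Online",
  "isInteractive": false, "conditionalAccessStatus": "notApplied",
  "status": {"errorCode": 0}, "location": {"countryOrRegion": "NO"}},
 {"userPrincipalName": "dave@example.com", "appDisplayName": "Outlook Mobile",
  "isInteractive": true, "conditionalAccessStatus": "success",
  "status": {"errorCode": 0}, "location": {"countryOrRegion": "KP"}}
]""")

BLOCKED_COUNTRIES = {"RU", "KP"}  # countries the CA location policy should block


def find_ca_gaps(records, blocked_countries):
    """Return successful sign-ins from blocked countries, classified by cause.

    Interactive success from a blocked country means the policy let it through
    (wrong scope, exclusion, report-only). Non-interactive success is usually a
    reused token that CA never re-evaluated, as the tables above describe.
    """
    findings = []
    for rec in records:
        if rec.get("status", {}).get("errorCode") != 0:  # 0 = successful sign-in
            continue
        country = rec.get("location", {}).get("countryOrRegion")
        if country not in blocked_countries:
            continue
        findings.append({
            "user": rec["userPrincipalName"], "app": rec["appDisplayName"],
            "country": country, "caStatus": rec["conditionalAccessStatus"],
            "verdict": ("policy gap: interactive sign-in not blocked"
                        if rec["isInteractive"]
                        else "token reuse: CA not re-evaluated"),
        })
    return findings


def summarize(findings):
    """Count findings per (app, verdict) to see which apps need attention first."""
    return Counter((f["app"], f["verdict"]) for f in findings)
```

Bob's failed sign-in (CA blocked it) and Carol's sign-in from an allowed country drop out; Alice's silent Teams token renewal and Dave's interactive Outlook sign-in remain, with different verdicts and therefore different fixes.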
Recommendations
1. Enable Sign-in Frequency + Token Lifetime Policies
Force reauthentication at regular intervals to make Conditional Access re-evaluation more predictable.
2. Enable Continuous Access Evaluation (CAE)
Allows near-real-time revocation of access when location, risk, or device state changes, even after a token has been issued.
Configure CAE
3. Use Conditional Access for Workload Identities (Service Principals / Apps)
Helps enforce CA on non-user service-to-service auth flows (such as Power BI service principals, automation, Graph API jobs, etc.).
Note: Workload identity CA requires a Microsoft Entra Workload ID license, which has a list price of $3.00 per workload identity per month, paid yearly (annual commitment).
4. Monitor Sign-ins (especially Non-Interactive ones)
Track token reuse, service principal usage, and mobile clients that bypass CA.
Monitor sign-ins using Bsure Insights reports:
Non-interactive user sign-ins: Application - Sign-in Locations
Service principal usage: Security - Service Principals
5. Block Legacy Authentication
Legacy protocols (such as SMTP, POP, IMAP and basic auth) bypass CA entirely and should be blocked unless required.
6. Leverage Microsoft Defender for Cloud Apps (optional but powerful)
Provides real-time session controls and detection of risky activity in apps like Teams, Graph and Exchange, even when CA doesn't fire.