Successful sign-ins from blocked countries?

This brings us to the core of identity governance in Microsoft Entra.

Non-interactive sign-ins are often skipped by Conditional Access, and the Application - Sign-in Locations report shows all successful sign-ins, whether they are interactive or non-interactive.

If you filter on interactive sign-ins in the report, you can verify that your Conditional Access policies behave as intended. Remember, though, that a non-interactive sign-in reuses a valid token that was already issued.

AI put together the following well-documented, community-verified breakdown of common flows that either bypass CA completely or evaluate it only partially.


Conditional Access Coverage Overview

| Sign-in Type | Conditional Access Applies? | Notes |
|---|---|---|
| Interactive user sign-in (UI prompt) | ✅ Yes | Full evaluation of CA policies |
| Non-interactive user sign-in | ⚠️ Partially / No | Often skipped unless CA conditions are met to force reauthentication |
| Service principal (workload identity) | ⚠️ Only with workload CA policies | Must be explicitly configured |
| Token refresh using refresh token | ❌ No | Reuses valid token, no re-evaluation unless forced |
| Background apps / mobile clients | ❌ No | Teams mobile, Outlook, etc. silently renew tokens |
| Brokered flows (e.g. MSAL via broker) | ⚠️ Partially | Some CA policies enforced, but location/risk may be skipped |
| Device registration (PRT issuing) | ⚠️ Partial / Outside CA scope | Conditional Access not evaluated at this stage |
| OAuth2 client credentials flow | ❌ No | No user context = CA not evaluated |
| SAML token federation | ⚠️ Partial, if CA not scoped right | CA applies only if cloud app is covered |


🚫 Common Non-Interactive Flows That Bypass or Partially Apply Conditional Access

| Service / App | Flow Type | CA Enforcement | Notes |
|---|---|---|---|
| Microsoft Authentication Broker | Brokered token renewal | ❌ Often skipped | Used in mobile and hybrid auth |
| Microsoft Mobile Application Management | App-token + MAM check-in | ❌ Often skipped | From Intune-managed mobile apps |
| Microsoft Teams mobile client | Silent token renewal | ❌ Skipped unless token expires or session control used | Can appear from blocked countries |
| Azure AD Graph / Microsoft Graph (background) | Refresh/token reuse | ❌ Usually skipped | Especially when used by services, background jobs |
| Exchange ActiveSync (legacy) | Basic/legacy auth | ❌ Not CA compatible | Must be blocked via legacy auth CA |
| Outlook mobile background sync | Refresh, brokered auth | ❌ Mostly skipped | Appears in non-interactive logs |
| Power BI dataset refresh (using SPN) | Service principal | ⚠️ Requires workload CA | No user context by default |
| Azure Automation Runbooks (with SPN) | Client credentials | ❌ Skips CA completely | Needs workload identity CA to control |
| Device Registration (DSReg) | PRT issuance via WS-Trust | ❌ Outside CA scope | Happens before CA is evaluated |
| Windows Hello for Business | PRT or token reuse | ❌ No CA enforcement | Happens below auth stack |


🛡️ What does enforce Conditional Access?

CA is only evaluated on:

  • Interactive sign-ins via browser or modern authentication (OAuth2 Authorization Code Flow)

  • Token issuance events that require a fresh auth

  • Apps explicitly targeted by CA

  • Session controls (like Sign-in Frequency, CAE)


🔍 How to monitor these flows

Use the Bsure Insights Application - Sign-in Locations report and filter on non-interactive sign-ins. You can create your own favourite, selecting only the apps and countries you want to monitor closely.

A manual option is to use Microsoft Entra ID > Sign-in logs with the following filters:

  • Sign-in type = Non-interactive

  • Client app = Mobile apps and desktop clients or Other clients

  • Add Location to see IP or country

  • Conditional Access = Not applied or Report-only
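The same filtering can be applied to exported sign-in data, which also covers the verification step mentioned earlier (filtering on interactive sign-ins to confirm that CA blocks them). The script below is an added example, not part of the Bsure article or its product. It uses the field names of the Microsoft Graph `signIn` resource (`isInteractive`, `status.errorCode`, `conditionalAccessStatus`, `location.countryOrRegion`); the sign-in records, the user names and the blocked-country list are constructed for the example.

```python
"""Flag successful non-interactive sign-ins from blocked countries.

Added example (not the article's or Bsure's code). Records use the Microsoft
Graph signIn field names; all sample data below is constructed.
"""
from collections import Counter

# Constructed sample records, shaped like entries from /auditLogs/signIns.
# errorCode 0 = token issued; 53003 = blocked by Conditional Access.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Teams",
     "clientAppUsed": "Mobile Apps and Desktop clients", "isInteractive": False,
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "RU"},
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Outlook Mobile",
     "clientAppUsed": "Mobile Apps and Desktop clients", "isInteractive": False,
     "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "RU"},
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Office 365 Portal",
     "clientAppUsed": "Browser", "isInteractive": True,
     "ipAddress": "203.0.113.12", "location": {"countryOrRegion": "RU"},
     "conditionalAccessStatus": "failure", "status": {"errorCode": 53003}},
    {"userPrincipalName": "dave@contoso.example", "appDisplayName": "Microsoft Teams",
     "clientAppUsed": "Mobile Apps and Desktop clients", "isInteractive": False,
     "ipAddress": "198.51.100.5", "location": {"countryOrRegion": "NO"},
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    {"userPrincipalName": "erin@contoso.example", "appDisplayName": "Power BI Service",
     "clientAppUsed": "Mobile Apps and Desktop clients", "isInteractive": False,
     "ipAddress": "203.0.113.13", "location": {"countryOrRegion": "RU"},
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
]

# Constructed policy input: countries your CA location policy is meant to block.
BLOCKED_COUNTRIES = {"RU", "KP"}


def is_successful(signin):
    """A sign-in counts as successful when Entra issued a token (errorCode 0)."""
    return signin.get("status", {}).get("errorCode") == 0


def suspicious_signins(signins, blocked_countries, interactive=False, ca_status=None):
    """Return successful sign-ins of the given type from blocked countries.

    interactive=False selects the non-interactive (token reuse) flows the
    article describes; interactive=True lets you check that interactive
    sign-ins from those countries are actually being blocked. ca_status
    optionally narrows the result to one conditionalAccessStatus value,
    e.g. "notApplied".
    """
    hits = []
    for s in signins:
        if not is_successful(s):
            continue
        if bool(s.get("isInteractive")) != interactive:
            continue
        country = s.get("location", {}).get("countryOrRegion")
        if country not in blocked_countries:
            continue
        if ca_status is not None and s.get("conditionalAccessStatus") != ca_status:
            continue
        hits.append({
            "user": s.get("userPrincipalName"),
            "app": s.get("appDisplayName"),
            "client": s.get("clientAppUsed"),
            "country": country,
            "ip": s.get("ipAddress"),
            "caStatus": s.get("conditionalAccessStatus"),
        })
    return hits


def summarize_by_app(hits):
    """Count flagged sign-ins per application, to see which clients slip past CA."""
    return dict(Counter(h["app"] for h in hits))


if __name__ == "__main__":
    hits = suspicious_signins(SAMPLE_SIGNINS, BLOCKED_COUNTRIES)
    for h in hits:
        print(f"{h['user']:25} {h['app']:18} {h['country']} {h['ip']:15} CA={h['caStatus']}")
    print("per app:", summarize_by_app(hits))
    print("interactive from blocked countries:",
          len(suspicious_signins(SAMPLE_SIGNINS, BLOCKED_COUNTRIES, interactive=True)))
```

Running it over the constructed data flags the Teams, Outlook and Power BI non-interactive sign-ins from RU, while the interactive browser sign-in from the same country shows zero hits because CA rejected it. The Power BI row is flagged even though `conditionalAccessStatus` is `success`: a successful sign-in from a blocked country with CA applied usually means the policy is not scoped to that app, which is exactly the gap the SAML and Power BI rows in the tables describe.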


💡 Recommendations

🔁 1. Enable Sign-in Frequency + Token Lifetime Policies

Force reauthentication at regular intervals to make Conditional Access re-evaluation more predictable.


🔄 2. Enable Continuous Access Evaluation (CAE)

Allows near-real-time revocation of access when location, risk, or device state changes — even after token issuance.


🛠 3. Use Conditional Access for Workload Identities (Service Principals / Apps)

Helps enforce CA on non-user service-to-service auth flows (like Power BI service principals, automation, Graph API jobs, etc.).

🧠 Note: Workload identity CA requires a Microsoft Entra Workload ID license, which has a list price of $3.00 per workload identity per month, paid yearly (annual commitment).


🧼 4. Monitor Sign-ins (especially Non-Interactive ones)

Track token reuse, service principal usage, and mobile clients that bypass CA.


🔒 5. Block Legacy Authentication

Legacy protocols (like SMTP, POP, IMAP, basic auth) bypass CA entirely and should be blocked unless required.


👁 6. Leverage Microsoft Defender for Cloud Apps (optional but powerful)

Provides real-time session controls, detection of risky activity in apps like Teams, Graph, Exchange — even when CA doesn’t fire.
