Do Conditional Access policies evaluate non-interactive sign-ins?

Gareth Roberts 186 Reputation points
2023-01-04T10:53:11.933+00:00

We have a CA policy designed to block users from logging in outside the EU; however, I can see a user has managed to successfully authenticate non-interactively from outside the EU on a mobile device. There seems to be a conflict of opinion online about this matter, and I can't find a definitive statement from Microsoft which describes how CA works in this scenario. Can anyone explain or point to reliable information?

Microsoft Security Microsoft Entra Microsoft Entra ID

Accepted answer
  1. Carlos Solís Salazar 18,191 Reputation points MVP Volunteer Moderator
    2023-01-04T13:23:53.453+00:00

    Hi @Gareth Roberts

    Thank you for asking this question on the **Microsoft Q&A Platform**.

    As per your query, you want to know if a conditional access policy can be configured for non-interactive sign-in requests.

    Azure conditional access policy does evaluate the non-interactive sign-in requests.

    Non-interactive user sign-ins are sign-ins that are performed by a client app or an OS component on behalf of a user. These sign-ins don't require any interaction or authentication factor from the user. For example, authentication and authorization using refresh and access tokens that don't require a user to enter credentials.

    Below are some examples of when a non-interactive sign-in gets triggered:

    • A client app uses an OAuth 2.0 refresh token to get an access token.
    • A client uses an OAuth 2.0 authorization code to get an access token and refresh token.
    • A user performs single sign-on (SSO) to a web or Windows app on an Azure AD joined PC (without providing an authentication factor or interacting with an Azure AD prompt).
    • A user signs in to a second Microsoft Office app while they have a session on a mobile device using FOCI (Family of Client IDs).

    To know more about non-interactive sign-ins, you can refer to the article https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-all-sign-ins#non-interactive-user-sign-ins

    Source: https://learn.microsoft.com/en-us/answers/questions/856602/conditional-access-policy-for-non-interactive-sign.html

    Hope this helps!

    ----------
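A triage sketch for the scenario in this thread, added here as an example and not part of the question, the answer or Microsoft's documentation: it filters exported sign-in records for successful non-interactive sign-ins from outside an allow-list and reports what the location policy did on each. It assumes records use the Microsoft Graph `signIn` property names; the policy name, the country list and all sample records are constructed.

```python
"""Triage exported Entra ID sign-in records (added example; data constructed)."""

# Assumption: abbreviated allow-list of ISO country codes; extend to all EU members.
ALLOWED = {"DE", "FR", "IE", "NL", "ES", "IT"}
POLICY = "Block sign-ins outside EU"  # hypothetical policy display name


def rec(upn, interactive, country, error, result=None):
    """Build a constructed record using Microsoft Graph signIn property names."""
    applied = [{"displayName": POLICY, "result": result}] if result else []
    return {"userPrincipalName": upn, "isInteractive": interactive,
            "location": {"countryOrRegion": country},
            "status": {"errorCode": error},
            "appliedConditionalAccessPolicies": applied}


SAMPLE = [
    rec("a@contoso.example", False, "US", 0, "notApplied"),   # succeeded, policy not applied
    rec("b@contoso.example", False, "US", 53003, "failure"),  # blocked by Conditional Access
    rec("c@contoso.example", True, "US", 0, "notApplied"),    # interactive, out of scope here
    rec("d@contoso.example", False, "DE", 0, "notApplied"),   # inside the allow-list
    rec("e@contoso.example", False, "", 0),                   # no location, no policy listed
]


def triage(records, allowed=ALLOWED, policy=POLICY):
    """Return (user, country, policy result) for successful non-interactive
    sign-ins whose country is missing or outside the allow-list."""
    findings = []
    for r in records:
        if r.get("isInteractive", True):
            continue  # only non-interactive sign-ins are of interest
        country = ((r.get("location") or {}).get("countryOrRegion") or "").upper()
        if country in allowed:
            continue
        if (r.get("status") or {}).get("errorCode") != 0:
            continue  # sign-in did not succeed, nothing to investigate
        applied = r.get("appliedConditionalAccessPolicies") or []
        result = next((p.get("result") for p in applied
                       if p.get("displayName") == policy), "notListed")
        findings.append((r.get("userPrincipalName"), country or "unknown", result))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A result of `notApplied` or `notListed` on a flagged record points at the policy's assignments and conditions (users, target apps, client app types, named locations) as the place to look next.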

