@Leo Johnson Thanks for posting in our Q&A.
For our question, I did some research and found the following explanation.
Conditional Access policies apply to all user accounts. This includes user accounts that are used as service accounts. Often, a service account that runs unattended can't satisfy the requirements of a Conditional Access policy. For example, multi-factor authentication might be required.
If your organization has these accounts in use in scripts or code, consider replacing them with managed identities. As a temporary workaround, you can exclude these specific accounts from the baseline policy.
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/faqs#does-a-conditional-access-policy-apply-to-service-accounts
Hope it can help.
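An added example, not part of the original answer or of Microsoft's documentation: a small audit that reads Conditional Access policies in the Microsoft Graph `conditionalAccessPolicy` JSON shape and reports which service accounts are still in scope of an enabled MFA policy (their unattended sign-ins will fail) and which are excluded as the temporary workaround (to be tracked until replaced by managed identities). The policy names, object IDs and the `SERVICE_ACCOUNTS` inventory are constructed, and group or role based targeting is not evaluated.

```python
# Constructed sample data shaped like Microsoft Graph conditionalAccessPolicy
# objects. All names and object IDs below are made up for illustration.
POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["svc-backup-id"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require MFA for Azure management", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Pilot MFA", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Session lifetime only", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
     "grantControls": None},  # session-only policies carry no grant controls
]

# Hypothetical inventory: object ID -> service account name.
SERVICE_ACCOUNTS = {"svc-backup-id": "svc-backup", "svc-report-id": "svc-report"}


def requires_mfa(policy):
    """True for an enforced policy that lists MFA as a grant control.

    Simplification: any enabled policy listing "mfa" counts, even when the
    operator is OR and other controls are listed alongside it.
    """
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    return policy.get("state") == "enabled" and "mfa" in controls


def classify(policies, service_accounts):
    """Split service accounts into excluded vs. in-scope per MFA policy."""
    findings = {"excluded": [], "in_scope": []}
    for policy in policies:
        if not requires_mfa(policy):
            continue
        users = (policy.get("conditions") or {}).get("users") or {}
        include = set(users.get("includeUsers") or [])
        exclude = set(users.get("excludeUsers") or [])
        for oid, name in sorted(service_accounts.items()):
            if oid in exclude:          # exclusion wins over inclusion
                findings["excluded"].append((policy["displayName"], name))
            elif "All" in include or oid in include:
                findings["in_scope"].append((policy["displayName"], name))
    return findings
```
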