2,589 questions
Conditional Access Policy for Non-Interactive Sign-in
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 99%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
John
46
Reputation points
Hello -
Is there a way to create a policy so that it also applies to non-interactive logins in Azure? We have implemented several conditional access (CA) policies that will restrict users from logging in from outside the country; however, if they bring their mobile device the non-interactive login (or background process) will continue to refresh and be flagged as a risky sign-in, even though the user did not do anything.
I tried looking online but I could not find an article on how to configure a CA policy for non-interactive logins. Any suggestions will be greatly appreciated!
Thank you!!!
Microsoft Security Microsoft Entra Other
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 78%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
Sandeep G-MSFT 20,906 Reputation points Microsoft Employee Moderator2022-05-20T07:31:08.52+00:00 Thank you for reaching out to us.
As per your query you want to know if conditional access policy can be configured for non-interactive sign-in requests.Azure conditional access policy does not evaluate the non-interactive sign-in requests.
Non-interactive user sign-ins are sign-ins that are performed by a client app or an OS component on behalf of a user. These sign-ins don't require any interaction or authentication factor from the user. For example, authentication and authorization using refresh and access tokens that don't require a user to enter credentials.
Below are some of the examples when non-interactive sign-in gets triggered,
• A client app uses an OAuth 2.0 refresh token to get an access token.
• A client uses an OAuth 2.0 authorization code to get an access token and refresh token.
• A user performs single sign-on (SSO) to a web or Windows app on an Azure AD joined PC.
• A user signs in to a second Microsoft Office app while they have a session on a mobile device using FOCI (Family of Client IDs).To know more about non-interactive sign-in, you can refer article https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-all-sign-ins#non-interactive-user-sign-ins
-
Sandeep G-MSFT 20,906 Reputation points Microsoft Employee Moderator
2022-05-20T07:32:10.313+00:00 Here is the continuation of above explaination
Conditional Access policies are enforced after first-factor authentication is completed. Usually, conditional access policies are not triggered for requests which comes with valid refresh tokens.
Application sends the valid refresh token to get new access token.Usually if mobile application is going to azure AD with valid refresh token, then the request should not be treated as a risk sign-in because the IP address of non-interactive sign-ins doesn't match the actual source IP of where the refresh token request is coming from. Instead, it shows the original IP used for the original token issuance.
Can you let me how is user accessing the application in mobile device?
Let me know if you have any further questions.
-
John 46 Reputation points
2022-05-20T11:57:29.167+00:00 Hi Sandeg -
Thank you for the quick reply!
We use Outlook Mobile on our mobile devices (mixture of both Android and iPhone). The user will sign-in with their company e-mail address, password and need to complete 2FA before they can gain access to the application.
However, the session will remain active for about 24-hours, before they are required to 2FA again. That said, if they do not authenticate after the 24-hours, the account is still synced to the application but the user cannot read the e-mails.
For instance, I use Android and if I do not authenticate, I will still receive a notification that I received a new e-mail, but in order to read it I need to sign-in again.
Do you think that is the culprit for triggering the non-interactive sign-ins? The user doesn't interact with the app, but since their account is still synced to the app that triggers the non-interactive sign-in.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 46%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
benny 26 Reputation points2022-07-14T17:00:11.457+00:00 If non-interactive logins are not supposed to be evaluated by the CA policy, why am I seeing all these failures in the sign-in logs ?
The CA policy that is causing failure is applying to all cloud apps and a specific user group.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 12%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIT%3C/text%3E%3C/svg%3E)
Ian Turner 11 Reputation points2022-09-16T19:20:24.69+00:00 I just implemented Cisco Duo and am also seeing non-interactive sign-ins fail due to Conditional Access policy.
I don't want Duo to prompt for Office desktop SSO, OneDrive desktop SSO or Microsoft Edge SSO.
We are in a Azure Hybrid-Join environment if that matters.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 61%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECE%3C/text%3E%3C/svg%3E)
Christopher Ehrit 1 Reputation point2023-01-04T08:49:47.77+00:00 Have you had any success in finding the root for this behavior? We plan to deliberately block certain users from using non-interactive login in general and are looking for a solution with CAP.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 93%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERD%3C/text%3E%3C/svg%3E)
Rajkumar Duraisamy 0 Reputation points2023-07-18T12:37:20.43+00:00 @Sandeep G (sandeg) It is a wrong update that CA will not validate non-interactive sign-in. Powershell session that passes the credential is a non-interactive example.. if MFA configured through CA, it will prompt for MFA.
Sign in to comment
Sign in to answer