Entra ‐ Azure AD Conditional Access Policies and non‐interactive authentication request - ToddMaxey/Technical-Documentation GitHub Wiki

In Azure Active Directory (Azure AD), conditional access policies do not directly apply to non-interactive authentication requests. Let me explain further:

Conditional Access Policies:

  • Conditional Access policies in Azure AD allow you to define rules based on various conditions (such as user location, device state, application, etc.) to control access to your resources.

  • These policies are typically enforced after the first-factor authentication (such as username/password or MFA) is completed.

  • They help enhance security by ensuring that access is granted or denied based on specific criteria.

Non-Interactive Sign-In Requests:

  • Non-interactive sign-ins are performed by client apps or OS components on behalf of a user.

  • These sign-ins do not require any interaction or authentication factor from the user.

  • Examples of non-interactive sign-ins include:

  1. Using an OAuth 2.0 refresh token to obtain an access token.

  2. Performing single sign-on (SSO) to a web or Windows app on an Azure AD-joined PC.

  3. Signing in to a second Microsoft Office app while having an active session on a mobile device using FOCI (Family of Client IDs).

Why Conditional Access Policies Don’t Evaluate Non-Interactive Sign-Ins:

  • Azure conditional access policies are not triggered for requests that come with valid refresh tokens.

  • When a mobile application presents a valid refresh token to Azure AD, the request is not treated as a risky sign-in. The IP address recorded for the non-interactive sign-in is not the actual source IP of the refresh-token request; instead, it shows the IP address that was used when the original token was issued.

Alternative Approaches:

  • If you need to enforce security policies for non-interactive sign-ins, consider other approaches:

  1. Monitoring and Alerts: Set up monitoring and alerts to detect unusual or suspicious behavior related to non-interactive sign-ins.

  2. Application-Specific Controls: Some applications allow you to configure specific controls for non-interactive sign-ins within the app itself.

  3. Custom Solutions: Depending on your requirements, you might need to build custom solutions or use third-party tools to address non-interactive sign-in scenarios.
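As an added example of the "Monitoring and Alerts" approach (this is illustrative code, not part of the original page or of any Microsoft tooling), the script below builds a per-user baseline from interactive sign-ins where Conditional Access was evaluated, then flags non-interactive sign-ins that Conditional Access did not apply to and that do not match that baseline. The log records are constructed for the example; field names are modelled on the Entra sign-in log schema and are an assumption.

```python
"""Flag non-interactive Entra sign-ins that Conditional Access did not
evaluate and that do not match the user's interactive sign-in baseline."""
import json
from collections import defaultdict

# Constructed sample records (JSON lines). Field names are modelled on the
# Entra sign-in log schema; every value below is made up for this example.
SAMPLE_LOG = """
{"userPrincipalName":"alice@contoso.example","isInteractive":true,"conditionalAccessStatus":"success","ipAddress":"203.0.113.10","appDisplayName":"Outlook Mobile","createdDateTime":"2024-05-01T08:00:00Z"}
{"userPrincipalName":"alice@contoso.example","isInteractive":false,"conditionalAccessStatus":"notApplied","ipAddress":"203.0.113.10","appDisplayName":"Outlook Mobile","createdDateTime":"2024-05-01T09:00:00Z"}
{"userPrincipalName":"alice@contoso.example","isInteractive":false,"conditionalAccessStatus":"notApplied","ipAddress":"198.51.100.7","appDisplayName":"Microsoft Teams","createdDateTime":"2024-05-01T09:30:00Z"}
{"userPrincipalName":"bob@contoso.example","isInteractive":false,"conditionalAccessStatus":"notApplied","ipAddress":"192.0.2.44","appDisplayName":"Microsoft Teams","createdDateTime":"2024-05-01T10:00:00Z"}
"""

def parse_log(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_unevaluated_sign_ins(records):
    """Return (user, time, app, ip, reasons) for each non-interactive sign-in
    with conditionalAccessStatus 'notApplied' that deviates from the user's
    baseline of CA-evaluated interactive sign-ins (IPs and apps)."""
    baseline_ips = defaultdict(set)
    baseline_apps = defaultdict(set)
    for r in records:
        if r["isInteractive"] and r["conditionalAccessStatus"] == "success":
            baseline_ips[r["userPrincipalName"]].add(r["ipAddress"])
            baseline_apps[r["userPrincipalName"]].add(r["appDisplayName"])
    findings = []
    for r in records:
        if r["isInteractive"] or r["conditionalAccessStatus"] != "notApplied":
            continue
        user = r["userPrincipalName"]
        reasons = []
        if not baseline_ips[user]:
            reasons.append("no CA-evaluated interactive sign-in on record for user")
        else:
            if r["ipAddress"] not in baseline_ips[user]:
                reasons.append("ip not seen in user's interactive sign-ins")
            if r["appDisplayName"] not in baseline_apps[user]:
                reasons.append("app not seen in user's interactive sign-ins (possible FOCI SSO)")
        if reasons:
            findings.append((user, r["createdDateTime"], r["appDisplayName"],
                             r["ipAddress"], reasons))
    return findings

if __name__ == "__main__":
    for finding in find_unevaluated_sign_ins(parse_log(SAMPLE_LOG)):
        print(finding)
```

In a real deployment the records would come from the non-interactive sign-in log export rather than an inline string, and the baseline window should be bounded to recent interactive sign-ins.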

Customer-facing reference: https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins