Policy: Block LegacyAuth - Enabled
Policy: Require MFA for external - Enabled
Policy: Token protections - Audit only
Observation: OAuth delegated token flows were not blocked by current policy mode.
Policy: Require compliant device for admin apps - Enabled
Policy: Block impossible travel (interactive) - Enabled
Policy: Token binding enforcement - Disabled
Policy: Session risk reevaluation - Every 8 hours
Exception Group: Service Integrations (34 objects)
Exception Group: Legacy Scheduling Bots (9 objects)
Note: Some delegated app flows inherit service integration exceptions.