JayWen
Copper Contributor
Nov 04, 2019

Conditional access not working with only user.read scope

I set a conditional access policy to block all apps and sign-ins. But if my request URL, like the one below, contains only the user.read scope for OAuth 2.0, it can obtain the token successfully without any block error.

But if we add openid to the URL, it pops up the block error as expected.

Could anyone help confirm whether this is by design or a real bug?

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?client_id=6731de76-14a6-49ae-97bc-6eba6914391e&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&response_mode=query&scope=user.read
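Added example, not part of the post: a small parser for the v2.0 authorize request above that reports which scopes are requested and whether the request asks for an OpenID Connect sign-in (the openid scope), plus a helper that produces the openid variant the poster compared against. The URL is taken from the post with its {tenant} placeholder kept as-is; the hypothetical function names and the OIDC scope set are this example's own assumptions, and the example makes no claim about how conditional access treats either request.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

# Constructed from the authorize URL quoted in the post (placeholder tenant kept).
POSTED_URL = (
    "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"
    "?client_id=6731de76-14a6-49ae-97bc-6eba6914391e&response_type=code"
    "&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&response_mode=query"
    "&scope=user.read"
)

# Scopes defined by OpenID Connect Core; "openid" is the one that makes the
# request an OIDC authentication request rather than a plain OAuth 2.0 one.
OIDC_SCOPES = {"openid", "profile", "email"}


def parse_authorize_request(url):
    """Break an authorize URL into the fields worth checking and classify it.

    Returns a dict; 'is_oidc' is True only when the openid scope is present.
    """
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)

    def first(name):
        return params.get(name, [""])[0]

    # scope is a space-delimited list; parse_qs already decoded %20 / '+'
    scopes = first("scope").split()
    return {
        "is_v2_authorize": parts.path.endswith("/oauth2/v2.0/authorize"),
        "client_id": first("client_id"),
        "response_type": first("response_type"),
        "response_mode": first("response_mode"),
        "redirect_uri": first("redirect_uri"),
        "scopes": sorted(scopes),
        "oidc_scopes": sorted(s for s in scopes if s in OIDC_SCOPES),
        "is_oidc": "openid" in scopes,
    }


def with_openid(url):
    """Return the same request with the openid scope added (no-op if present)."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    scopes = params.get("scope", [""])[0].split()
    if "openid" not in scopes:
        scopes = ["openid"] + scopes
    params["scope"] = [" ".join(scopes)]
    # urlencode re-escapes redirect_uri and joins the scope list with '+'
    query = urlencode(params, doseq=True)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


if __name__ == "__main__":
    for label, u in (("as posted", POSTED_URL), ("with openid", with_openid(POSTED_URL))):
        info = parse_authorize_request(u)
        print(f"{label}: scopes={info['scopes']} is_oidc={info['is_oidc']}")
```

Running it side by side makes the difference between the two requests explicit: the posted URL carries only the resource scope user.read, while the second form additionally asks for an OIDC authentication (an ID token), which is the distinction the poster observed behaving differently.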

No replies