Started receiving excessive interactive sign-in events all of a sudden and need it to stop.

Question

Started receiving excessive interactive sign-in events all of a sudden and need it to stop.

Doug Greene 25

I understand about refresh tokens and all; but these are non-interactive events showing up on the interactive portion of the sign-in log. It was not always this way - only started a week or so ago. Looking for a setting perhaps to revert to the original scenario. See attachment.

Thank you.

Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator

2025-02-26T17:51:28.5666667+00:00

not seeing any attachment
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-02-26T18:54:07.0833333+00:00

Hello Doug Greene,

Thank you for posting your query on Microsoft Q&A.

Noninteractive authentication can only be used after an interactive authentication has taken place. During noninteractive authentication, the user does not input logon data, instead, previously established credentials are used.

If you share the screenshot of the non-interactive sign-ins showing in interactive sign-ins blade, it will be helpful for us to diagnose the issue.

You added it is intermittent. Is this happening to a single user or application
Doug Greene 25 Reputation points

2025-02-26T19:07:00.6+00:00

Screenshot 2025-02-26 114744.png

Sorry - missed on the attachment in first round.

Not intermittent. All the time for one user - me. Based on response here so far, it sucks to be me because there's no way to stop it. The fact that it never used to happen, now it does - implies a change on the Microsoft end. don'tcha just love a great explanation instead of a solution? :)

Thank you all for your replies.

D
Doug Greene 25 Reputation points

2025-02-26T19:23:00.3233333+00:00

Screenshot 2025-02-26 114744.png

Not intermittent. Shows all the time. On my account only. Which is a global admin. My issue is with the report itself - why did it start showing the extra stuff now (after at least a year)? All well and good if Microsoft, in its wisdom, made a change; but I thought i would ask anyway.

D
SrideviM 5,715 Reputation points Microsoft External Staff Moderator

2025-02-27T05:19:07.2633333+00:00

Hello Doug Greene,

I understand you're seeing non-interactive events in the interactive sign-in log, and I get how frustrating that can be—especially since it wasn’t happening before.

There are some special considerations in how Microsoft categorizes sign-ins in the logs. In the past, some non-interactive sign-ins, such as those from Exchange clients, were included in the interactive logs because there wasn’t a separate category for them. Even after Microsoft introduced a non-interactive sign-in log, certain types of sign-ins, including FIDO2 security keys, still appear in the interactive logs due to how the system was originally designed. These sign-ins might look interactive because they display browser details and credential type, even though they technically aren’t.

Since this started showing up for you recently, Microsoft likely made a change that now includes these events in the report. Unfortunately, sign-in logs are system-generated and can’t be changed or removed, so there’s no way to switch it back.

Microsoft has documented this behavior in their interactive sign-in logs article, explaining why some non-interactive events still show up in the interactive report. You can check it out here:

This seems to be more of a reporting adjustment rather than something affecting security. I know unexpected changes like this can be frustrating, but hope this helps clear things up!

Reference: Interactive user sign-in logs - Microsoft Entra ID

Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.
SrideviM 5,715 Reputation points Microsoft External Staff Moderator

2025-02-27T09:00:36.5733333+00:00

Hello Doug Greene,

Regarding excessive logs, Microsoft has recently started capturing sign-in events in more detail. This means what used to be a single sign-in entry may now appear as multiple—one for password authentication, another for MFA, and potentially more depending on the authentication flow.

If you click on each entry in the sign-in logs, you should be able to see more details explaining why these additional logs are showing up. It’s not necessarily an issue, just a change in how authentication events are recorded.
Doug Greene 25 Reputation points

2025-02-28T12:21:54.02+00:00

Thank you! Well done.
SrideviM 5,715 Reputation points Microsoft External Staff Moderator

2025-02-28T15:05:33.03+00:00

Hi Doug Greene,

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.

Accepted answer

0 additional answers

Your answer

Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator

2025-02-26T17:51:28.5666667+00:00

not seeing any attachment
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-02-26T18:54:07.0833333+00:00

Hello Doug Greene,

Thank you for posting your query on Microsoft Q&A.

Noninteractive authentication can only be used after an interactive authentication has taken place. During noninteractive authentication, the user does not input logon data, instead, previously established credentials are used.

If you share the screenshot of the non-interactive sign-ins showing in interactive sign-ins blade, it will be helpful for us to diagnose the issue.

You added it is intermittent. Is this happening to a single user or application
Doug Greene 25 Reputation points

2025-02-26T19:07:00.6+00:00

Screenshot 2025-02-26 114744.png

Sorry - missed on the attachment in first round.

Not intermittent. All the time for one user - me. Based on response here so far, it sucks to be me because there's no way to stop it. The fact that it never used to happen, now it does - implies a change on the Microsoft end. don'tcha just love a great explanation instead of a solution? :)

Thank you all for your replies.

D
Doug Greene 25 Reputation points

2025-02-26T19:23:00.3233333+00:00

Screenshot 2025-02-26 114744.png

Not intermittent. Shows all the time. On my account only. Which is a global admin. My issue is with the report itself - why did it start showing the extra stuff now (after at least a year)? All well and good if Microsoft, in its wisdom, made a change; but I thought i would ask anyway.

D
SrideviM 5,715 Reputation points Microsoft External Staff Moderator

2025-02-27T05:19:07.2633333+00:00

Hello Doug Greene,

I understand you're seeing non-interactive events in the interactive sign-in log, and I get how frustrating that can be—especially since it wasn’t happening before.

There are some special considerations in how Microsoft categorizes sign-ins in the logs. In the past, some non-interactive sign-ins, such as those from Exchange clients, were included in the interactive logs because there wasn’t a separate category for them. Even after Microsoft introduced a non-interactive sign-in log, certain types of sign-ins, including FIDO2 security keys, still appear in the interactive logs due to how the system was originally designed. These sign-ins might look interactive because they display browser details and credential type, even though they technically aren’t.

Since this started showing up for you recently, Microsoft likely made a change that now includes these events in the report. Unfortunately, sign-in logs are system-generated and can’t be changed or removed, so there’s no way to switch it back.

Microsoft has documented this behavior in their interactive sign-in logs article, explaining why some non-interactive events still show up in the interactive report. You can check it out here:

This seems to be more of a reporting adjustment rather than something affecting security. I know unexpected changes like this can be frustrating, but hope this helps clear things up!

Reference: Interactive user sign-in logs - Microsoft Entra ID

Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.
SrideviM 5,715 Reputation points Microsoft External Staff Moderator

2025-02-27T09:00:36.5733333+00:00

Hello Doug Greene,

Regarding excessive logs, Microsoft has recently started capturing sign-in events in more detail. This means what used to be a single sign-in entry may now appear as multiple—one for password authentication, another for MFA, and potentially more depending on the authentication flow.

If you click on each entry in the sign-in logs, you should be able to see more details explaining why these additional logs are showing up. It’s not necessarily an issue, just a change in how authentication events are recorded.
Doug Greene 25 Reputation points

2025-02-28T12:21:54.02+00:00

Thank you! Well done.
SrideviM 5,715 Reputation points Microsoft External Staff Moderator

2025-02-28T15:05:33.03+00:00

Hi Doug Greene,

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.

Answer 1

Hello Doug Greene,

I understand you're seeing non-interactive events in the interactive sign-in log, and I get how frustrating that can be especially since this wasn’t happening before.

There are some special considerations in how Microsoft categorizes sign-ins:

Previously, certain non-interactive sign-ins (e.g., Exchange clients) were included in interactive logs because there wasn’t a separate category for them.
Even after Microsoft introduced a non-interactive sign-in log, some authentication methods, like FIDO2 security keys, still appear in interactive logs due to how the system processes them.
These sign-ins might seem interactive because they display browser details and credential type, even though they technically aren’t.

Since this started showing up for you recently, Microsoft likely made a change that now includes these events in the report. Unfortunately, sign-in logs are system-generated and can’t be changed or removed, so there’s no way to switch it back.

Microsoft has documented this behavior in their interactive sign-in logs article, explaining why some non-interactive events still show up in the interactive report. You can check that here:

enter image description here

This seems to be more of a reporting adjustment rather than something affecting security. I know unexpected changes like this can be frustrating but hope this helps clear things up!

Regarding Excessive logs:

Microsoft has recently started capturing sign-in events in more detail. What used to be a single sign-in entry may now appear as multiple—one for password authentication, another for MFA, and potentially more depending on the authentication flow. Clicking on each entry in the sign-in logs should provide more details on why these additional logs are showing up. It’s not necessarily an issue, just a change in how authentication events are recorded.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

User's image

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.

SrideviM 5,715 Reputation points Microsoft External Staff Moderator

2025-02-28T15:09:34.2633333+00:00

Hello Doug Greene,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes, if you have any further query do let us know.

Share via

Started receiving excessive interactive sign-in events all of a sudden and need it to stop.

0 additional answers

Your answer