Started receiving excessive interactive sign-in events all of a sudden and need it to stop.

Doug Greene 25 Reputation points
2025-02-26T17:49:38.0766667+00:00

I understand about refresh tokens and all; but these are non-interactive events showing up on the interactive portion of the sign-in log. It was not always this way - only started a week or so ago. Looking for a setting perhaps to revert to the original scenario. See attachment.

Thank you.

Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} votes

Accepted answer
  1. SrideviM 5,710 Reputation points Microsoft External Staff Moderator
    2025-02-27T15:21:06.2333333+00:00

    Hello Doug Greene,

    I understand you're seeing non-interactive events in the interactive sign-in log, and I get how frustrating that can be especially since this wasn’t happening before.

    There are some special considerations in how Microsoft categorizes sign-ins:

    • Previously, certain non-interactive sign-ins (e.g., Exchange clients) were included in interactive logs because there wasn’t a separate category for them.
    • Even after Microsoft introduced a non-interactive sign-in log, some authentication methods, like FIDO2 security keys, still appear in interactive logs due to how the system processes them.
    • These sign-ins might seem interactive because they display browser details and credential type, even though they technically aren’t.

    Since this started showing up for you recently, Microsoft likely made a change that now includes these events in the report. Unfortunately, sign-in logs are system-generated and can’t be changed or removed, so there’s no way to switch it back.

    Microsoft has documented this behavior in their interactive sign-in logs article, explaining why some non-interactive events still show up in the interactive report. You can check that here:

    enter image description here

    This seems to be more of a reporting adjustment rather than something affecting security. I know unexpected changes like this can be frustrating but hope this helps clear things up!

    Regarding Excessive logs:

    Microsoft has recently started capturing sign-in events in more detail. What used to be a single sign-in entry may now appear as multiple—one for password authentication, another for MFA, and potentially more depending on the authentication flow. Clicking on each entry in the sign-in logs should provide more details on why these additional logs are showing up. It’s not necessarily an issue, just a change in how authentication events are recorded.


    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    User's image

    If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.