How to disable data aggregation in interactive sign-in logs in Azure AD?

Thomas Krohnfuß 20 Reputation points
2023-05-16T12:27:01.56+00:00

I would like to know if there is a way to disable data aggregation in the interactive sign-in logs in Azure AD. I have noticed that all sign-in events in our tenant have the same timestamp of 02:00:00 AM, which makes it impossible to sort them by date and time. This is very inconvenient for monitoring and troubleshooting purposes. Is there a setting or a workaround to fix this issue?

Thank you for your assistance.
Thomas


Accepted answer
  1. JamesTran-MSFT 36,611 Reputation points Microsoft Employee
    2023-05-24T16:53:54.52+00:00

    @Thomas Krohnfuß

    Thank you for following up on this and I apologize for the delayed response!

    From your screenshot and within my own Azure AD tenant, I do see that the non-interactive user sign-ins are aggregated together, and you can only see the actual login times when you expand the Date/Time entries.

    Findings:

    When looking more into your issue, I noticed that the Sign-in logs in Azure Active Directory (preview) documentation, specifically the Non-interactive user sign-ins section, mentions that you can't customize the fields shown in this report, as shared by @Andy David - MVP.

    However, to hopefully help point you in the right direction I noticed that if you download the sign-in logs, the data won't be aggregated and will show the Date/Time (UTC) entries individually.

    Note: The downloaded data shows UTC time even if the filter is set to show dates as Local.

    Non-interactive user sign-ins:

    To make it easier to digest the data, non-interactive sign-in events are grouped. Clients often create many non-interactive sign-ins on behalf of the same user in a short time period. The non-interactive sign-ins share the same characteristics except for the time the sign-in was attempted. For example, a client may get an access token once per hour on behalf of a user. If the state of the user or client doesn't change, the IP address, resource, and all other information is the same for each access token request. The only state that does change is the date and time of the sign-in. When Azure AD logs multiple sign-ins that are identical other than time and date, those sign-ins are from the same entity and are aggregated into a single row. A row with multiple identical sign-ins (except for date and time issued) has a value greater than 1 in the # sign-ins column. These aggregated sign-ins may also appear to have the same time stamps. The Time aggregate filter can be set to 1 hour, 6 hours, or 24 hours. You can expand the row to see all the different sign-ins and their different time stamps.

    Because disabling the data aggregation within the Sign-in logs isn't possible, I'd recommend leveraging our User Voice forum and creating a feature request, so our engineering team can look into implementing this. I've also created an internal feature request, so our engineering team is aware of this as well.

    I hope this helps!

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.


    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

    1 person found this answer helpful.
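
The grouping described in the accepted answer, and the per-event UTC timestamps that a downloaded export keeps, shown as an added example that is not part of the original thread or Microsoft's code. The JSON field names follow the Microsoft Graph signIn resource and, like the alignment of windows to UTC hour boundaries, are assumptions; the sample records are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample export. Field names follow the Microsoft Graph signIn
# resource (assumption); users, apps and addresses are made up.
SAMPLE_EXPORT = json.dumps([
    {"createdDateTime": t, "userPrincipalName": u, "appDisplayName": a,
     "ipAddress": ip, "resourceDisplayName": r}
    for t, u, a, ip, r in [
        ("2023-05-16T11:12:47Z", "alice@contoso.example", "Outlook", "203.0.113.10", "Exchange Online"),
        ("2023-05-16T09:12:44Z", "alice@contoso.example", "Outlook", "203.0.113.10", "Exchange Online"),
        ("2023-05-17T01:05:00Z", "bob@contoso.example", "Teams", "203.0.113.10", "Teams"),
        ("2023-05-16T10:40:02Z", "alice@contoso.example", "Outlook", "198.51.100.7", "Exchange Online"),
        ("2023-05-16T10:12:45Z", "alice@contoso.example", "Outlook", "203.0.113.10", "Exchange Online"),
    ]
])

# Everything except the time must match for two sign-ins to share a row.
KEY_FIELDS = ("userPrincipalName", "appDisplayName", "ipAddress", "resourceDisplayName")

def load_events(export_text):
    """Return the individual sign-ins sorted by their real UTC time."""
    events = json.loads(export_text)
    for e in events:
        stamp = e["createdDateTime"].replace("Z", "+00:00")
        e["_time"] = datetime.fromisoformat(stamp).astimezone(timezone.utc)
    return sorted(events, key=lambda e: e["_time"])

def aggregate(events, window_hours):
    """Group sign-ins identical on KEY_FIELDS inside one 1, 6 or 24 hour window."""
    if window_hours not in (1, 6, 24):
        raise ValueError("window must be 1, 6 or 24 hours")
    rows = defaultdict(list)
    for e in events:
        t = e["_time"]
        # Assumed alignment: windows start on UTC hour boundaries.
        bucket = t.replace(hour=t.hour - t.hour % window_hours, minute=0, second=0, microsecond=0)
        rows[(bucket,) + tuple(e.get(f) for f in KEY_FIELDS)].append(t)
    ordered = sorted(rows.items(), key=lambda kv: (kv[0][0], min(kv[1])))
    return [{"bucket": k[0], "key": k[1:], "count": len(v), "times": sorted(v)} for k, v in ordered]

if __name__ == "__main__":
    events = load_events(SAMPLE_EXPORT)
    for row in aggregate(events, 24):
        # One aggregated row, then the individual sign-in times it hides.
        print(row["bucket"].isoformat(), row["key"][0], "# sign-ins:", row["count"])
        for t in row["times"]:
            print("    ", t.isoformat())
```

With the 24-hour window the three Outlook sign-ins from the same address collapse into one row stamped with the window start, while `load_events` keeps all five events sortable by their own time.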

1 additional answer

  1. Andy David - MVP 147.8K Reputation points MVP
    2023-05-16T13:01:55.11+00:00
