Many applications, such as the ones you listed above, cache the refresh token and use it to keep the user signed in by continuously renewing the access token. For this reason, once you disable a user you should revoke all refresh tokens by hitting the corresponding button in the portal or using any of the other methods detailed here: https://learn.microsoft.com/en-us/entra/identity/users/users-revoke-access#microsoft-entra-environment
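One way to script the revocation described above and then check how the remaining non-interactive attempts are being handled, as an added example that is not part of the original answer. It assumes the Microsoft Graph PowerShell SDK (including the beta reports module) is installed; the UPN is a placeholder and the seven-day window is an arbitrary choice.

```powershell
# Added example, not from the original thread.
# Assumes modules: Microsoft.Graph.Users, Microsoft.Graph.Users.Actions,
# Microsoft.Graph.Beta.Reports. The UPN below is a placeholder.
$upn = 'former.employee@contoso.example'

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All'

# Confirm the account really is disabled before relying on revocation alone.
$user = Get-MgUser -UserId $upn -Property 'id,userPrincipalName,accountEnabled'
if ($user.AccountEnabled) {
    throw "$upn is still enabled; disable the account first."
}

# Invalidate the refresh tokens that client apps have cached for this user.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# Pull the last 7 days of non-interactive sign-ins for the user.
# signInEventTypes is only filterable on the beta sign-in log endpoint.
$since  = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "userId eq '$($user.Id)' and createdDateTime ge $since " +
          "and signInEventTypes/any(t: t eq 'nonInteractiveUser')"
$signIns = Get-MgBetaAuditLogSignIn -Filter $filter -All

# Summarize per application and result code.
# ErrorCode 0 is a success; 50057 is "user account is disabled".
$summary = $signIns |
    Group-Object AppDisplayName, { $_.Status.ErrorCode } |
    ForEach-Object {
        $latest = $_.Group | Sort-Object CreatedDateTime | Select-Object -Last 1
        [pscustomobject]@{
            App           = $latest.AppDisplayName
            ErrorCode     = $latest.Status.ErrorCode
            FailureReason = $latest.Status.FailureReason
            Count         = $_.Count
            LastSeenUtc   = $latest.CreatedDateTime
        }
    }
$summary | Sort-Object Count -Descending | Format-Table -AutoSize

# Any successful token renewal for a disabled account needs investigation.
$succeeded = $summary | Where-Object { $_.ErrorCode -eq 0 }
if ($succeeded) {
    Write-Warning "Successful non-interactive sign-ins found for $upn"
}
```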
Non-Interactive Sign-in Logs by Past Employee with Disabled Account.
We have a former employee whose account is disabled, but I still observe non-interactive sign-in logs occurring in groups of 12 or 13, with more appearing if the aggregate logs are expanded. There are no interactive sign-in attempts. The former employee's account is still in the directory because they may work for us again in the future. The account has no active license, is not assigned any roles or applications, does not belong to any groups, and is disabled.
The applications generating failed sign-in attempts are Microsoft Office, Microsoft Application Command Service, Universal Store Native Client, FXIrisClient, and OneDrive SyncEngine.
Non-interactive sign-ins are conducted on behalf of a user. These delegated sign-ins are performed by a client app or OS components on behalf of a user and do not require the user to provide an authentication factor. Instead, Microsoft Entra ID recognizes when the user's token needs to be refreshed and does so behind the scenes, without interrupting the user's session. In general, the user perceives these sign-ins as occurring in the background.
Why am I seeing these failed sign-in attempts and how can I stop them?
Attached is a screenshot of the failed attempts.
Thank you
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Vasil Michev 119.9K Reputation points MVP Volunteer Moderator
2024-08-02T15:56:34.4166667+00:00