Excessive interactive sign-in events

LM-5132 170 Reputation points
2024-12-02T18:56:47.8633333+00:00

Hello,

I am curious why a certain user recently started having excessive "interactive" sign-in events. The non-interactive events are very few for the same user and time.

This user has 116 sign-in events for the same application (Office365 Shell WCSS-Client) from 11:16 am to 12:52 pm (1 hour and 36 minutes).

If a user selects "Always stay signed-in", will this reduce the number of sign-in events? This feature should not be enabled for security purposes.

Below is some info I gathered.

The Office365 Shell WCSS-Client is a backend component of Microsoft 365 that provides user interface (UI) elements and functionality for Microsoft 365 web applications. It's responsible for loading and managing the shell experience, including menus, navigation, and various UI components users interact with when using Microsoft 365 services like Outlook, Word Online, Excel Online, etc., in a browser.

Seeing over 100 sign-in events in a short time for the WCSS-Client in Microsoft Entra ID (formerly Azure AD) sign-in logs is not unusual and often relates to the following:

  1. Frequent Background Requests:
    • The WCSS-Client continuously makes API calls in the background to refresh tokens, synchronize data, and ensure the UI remains up to date.
  2. User Activity in Microsoft 365:
    • If the user is actively working in multiple browser tabs or applications, each session may initiate separate authentication requests, resulting in multiple logs.
  3. Browser Behavior:
    • Modern browsers often pre-fetch or refresh resources to improve user experience, which can generate additional sign-in events.

"Notice the 4 events for the same time, down to the second."

Is this normal?

If we retain logs for compliance, will this incur unnecessary costs from retaining repetitive logs?

Wouldn't API calls and refresh tokens be the non-interactive sign-in events?

Any suggestions on how to reduce unnecessary repetitive log events?

User's image

Thank you

Microsoft Entra ID

Accepted answer
  1. Bandela Siri Chandana 1,875 Reputation points Microsoft External Staff
    2024-12-06T12:14:34.88+00:00

    Hi @LM-5132

    Thank you for posting your query on Microsoft Q&A.

    I understand that you are encountering excessive interactive sign-in events for the same application "Office365 Shell WCSS-Client".

    API calls and refresh tokens are the non-interactive sign-in events.

    Office 365 Shell WCSS-Client is the browser code that runs whenever a user navigates to (most) Office365 applications in the browser. The shell, also known as the suite header, is shared code that loads as part of almost all Office365 workloads, including SharePoint, OneDrive, Outlook, Yammer, and many more.

    A user navigating through different Office365 workloads can expect to see several different requests in the sign-in logs. This is normal expected behaviour.

    Hope this helps. Do let us know if you have any further queries.


    If this answers your query, do click `Accept Answer` and `Yes`.

    Thanks,

    B. Siri Chandana.

    1 person found this answer helpful.
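An added example, not part of the original thread and not Microsoft's code: a short Python script that summarizes exported sign-in records per user and application, counting interactive versus non-interactive events and same-second clusters like the four mentioned in the question. The sample rows, user name and IP address are constructed, and the field names are assumed to follow the Microsoft Graph `signIn` resource.

```python
from collections import Counter, defaultdict
from datetime import datetime

APP = "Office365 Shell WCSS-Client"

def _row(ts, interactive=True, ip="203.0.113.10"):
    # Helper for building constructed sample rows (hypothetical user and IP).
    return {"createdDateTime": ts, "userPrincipalName": "user@example.com",
            "appDisplayName": APP, "isInteractive": interactive, "ipAddress": ip}

# Constructed sample data, not real log output.
SAMPLE = [
    _row("2024-12-02T11:16:05Z"), _row("2024-12-02T11:16:05Z"),
    _row("2024-12-02T11:16:05Z"), _row("2024-12-02T11:16:05Z"),
    _row("2024-12-02T11:40:12Z"), _row("2024-12-02T11:40:13Z"),
    _row("2024-12-02T12:52:30Z"),
    _row("2024-12-02T11:41:00Z", interactive=False),
]

def _second(ts):
    # Truncate to whole seconds so fractional timestamps bucket together.
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S")

def summarize(rows):
    """Summarize sign-in volume per (user, app) pair."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["userPrincipalName"], r["appDisplayName"])].append(r)
    report = {}
    for key, rs in groups.items():
        inter = [r for r in rs if r["isInteractive"]]
        buckets = Counter(_second(r["createdDateTime"]) for r in inter)
        span = (max(buckets) - min(buckets)).total_seconds() / 60 if buckets else 0.0
        report[key] = {
            "interactive": len(inter),
            "non_interactive": len(rs) - len(inter),
            "span_minutes": round(span, 1),
            "max_same_second": max(buckets.values(), default=0),
            # Events beyond the first in each one-second bucket.
            "same_second_repeats": sum(n - 1 for n in buckets.values()),
            "distinct_ips": len({r["ipAddress"] for r in inter}),
        }
    return report

if __name__ == "__main__":
    for key, stats in summarize(SAMPLE).items():
        print(key, stats)
```

Running the same summary over a baseline period for the user gives a before-and-after comparison of interactive sign-in volume for the application.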
