Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
24,342 questions
High Volume of Entra ID Sign-In Errors (Code 70043) Triggering MS Sentinel Alerts
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 33%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETS%3C/text%3E%3C/svg%3E)
Tilman Schmidt
100
Reputation points
I'm monitoring a tenant with about 2000 users with E5 licenses using Microsoft Sentinel with the Microsoft Entra ID solution from Content Hub. In the "Summary of top errors" section of the Microsoft Entra ID Sign-in logs workbook, the top entry is always:
Error Code: 70043
Reason: Other
Category: NonInteractiveSignInLogs
with an error count of about 250.000 for the default time range of 14 days. This outdistances all other entries by at least a factor of 10.
At the same time, the analytics rule "Attempt to bypass conditional access rule in Microsoft Entra ID" produces a steady stream of alerts, most of them triggered by sign-in events with result code 70043.
The sign-in error decoder at https://login.microsoftonline.com/error?code=70043 tells me the message associated with that code isn't "Other" after all, but:
"The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. The token was issued on {issueDate} and the maximum allowed lifetime for this request is {time}."
(The {issueDate} and {time} information seems to be unavailable in MS Sentinel.)
This looks to me like a normal event and not a failure or attempt to bypass at all.
Questions:
- Is it normal to see such a big number of 70043 errors?
- If so, how can I tell Sentinel to shut up about it?
- If not, what may be the problem and how would I go about to fix it?
Microsoft Entra ID
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 55.00000000000001%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Sanoop M 2,810 Reputation points Microsoft External Staff2025-03-21T22:00:28.5166667+00:00 Hello @Tilman Schmidt,
Based on your description, I understand that you are getting alerts in Microsoft Sentinel regarding High Volume of Entra ID Sign-In Errors with Error Code 70043.
Please note that the Category is shown as NonInteractiveSignInLogs.
What is a non-interactive user sign-in?
Non-interactive sign-ins are done on behalf of a user. These delegated sign-ins were performed by a client app or OS components on behalf of a user and don't require the user to provide an authentication factor. Instead, Microsoft Entra ID recognizes when the user's token needs to be refreshed and does so behind the scenes, without interrupting the user's session. In general, the user perceives these sign-ins as happening in the background.
Log details
The following examples show the type of information captured in the non-interactive user sign-in logs:
- A client app uses an OAuth 2.0 refresh token to get an access token.
- A client uses an OAuth 2.0 authorization code to get an access token and refresh token.
- A user performs single sign-on (SSO) to a web or Windows app on a Microsoft Entra joined PC (without providing an authentication factor or interacting with a Microsoft Entra prompt).
- A user signs in to a second Microsoft Office app while they have a session on a mobile device using FOCI (Family of Client IDs).
In addition to the default fields, the non-interactive sign-in log also shows:
- Resource ID
- Number of grouped sign-ins
You can't customize the fields shown in this report.
Since it is related to Non interactive sign in logs, it is an expected behavior that you are seeing the high volume of Entra ID Sign in errors.
So it is safe to remove those alerts from Microsoft Sentinel.
For additional details, please refer to the below documents for your reference.
Non-interactive sign-in logs - Microsoft Entra ID | Microsoft Learn
Relate alerts to incidents in Microsoft Sentinel in the Azure portal | Microsoft Learn
I hope this above information provided is helpful. Please feel free to reach out if you have any further questions.
-
Sanoop M 2,810 Reputation points Microsoft External Staff
2025-03-24T22:33:24.8+00:00 Hello @Tilman Schmidt,
I am following up to see if the above answer was helpful. If this answers your query, do click
Accept AnswerandYesfor was this answer helpful. And, if you have any further query please do let us know. -
Tilman Schmidt 100 Reputation points
2025-03-25T09:15:02.6533333+00:00 Hello @Sanoop M ,
please forgive me for taking so long to reply. I am still trying to understand your answer and my options in this situation.
You wrote: "it is safe to remove those alerts from Microsoft Sentinel." Could you elaborate on that? How would I proceed in order to achieve that? Is there a configuration option for that? Is it the fault of the "Attempt to bypass conditional access rule in Microsoft Entra ID" analytics rule which generates them? Should I fix that rule, or just deactivate it completely because it produces too many false positives?
Similar question for the "Microsoft Entra ID Sign-in logs" workbook. Can I fix it so that it doesn't report non-interactive sign-in events with result code 70043 as errors? Or do I just have to live with them permanently occupying the pole position of "top errors", in red? Is there a better alternative?
Thanks a lot for your assistance,
Tilman -
Sanoop M 2,810 Reputation points Microsoft External Staff
2025-03-25T20:53:02.72+00:00 Hello @Tilman Schmidt,
Thank you for your response.
Please send us an email on 'azcommunity@microsoft.com' with Sub - "ATTN: sanoopm" and following details in the email body: Link to this thread/post.
We can connect offline and discuss further on this issue.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 77%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Rukmini 1,441 Reputation points Microsoft External Staff2025-04-03T09:41:01.9533333+00:00 Hello @Tilman Schmidt,
Apologies for the delayed response. Based on my findings regarding the issue, you can customize the workbook as per your requirements by leveraging a KQL query for customization.
However, we need to identify the root cause of the 70043 error. I have seen a similar case internally where this error was resolved by adjusting Conditional Access policy settings. The recommended approach depends on the specific environment.
To investigate this further, a support ticket may be required. If you have a support plan, I recommend opening a support ticket. Otherwise, please share the subscription ID via private message so we can enable one-time support, allowing you to collaborate with our support team for further investigation.
Let me know if you have any questions—feel free to reach out
-
Rukmini 1,441 Reputation points Microsoft External Staff
2025-04-04T03:24:03.33+00:00 @Tilman Schmidt, We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
-
Tilman Schmidt 100 Reputation points
2025-04-04T08:40:54.21+00:00 @rukmini I'm sorry I'm unable to respond as quickly as you apparently expect. I need a bit of time to digest your reply and look at the workbook to see whether I feel able to customize it on my own. Also, I have a few other duties so I can't guarantee to always reply on the same day. Is that a problem?
-
Rukmini 1,441 Reputation points Microsoft External Staff
2025-04-04T12:38:46.04+00:00 @Tilman Schmidt, No problem you can try to customize the workbook and Let me know if you have any issues—feel free to reach out
-
Tilman Schmidt 100 Reputation points
2025-04-09T09:51:02.9733333+00:00 (deleted)
-
Rukmini 1,441 Reputation points Microsoft External Staff
2025-04-09T09:58:47.6333333+00:00 Hello @Tilman Schmidt,
To investigate this further, a support ticket may be required. If you have a support plan, I recommend opening a support ticket. Otherwise, please share the subscription ID via private message so we can enable one-time support, allowing you to collaborate with our support team for further investigation.
-
Rukmini 1,441 Reputation points Microsoft External Staff
2025-04-14T11:57:29.84+00:00 @Tilman Schmidt, As the issue needs detailed troubleshooting, we have engaged our support team via support ticket where they will be assisting you further on this. Feel free to share the resolution here once the issue is resolved so that it helps the community members looking for similar issue.
Sign in to comment
Sign in to answer