Application credential sign-in activity is not reliable

Ajay Neethikannan 0 Reputation points
2025-05-09T13:15:52.15+00:00

Greetings Microsoft support team,

Additional details on the tenant:

I am currently going through the Entra sign-in logs in my tenant, and other tenants (using a consented multi-tenant application) to understand the usage of different credentials such as:

  1. Client secrets
  2. Client certificates

Using the following API for the purpose:
GET https://graph.microsoft.com/beta/reports/appCredentialSignInActivities

https://learn.microsoft.com/en-us/graph/api/resources/appcredentialsigninactivity

While using this API, I faced a couple of issues, if possible can I please get your help in resolving them:

Case 1: Unable to get the lastSignInRequestId in some cases

TenantId: cf34e223-1a50-4102-81c1-25badcc59575
ApplicationId: 4927164b-4944-4325-b8fc-1d1de148d26a
License: Entra ID P2

In some cases, the lastSignInRequestId is set to the value "aggregated", instead of showing the last sign-in requestId. This field is important to me because I want to extract more information related to the sign-in using the exact sign-in log matching the requestId. This would help me understand how the credential was used, what library was used, the IP address associated with the request, etc. by using the sign-in log ( SignIn logs )


A followup question on this, when I refresh the graph response using the graph explorer, sometimes when I try to refresh the response, the same object (with the same id) comes up with the exact lastSignInRequestId

Case 2 : Delays in getting the appCredentialSignInActivity for some applications

TenantId: cf34e223-1a50-4102-81c1-25badcc59575
ApplicationId: 4927164b-4944-4325-b8fc-1d1de148d26a
License: Entra ID P2

I am currently using two applications in my tenant
The applications are:

Application one:

Name: Test confidential client application
AppId: 4927164b-4944-4325-b8fc-1d1de148d26a
TenantId: cf34e223-1a50-4102-81c1-25badcc59575

Application two:
Name: UI Confidential Client App
AppId: 479d1038-dc0e-4e2d-ad51-d58a43fe98d6
TenantId: cf34e223-1a50-4102-81c1-25badcc59575

Both the applications have had credential activities from 7th May 2025
Earliest sign-in activity for application one using client secret ( serviceprincipal sign-in):
5/6/2025 6:47:10 AM

Earliest sign-in activity for application two using client secret ( non-interactive sign-in) :
5/7/2025 7:24:57 AM

Both the applications have used app credentials (client secrets) to access data using graph, and as of writing this, the appCredentialSignInActivity for application two is not present in the graph response
That could mean that the delay in getting the credential sign in activity could be more than 2-3 days

If possible can I please know what would be approximate latency of this API, in producing the appCredentialSignInActivity for an application

Case 3: Definitions of the fields in SignInActivity

The signInActivity for the application's credential is represented using the SignInActivity response type ( SignInActivity ), which has the following fields:

lastNonInteractiveSignInDateTime
lastNonInteractiveSignInRequestId
lastSignInDateTime
lastSignInRequestId
lastSuccessfulSignInDateTime
lastSuccessfulSignInRequestId

But from the API response, I can always see that only the lastSignInDateTime and lastSignInRequestId are populated. From checking the requestIds in sign-in logs, I can see that for both:
signInEventTypes = nonInteractiveUser
signInEventTypes = servicePrincipal
The same field is populated (lastSignInRequestId)

But by definition, the lastNonInteractiveSignInRequestId should be populated for nonInteractiveUser signins, and lastSignInRequestId should be populated for servicePrincipal signins

If possible can I please know the expected behavior here, and the fields we must use

Case 4 : Absence of data, could this be associated with licensing:

I have another test tenant, which has the Entra Free license

In this case, I don't see the appCredentialSignInActivity getting updated properly, and we have a very active application in this tenant

Yet, there are no appCredentialSignInActivities associated with this application
AppId: 1ea734c0-3cf1-40e3-b2c5-aa37713e2479
TenantId: 8a564d2d-045f-4ae1-82e4-6b819d5dc70e

If possible can I please know:

  1. Are there licensing requirements for accessing this API
  2. Does this API require any additional roles / setup instructions apart from Graph permissions

Thank you a lot in advance!
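The issues in Cases 1 and 3 above come down to how the `signInActivity` object is read once the API has returned it: some records carry an exact `lastSignInRequestId` that can be matched to a sign-in log entry, others carry the literal value `aggregated` and cannot. The script below is an added example, not code from the question or from Microsoft. It assumes the field names documented for the `appCredentialSignInActivity` resource (`appId`, `keyId`, `keyType`, `credentialOrigin`, `signInActivity.lastSignInDateTime`, `signInActivity.lastSignInRequestId`), assumes that a sign-in log entry's `id` equals its requestId (so the `$filter` it builds targets `id`), and runs against a constructed JSON payload with made-up GUIDs so it works offline; in practice you would feed it the body of `GET https://graph.microsoft.com/beta/reports/appCredentialSignInActivities`.

```python
"""Triage appCredentialSignInActivity records from Microsoft Graph (beta).

Added example (not from the original question or from Microsoft). Assumes the
documented resource shape and works on a constructed response so it runs
offline; replace SAMPLE_RESPONSE with the real API body.
"""
import json
from datetime import datetime, timedelta, timezone

AGGREGATED = "aggregated"  # literal returned instead of a requestId for rolled-up sign-ins

# Constructed sample payload; every GUID and timestamp below is made up.
SAMPLE_RESPONSE = json.dumps({"value": [
    {   # recent client-secret use with an exact requestId: can be correlated
        "appId": "00000000-0000-0000-0000-00000000aaaa",
        "keyId": "22222222-0000-0000-0000-000000000001",
        "keyType": "clientSecret", "credentialOrigin": "application",
        "signInActivity": {"lastSignInDateTime": "2025-05-08T09:12:00Z",
                           "lastSignInRequestId": "33333333-0000-0000-0000-000000000001"},
    },
    {   # non-interactive traffic rolled up: requestId is the literal "aggregated"
        "appId": "00000000-0000-0000-0000-00000000aaaa",
        "keyId": "22222222-0000-0000-0000-000000000002",
        "keyType": "certificate", "credentialOrigin": "servicePrincipal",
        "signInActivity": {"lastSignInDateTime": "2025-05-08T10:00:00Z",
                           "lastSignInRequestId": AGGREGATED},
    },
    {   # credential last used months ago: candidate for rotation or removal
        "appId": "00000000-0000-0000-0000-00000000bbbb",
        "keyId": "22222222-0000-0000-0000-000000000003",
        "keyType": "clientSecret", "credentialOrigin": "application",
        "signInActivity": {"lastSignInDateTime": "2025-01-15T03:00:00Z",
                           "lastSignInRequestId": "33333333-0000-0000-0000-000000000003"},
    },
]})

# Fixed clock so the sample gives repeatable results.
SAMPLE_NOW = datetime(2025, 5, 9, 13, 0, tzinfo=timezone.utc)


def parse_graph_time(value):
    """Graph returns ISO-8601 UTC timestamps with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def signin_lookup_filter(request_id):
    """OData $filter for the matching sign-in log entry, or None when the
    activity is aggregated and no single sign-in can be matched.
    Assumption: the signIn resource id equals the requestId."""
    if not request_id or request_id == AGGREGATED:
        return None
    return f"id eq '{request_id}'"


def triage(raw_json, now, stale_after=timedelta(days=90)):
    """Classify each credential activity record.

    correlatable  - False when lastSignInRequestId is 'aggregated' or missing
    stale         - last use older than stale_after, or never seen
    signin_filter - $filter for auditLogs/signIns, or None
    """
    results = []
    for rec in json.loads(raw_json).get("value", []):
        activity = rec.get("signInActivity") or {}
        request_id = activity.get("lastSignInRequestId")
        seen_raw = activity.get("lastSignInDateTime")
        last_seen = parse_graph_time(seen_raw) if seen_raw else None
        results.append({
            "appId": rec.get("appId"),
            "keyId": rec.get("keyId"),
            "keyType": rec.get("keyType"),
            "credentialOrigin": rec.get("credentialOrigin"),
            "lastSeen": last_seen,
            "correlatable": bool(request_id) and request_id != AGGREGATED,
            "stale": last_seen is None or (now - last_seen) > stale_after,
            "signin_filter": signin_lookup_filter(request_id),
        })
    return results


def count_by(results, field):
    """Tally records per value of a field, e.g. keyType -> {'clientSecret': 2, ...}."""
    tally = {}
    for r in results:
        tally[r[field]] = tally.get(r[field], 0) + 1
    return tally


if __name__ == "__main__":
    rows = triage(SAMPLE_RESPONSE, SAMPLE_NOW)
    print("credentials by type:", count_by(rows, "keyType"))
    for r in rows:
        flags = []
        if not r["correlatable"]:
            flags.append("AGGREGATED: no single sign-in to look up")
        if r["stale"]:
            flags.append("STALE: review or rotate")
        print(r["keyId"], r["keyType"], r["lastSeen"], "; ".join(flags) or "ok")
```

The `stale` flag is the defender's reason to read this report at all: a client secret or certificate that has not signed in for a long time is one to review and remove, while the `aggregated` entries show which records cannot be tied back to a single sign-in log line for IP or library details.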

1 answer

  1. Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator
    2025-05-13T14:38:08.8466667+00:00

    Hello Ajay Neethikannan,

    Thank you for posting your query in Microsoft Q&A.

    As you are testing a few scenarios to understand the use of different credentials such as Client Secrets and Client Certificates.

    Case 1:

    In some cases, the lastSignInRequestId is set to the value "aggregated", instead of showing the last sign-in requestId.

    Last signIn request Id is showing as "aggregated" instead of showing the Id.

    It might happen when you search for non-interactive sign-ins.

    On this I request you to download the sign-in logs, the data won't be aggregated and will show the Date/Time (UTC) entries individually.

    To make it easier to digest the data, non-interactive sign-in events are grouped. Clients often create many non-interactive sign-ins on behalf of the same user in a short time period. The non-interactive sign-ins share the same characteristics except for the time the sign-in was attempted. For example, a client may get an access token once per hour on behalf of a user. If the state of the user or client doesn't change, the IP address, resource, and all other information is the same for each access token request. The only state that does change is the date and time of the sign-in. When Azure AD logs multiple sign-ins that are identical other than time and date, those sign-ins are from the same entity and are aggregated into a single row. A row with multiple identical sign-ins (except for date and time issued) has a value greater than 1 in the # sign-ins column. These aggregated sign-ins may also appear to have the same time stamps. The Time aggregate filter can be set to 1 hour, 6 hours, or 24 hours. You can expand the row to see all the different sign-ins and their different time stamps.

    I suggest you refer to the document below.

    https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-noninteractive-sign-ins

    Disabling the data aggregation within the Sign-in logs isn't possible; I suggest you provide your feedback so that our engineering team can look into this as a feature request.

    Case 2:

    Delays in getting the appCredentialSignInActivity for some applications.

    Two applications using App Credential (Client Secret) to get data using MS Graph. For Application one we see interactive sign-in and for Application two it is non-interactive sign-in.

    Here we are not able to see all non-interactive sign-ins. A Non-interactive sign-in can only be used after a successful interactive sign-in happens. During noninteractive authentication, the user does not input logon data, instead, previously established credentials are used.

    Non-interactive sign-in events are grouped. Clients often create many non-interactive sign-ins on behalf of the same user in a short time period.

    If you observe the second screenshot in the non-interactive sign-in logs, it shows the sign-in logs as Graph is accessing two different resources, but not on a single resource.

    Case 3:

    Sign-in activity for application credential is represented using the SignInActivity, but the API response is showing only the lastSignInDateTime and lastSignInRequestId.

    Again, sign-ins are aggregated in the non-interactive users when the following data matches:

    Application

    User

    IP address

    Status

    Resource ID

    I suggest you refer to the document below.

    https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-noninteractive-sign-ins#how-does-it-work

    Case 4 :

    Absence of data, could this be associated with licensing.

    As you mentioned, there are no appCredentialSignInActivities associated with this application and it is on a free tenant, so you might not see the API activity in that tenant.

    I suggest referring to the documentation below for Graph permissions on a multi-tenant application.

    https://learn.microsoft.com/en-us/entra/identity-platform/v2-admin-consent

    https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal

    Please let me know if you have further queries on this.
