Azure Non Interactive Sign in logs

Question

Regarding the Non Interactive Sign In Logs, can someone explain why the aggregate date/time of the group is always a date/time that is somehow prior to all events noted when the group is expanded?

Answer 1

Hi @MavridesChristopher-4078

Thank you for contacting Q&A Forum. To answer your question, the reason why the aggregate date/time shown in the Non-Interactive Sign-In Logs appears to be earlier than the individual events when expanded is due to how Microsoft Entra ID aggregates non-interactive sign-ins for readability and performance.

_ Non-interactive sign-ins (like token refreshes or background app authentications) often occur frequently and with identical metadata (same user, app, IP, resource, etc.).

• To reduce noise, Microsoft groups these sign-ins into a single row in the log view.
• The timestamp shown for the group is the earliest timestamp in that aggregation window (e.g., 1 hour, 6 hours, or 24 hours).
• When you expand the group, you see the individual sign-ins, each with their actual timestamps, which are often later than the group’s timestamp.

You can’t customize or configure the aggregation timestamps in the Entra portal. For more granular control, you can export logs to Azure Monitor, Log Analytics, or Microsoft Sentinel.

For official documentation, please visit this link: https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-noninteractive-sign-ins#how-does-it-work.

Kindly let me know if you have any further question or anything that I can clarify.

If I have answered your question, please accept this as answer as a token of appreciation and don't forget to give a thumbs up for "Was it helpful"!

Best regards,

Megan.

Answer 2

Hello @MavridesChristopher-4078
I Hope the suggestion provided by @Vasil Michev is helpful.
The aggregate date/time of the group in Azure Non-Interactive Sign-In Logs may appear to be prior to all events noted when the group is expanded due to the way non-interactive sign-ins are logged and aggregated. Non-interactive sign-ins can trigger a large volume of events within a short time frame, and they are grouped together in the logs.

Each of these grouped rows can be expanded to view the exact timestamps of the individual sign-ins, which may vary. The aggregation is based on shared characteristics such as application, user, IP address, status, and resource ID, with the only differing factor being the date and time of the sign-in attempts.

for additional information you can follow: What are non-interactive user sign-ins in Microsoft Entra?

Do let us know if you have any Queries. We are happy to assist you further.

Answer 3

The aggregate date/time is just a "label", dependent on the filters you selected. You can think of it as the start date of the period, reflecting your time zone. Basically, a grouping of all events (per app per user) for a given day which serves as an indicator of any activity. If you see the entry, you know that there has been at least one sign-in attempt for the given user/app combo for this day, and you can expand the group to get the actual details.