In this module

EI1.2 Interactive vs Non-Interactive Sign-Ins

60-80 minutes · Module 1 · Free

Operational Objective

Your sign-in log query returns thousands of events for a single user in a 24-hour period. Most of them are non-interactive sign-ins — background token refreshes that happen automatically without the user's knowledge. If you do not understand the difference between interactive and non-interactive sign-ins, you will waste hours investigating routine background activity, miss the single interactive sign-in that represents the actual attack, and misinterpret volume patterns that are normal for non-interactive authentication.

Deliverable: The ability to distinguish interactive from non-interactive sign-ins, understand which generates which type of log entry, query each table independently, and know which sign-in type is relevant for which security question.

⏱ Estimated completion: 15 minutes

Why the distinction matters

When you query SigninLogs in KQL, you are querying only interactive sign-ins — the events where a user actively participated in the authentication process by entering credentials, completing MFA, or selecting an account. These are the sign-ins that represent a human decision to authenticate.

Non-interactive sign-ins — the background token refreshes, silent SSO events, and automated token exchanges that keep applications signed in — are recorded in a separate table: AADNonInteractiveUserSignInLogs. If you only query SigninLogs, you see the moments where users proved their identity. If you only query AADNonInteractiveUserSignInLogs, you see the ongoing session maintenance that keeps their access alive.

For identity security, both tables matter — but they answer different questions.

Interactive sign-ins (SigninLogs) answer: when did this user explicitly authenticate? What authentication method did they use? Did conditional access evaluate the sign-in? Was MFA required and completed? These are the events that represent a new authentication decision — the moments when Entra ID evaluated all signals and made an access determination.

Non-interactive sign-ins (AADNonInteractiveUserSignInLogs) answer: is this user's session still active? What applications are they accessing in the background? Is token refresh happening from the expected device and IP? These are the events that represent ongoing access — the automated processes that keep the user signed in to Teams, Outlook, OneDrive, and other applications that refresh their tokens silently.

The volume difference is dramatic. A typical user generates one to five interactive sign-ins per day (when they sign in to their device in the morning, when they open a new application, when they return from a session timeout). The same user generates dozens to hundreds of non-interactive sign-ins per day as their applications refresh tokens in the background. If you query both tables without filtering, the non-interactive volume overwhelms the interactive events.

How interactive authentication works

An interactive sign-in occurs when the user is directly involved in the authentication process. The browser or application redirects the user to the Entra ID sign-in page, the user provides credentials (password, passkey, or another method), MFA is presented if required, and the user completes the challenge. The full conditional access evaluation occurs during this interactive sign-in — all policies are evaluated, all signals are assessed, and the access decision is made.

Interactive sign-ins are the security-critical events for several reasons. They are the moment where the attacker's stolen credentials are used for the first time. They are the moment where conditional access can block a suspicious sign-in. They are the moment where Identity Protection evaluates the sign-in context and assigns a risk level. If you are looking for evidence of initial access (Stage 2 of the identity kill chain from EI0.6), you are looking in the interactive sign-in logs.

Common triggers for interactive sign-ins: the user opens a browser and navigates to portal.office.com for the first time that day, the user's session has expired and the application prompts for re-authentication, a conditional access policy requires sign-in frequency and the configured interval has passed, the user opens a new application for the first time, or the user's risk level changed and a risk-based policy forces re-authentication.

How non-interactive authentication works

A non-interactive sign-in occurs when an application automatically refreshes its tokens without user involvement. The most common non-interactive sign-in is a refresh token exchange — the application's existing refresh token is sent to Entra ID, and Entra ID returns a new access token (and optionally a new refresh token) without presenting any UI to the user.

Non-interactive sign-ins are important for security monitoring because they reveal the ongoing pattern of access. An attacker who stole a refresh token and is replaying it generates non-interactive sign-ins from the attacker's IP address. If the user is simultaneously generating non-interactive sign-ins from their legitimate device, you see two concurrent streams of non-interactive activity for the same user from different IP addresses — a strong indicator of token theft.

The challenge is that non-interactive sign-ins do not always trigger conditional access evaluation in the same way interactive sign-ins do. Some conditional access session controls (like sign-in frequency) apply to non-interactive token refreshes, but the full policy evaluation that occurs during an interactive sign-in may not be repeated during every token refresh. This is why Continuous Access Evaluation (CAE) exists — it extends the enforcement window beyond the interactive sign-in to include ongoing access (covered in EI7).

// EI1.2 — Compare interactive vs non-interactive volume for a user
// Shows the typical ratio: 1 interactive event to 50+ non-interactive
let targetUser = "admin@yourdomain.onmicrosoft.com";  // Replace with your admin UPN
let timeRange = 24h;
union 
    (SigninLogs 
    | where TimeGenerated > ago(timeRange) 
    | where UserPrincipalName == targetUser 
    | summarize InteractiveCount = count() by bin(TimeGenerated, 1h)
    | extend LogType = "Interactive"),
    (AADNonInteractiveUserSignInLogs 
    | where TimeGenerated > ago(timeRange) 
    | where UserPrincipalName == targetUser 
    | summarize NonInteractiveCount = count() by bin(TimeGenerated, 1h)
    | extend LogType = "Non-Interactive")
| order by TimeGenerated asc
// Expected: Non-interactive count is 10-100x higher per hour than interactive
// This is normal — it represents background token refreshes

When to query which table

For different security questions, you need different tables:

"Was this user's account used to authenticate today?" — query SigninLogs for interactive events. This tells you whether someone actively signed in as this user.

"Is a stolen token being replayed right now?" — query AADNonInteractiveUserSignInLogs. Token replay generates non-interactive events because the attacker is using the stolen token without re-authenticating. Look for non-interactive sign-ins from an IP address that differs from the user's recent interactive sign-in IP.

"What applications is this user accessing?" — query both tables. The interactive log shows which applications the user explicitly opened. The non-interactive log shows which applications are refreshing tokens in the background — a broader view of the user's access footprint.

"Did conditional access block a sign-in attempt?" — query SigninLogs with ResultType 53003 or ConditionalAccessStatus == "failure". Conditional access blocking is recorded in the interactive log because the block occurs during the initial authentication attempt.

"Is legacy authentication being used?" — query both tables with ClientAppUsed filters for "IMAP," "POP3," "SMTP," "Exchange ActiveSync," and "Other clients." Legacy protocols can appear in either table depending on the protocol and client behavior.

"How many sign-in events does this user generate per day?" — query both tables. If you only query SigninLogs, you drastically undercount. If you need a realistic volume assessment (for log ingestion cost planning or for establishing a baseline), you need the full picture from both tables.

// EI1.2 — Detect potential token replay: different IPs in interactive vs non-interactive
// for the same user within a short time window
let timeRange = 1h;
let interactiveIPs = SigninLogs
| where TimeGenerated > ago(timeRange)
| where ResultType == 0
| distinct UserPrincipalName, IPAddress;
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(timeRange)
| where ResultType == 0
| join kind=inner interactiveIPs on UserPrincipalName
| where IPAddress != IPAddress1  // Non-interactive IP differs from interactive IP
| summarize 
    NonInteractiveIP = any(IPAddress),
    InteractiveIP = any(IPAddress1),
    EventCount = count()
    by UserPrincipalName
| where EventCount > 5  // At least 5 non-interactive events from the different IP
// Results: users with concurrent sessions from different IPs — potential token theft
// Validate: is the non-interactive IP a known VPN, proxy, or Microsoft IP?

This query is a practical token replay detection pattern. The logic: if a user interactively signed in from IP-A and simultaneously has non-interactive token refreshes from IP-B, someone else may be using a stolen token from IP-B. This pattern has false positives (VPNs, mobile network switching, Microsoft service IPs), but it is a strong starting point that EI13 refines into a production detection rule.

Try it yourself

Try It — Compare Your Interactive and Non-Interactive Logs

Environment: Your M365 developer tenant with Sentinel workspace.

Exercise: Run the volume comparison query from above (replacing the UPN with your admin account). Answer these questions:

1. How many interactive sign-ins did your admin account generate in the last 24 hours? 2. How many non-interactive sign-ins? 3. What is the ratio? (Non-interactive should be 10x-100x higher) 4. Are there any hours where interactive events are zero but non-interactive events are present? (This is normal — it means your session was active but you were not re-authenticating)

Now try querying AADNonInteractiveUserSignInLogs directly. Run AADNonInteractiveUserSignInLogs | where TimeGenerated > ago(24h) | take 20 | project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, ResultType. Look at the AppDisplayName values — you will see applications refreshing tokens that you never explicitly opened. This is normal SSO behavior.

⚠ Compliance Myth: "We monitor the sign-in logs so we would see a token replay attack"

The myth: We have sign-in log monitoring. If an attacker replays a stolen token, we will see the sign-in from an unusual location and investigate.

The reality: If your monitoring only covers SigninLogs (interactive), you will miss token replay entirely. Token replay does not require a new interactive sign-in — the attacker uses the existing stolen token to make API calls or refresh the token silently. These events appear only in AADNonInteractiveUserSignInLogs. If your detection rules do not query both tables, a token replay attack is invisible to your monitoring. EI13 builds detection rules that query both tables and correlate the results.

📋 Investigation Artifact — Sign-In Log Table Reference

Quick reference for which table to query for which security question:

Entra ID Sign-In Log Tables

SigninLogs — Interactive user sign-ins

- User actively participates in authentication

- Full conditional access evaluation

- Risk assessment performed

- Use for: initial access detection, policy verification, authentication method analysis

AADNonInteractiveUserSignInLogs — Non-interactive user sign-ins

- Background token refresh, silent SSO

- Limited CA re-evaluation (CAE extends this)

- Use for: session monitoring, token replay detection, access pattern analysis

AADServicePrincipalSignInLogs — Service principal sign-ins

- Application/service credentials (client secret, certificate, managed identity)

- No user context

- Use for: workload identity monitoring (EI1.3)

AADManagedIdentitySignInLogs — Managed identity sign-ins

- Azure-managed credentials for workloads

- No extractable credentials

- Use for: workload identity monitoring (EI1.3)

Querying both tables:

Use union SigninLogs, AADNonInteractiveUserSignInLogs when you need the complete picture for a user. Filter by UserPrincipalName after the union to scope to a specific account.

Compliance mapping: Comprehensive log monitoring supports SOC 2 CC7.2 (Monitoring Activities), ISO 27001 A.12.4.1 (Event Logging), and NIST CSF DE.CM-3 (Personnel Activity Monitoring).

Decision point

A sign-in log shows a successful authentication from an IP in a country where NE has no employees. MFA was satisfied by push notification. The user says they approved the MFA prompt while traveling. Do you accept this explanation?

Verify, do not accept at face value. Check: does the user have a travel request on file? Does the IP geo-location match the claimed travel destination? Does the device fingerprint match the user's enrolled device? Are there other sign-ins from NE's corporate IP in the same time window (which would indicate the user is NOT traveling)? An attacker who stole credentials and is bombarding the user with MFA prompts (MFA fatigue) gets the same 'I approved it' response from a confused user. The investigation confirms or refutes the travel explanation within 5 minutes.

A sign-in log shows: ResultType 0 (success), MfaDetail 'satisfied by claim', ConditionalAccessStatus 'success', IPAddress from a residential proxy in Nigeria. The user's normal sign-in pattern is UK corporate IPs only. What is the most likely explanation?

The user is traveling to Nigeria for business.

AiTM session token theft. The combination of MFA-by-claim (not interactive MFA challenge), residential proxy IP (not corporate), and successful CA evaluation (the token contains the MFA assertion) is the AiTM signature. The attacker captured the session token via an AiTM proxy, which includes the MFA claim. The token is then replayed from the attacker's infrastructure. Action: immediate session revocation, MFA method audit, and CA policy assessment (why did the compliant device policy not block this?).

The user's VPN is routing through a Nigerian exit node.

Identity Protection would have blocked this if it were truly malicious.

Expand for Deeper Context

The identity security concept demonstrated here connects directly to NE's operational experience. The Entra ID configuration decisions — which authentication methods to deploy, how to scope CA policies, when to require PIM activation, how to manage application consent — are not theoretical choices. Each decision was tested by real attacks (INC-NE-2026-0227-001 AiTM campaign, INC-NE-2026-0315-002 BEC), validated in tabletop exercises, and refined through the quarterly maturity review. The configuration that exists today is the product of iterative improvement driven by production evidence.

You've mapped the identity threat landscape and learned to read sign-in logs.

EI0 established that every cloud attack starts with identity. EI1 took you through the signal that matters most — interactive, non-interactive, service principal, and managed identity sign-ins. Now you engineer the defences.

17 engineering modules — authentication methods, conditional access architecture, Identity Protection, PIM, token protection, application governance, and detection rules
The Defense Design Method — the six-step framework applied to every identity control you'll build
EI18 Capstone — Identity Security Architecture Design — design complete identity architectures for three realistic organisations (SMB, mid-market, regulated enterprise)
Identity Security Toolkit lab pack — deployable conditional access policies, PIM configurations, and Identity Protection risk rules
Cross-domain detection (EI16) — email-to-identity correlation and the full phishing-to-inbox-rule attack chain

Unlock the full course with Premium See Full Syllabus

← Previous Next →