
How to Track Non-Interactive User Sign-Ins in Microsoft Entra ID

In Microsoft Entra ID, non-interactive user sign-ins allow apps and services to authenticate automatically without direct user interaction. Tracking these sign-ins helps to detect token-based silent authentication, identify suspicious activity, and streamline troubleshooting efforts. This guide walks you through how to monitor non-interactive user sign-in logs and safeguard your Microsoft 365 environment.

Audit Non-Interactive User Sign-Ins Using Microsoft Entra Admin Center

Microsoft 365 Permission Required
Least privilege: Security Reader
Most privilege: Global Admin
  • Sign in to the Microsoft Entra admin center and navigate to Entra ID»Monitoring & health»Sign-in logs»User sign-ins (non-interactive).
  • Here, you can view non-interactive user sign-in events grouped based on the resource they accessed. Select a row to see all activities performed by that user at a specific time.
  • By default, this report shows sign-ins from the last 24 hours. You can use the Date range filter to display data up to the last 30 days.
  • Each log includes details such as the username, application used, sign-in status, IP address, accessed resource details, and more.

Note: When multiple request IDs are associated with a single non-interactive sign-in to a resource, the request ID is shown as 'aggregate' to represent the combined activity.


Track Non-Interactive User Sign-In Logs Using PowerShell

Microsoft Graph API Permissions Required
Least privilege: AuditLog.Read.All
Most privilege: Directory.ReadWrite.All
  • Connect to Microsoft Graph PowerShell using the cmdlet below.
     Connect-MgGraph -Scopes AuditLog.Read.All
  • Use the following PowerShell snippet to retrieve non-interactive user sign-in logs from Microsoft Entra ID.
     Get-MgBetaAuditLogSignIn -All -Filter "signInEventTypes/any(t: t eq 'nonInteractiveUser')" |
         Select-Object CreatedDateTime, Id, UserPrincipalName, AppDisplayName, IPAddress, ResourceDisplayName, ResourceId, UniqueTokenIdentifier, TokenIssuerName |
         Format-Table -AutoSize
  • The above execution will retrieve all the non-interactive user sign-ins within the last 30 days. The output includes key details like sign-in time, request ID, user principal name, application name, IP address, resource ID, and resource name.

Note: Before running the above cmdlet, make sure the Microsoft.Graph.Beta module is installed on your machine.
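One way to turn the retrieved logs into a review list, as an added example that is not part of the original page or of AdminDroid's scripts: it flags non-interactive sign-ins that come from an IP address the same user never used for an interactive sign-in in the same data set. The function name, the sample records and the heuristic itself are assumptions; VPNs and mobile networks will produce benign hits.

```powershell
# Added example, not from the original page. Heuristic: a silent token refresh from
# an IP where the same user never signed in interactively deserves a closer look.
function Find-NonInteractiveFromUnseenIp {
    [CmdletBinding()]
    param(
        # Records exposing UserPrincipalName, IPAddress, AppDisplayName,
        # CreatedDateTime and SignInEventTypes (as Get-MgBetaAuditLogSignIn returns).
        [Parameter(Mandatory)]
        [object[]]$SignIn
    )

    # Per user, collect the IPs seen on interactive sign-ins (hashtable keys are case-insensitive).
    $interactiveIps = @{}
    foreach ($s in $SignIn) {
        if ($s.SignInEventTypes -contains 'interactiveUser') {
            $key = $s.UserPrincipalName
            if (-not $interactiveIps.ContainsKey($key)) {
                $interactiveIps[$key] = [System.Collections.Generic.HashSet[string]]::new()
            }
            [void]$interactiveIps[$key].Add($s.IPAddress)
        }
    }

    # Keep non-interactive sign-ins whose IP is outside that user's set.
    $hits = @(foreach ($s in $SignIn) {
        if ($s.SignInEventTypes -notcontains 'nonInteractiveUser') { continue }
        $known = $interactiveIps[$s.UserPrincipalName]
        if ($null -eq $known -or -not $known.Contains($s.IPAddress)) { $s }
    })

    # Collapse repeated refreshes into one row per user, IP and application.
    $hits | Group-Object UserPrincipalName, IPAddress, AppDisplayName | ForEach-Object {
        $times = @($_.Group.CreatedDateTime | Sort-Object)
        [pscustomobject]@{
            UserPrincipalName = $_.Group[0].UserPrincipalName
            IPAddress         = $_.Group[0].IPAddress
            AppDisplayName    = $_.Group[0].AppDisplayName
            Count             = $_.Count
            FirstSeen         = $times[0]
            LastSeen          = $times[-1]
        }
    }
}

# Constructed sample records: fictitious user, documentation IP ranges.
$u = 'alex@contoso.example'; $app = 'Microsoft Teams'; $t0 = [datetime]'2025-01-10T08:00:00'
$sample = @(
    [pscustomobject]@{ UserPrincipalName = $u; AppDisplayName = $app; IPAddress = '192.0.2.10'
                       CreatedDateTime = $t0; SignInEventTypes = @('interactiveUser') }
    [pscustomobject]@{ UserPrincipalName = $u; AppDisplayName = $app; IPAddress = '192.0.2.10'
                       CreatedDateTime = $t0.AddHours(1); SignInEventTypes = @('nonInteractiveUser') }
    [pscustomobject]@{ UserPrincipalName = $u; AppDisplayName = $app; IPAddress = '203.0.113.5'
                       CreatedDateTime = $t0.AddHours(2); SignInEventTypes = @('nonInteractiveUser') }
    [pscustomobject]@{ UserPrincipalName = $u; AppDisplayName = $app; IPAddress = '203.0.113.5'
                       CreatedDateTime = $t0.AddHours(3); SignInEventTypes = @('nonInteractiveUser') }
)

# Only the two refreshes from 203.0.113.5 are reported, collapsed into one row.
Find-NonInteractiveFromUnseenIp -SignIn $sample | Format-Table -AutoSize

# Live data (after Connect-MgGraph -Scopes AuditLog.Read.All), one query per sign-in type:
# $live = foreach ($t in 'interactiveUser', 'nonInteractiveUser') {
#     Get-MgBetaAuditLogSignIn -All -Filter "signInEventTypes/any(t: t eq '$t')"
# }
# Find-NonInteractiveFromUnseenIp -SignIn $live
```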

Export Non-Interactive User Sign-Ins Report Using PowerShell Script

Microsoft Graph Permissions Required
Least privilege: AuditLog.Read.All, Directory.Read.All, Policy.Read.ConditionalAccess
Most privilege: AuditLog.Read.All, Directory.ReadWrite.All, Policy.ReadWrite.ConditionalAccess
  • While the above PowerShell cmdlet retrieves non-interactive user sign-ins easily, it provides only the basic details.
  • So, we have developed a PowerShell script that provides detailed non-interactive user sign-in information and exports them as a CSV report locally on your machine.
  • The report includes key user attributes such as username, UPN, sign-in status, IP address, location, device name, browser, operating system, user type, authentication type, risk detail, risk status, and Conditional Access details.
  • To use it, download and run the script below with the -NonInteractiveOnly parameter.
     .\GetEntraSigninLogs.ps1 -NonInteractiveOnly
GetEntraSigninLogs.ps1

Track Non-Interactive User Sign-Ins to Strengthen Token-Based Access in Microsoft Entra ID!

AdminDroid’s Entra ID reporting tool delivers comprehensive visibility into non-interactive user sign-ins through enriched reports and intuitive dashboards. Explore its additional capabilities to track non-interactive authentications and keep a close watch on your Entra ID security.

Monitor Unsuccessful Sign-In Attempts in Microsoft 365

Track all failed sign-in attempts in Microsoft 365 for both non-interactive and interactive scenarios to identify authentication failures, troubleshoot issues, and maintain reliable access.

Track Entra ID Service Principal Sign-In Logs

View service principal sign-in logs to identify anomalous access patterns, app-to-app silent communication, and sign-in failures due to misconfiguration, expired secrets, etc.

Detect Risky Non-Interactive User Sign-Ins in Microsoft 365

Filter the high-level risky user sign-ins report to investigate non-interactive access that occurred in risk scenarios, identify and assess events, and resolve issues early to maintain security.

Analyse User’s Sign-Ins Based on Authentication Type

Track the user sign-ins summary to view each identity’s sign-ins by type, including interactive and non-interactive, with insights on successes and failures.

Get Org-Wide Non-Interactive Sign-In Summary Metrics

Use the organization sign-ins summary by sign-in type report to analyze total, successful, failed, and interrupted sign-ins irrespective of the type, across your entire tenant within any chosen time range. 

Inspect Entra ID Managed Identity Sign-In Activities

Review all managed identity sign-ins to track service-to-service authentications and silent token refresh activities that securely access Azure resources. 

Overall, AdminDroid’s Entra ID management tool delivers comprehensive visibility into non-interactive user sign-in events and their activities. Beyond that, it offers actionable insights that help you securely manage all Entra ID objects and gives you full visibility into governance to empower overall control.

Explore a full range of reporting options

Important Tips

Use the error code lookup tool to decode non-interactive sign-in error codes in Microsoft Entra ID, identify their causes, and view recommended fixes.

Configure diagnostic settings in Entra to stream non-interactive sign-in logs to Storage Account, Log Analytics, or Event Hub for real-time monitoring, auditing, and alerts.

Enforce non-persistent browser sessions for administrators to require re-authentication at every sign-in and block unauthorized non-interactive access.

Common Errors and Resolution Steps

Having trouble with non-interactive sign-ins? Let’s learn how to troubleshoot some of the common errors.

Error The term 'Get-MgBetaAuditLogSignIn' is not recognized as the name of a cmdlet, function, script file, or operable program.

This error occurs because the ‘Microsoft.Graph.Beta’ module hasn’t been installed on your machine.

Fix To resolve this error, install the Microsoft.Graph.Beta module before connecting to MgGraph.
Install-Module Microsoft.Graph.Beta -Scope CurrentUser   
Import-Module Microsoft.Graph.Beta

Error Get-MgBetaAuditLogSignIn : User is not in the allowed roles.

This error occurs when you do not have the required roles to access sign-in logs in Microsoft Entra ID. At a minimum, you must be assigned the Security Reader role.

Fix Contact the respective admin in your organization to provide the required role to access sign-in logs.

Error Get-MgBetaAuditLogSignIn : Calling principal does not have required MSGraph permissions AuditLog.Read.All.

This error occurs in PowerShell when executing the ‘Get-MgBetaAuditLogSignIn’ cmdlet without necessary scope permissions for accessing sign-in logs.

Fix Contact the respective admin in your organization to grant the necessary Microsoft Graph permissions, at least ‘AuditLog.Read.All’. Additionally, ensure that you are assigned at least the Security Reader role.

Error Insufficient privileges to complete the operation.

This error occurs in the Entra admin center when you try to read sign-in logs without being assigned at least the Security Reader role.

Fix Contact your Microsoft 365 administrator who manages Entra ID roles and request assignment of at least the Security Reader role, which is required to access sign-in logs.

Error Get-MgBetaAuditLogSignIn : One or more errors occurred.

This error occurs when multiple versions of the Microsoft Graph Beta PowerShell module are installed on your machine.

Fix List all available Microsoft Graph modules in PowerShell using the following cmdlet and remove old versions.
# List all available versions of Microsoft.Graph.Beta installed on the system
Get-Module -Name Microsoft.Graph.Beta -ListAvailable

# Uninstall a specific version of Microsoft.Graph.Beta (e.g., version 2.29.1)
Get-InstalledModule -Name Microsoft.Graph.Beta* |
    Where-Object { $_.Version -eq "<Version>" } |
    ForEach-Object { Uninstall-Module -Name $_.Name -RequiredVersion $_.Version -Force }

Frequently Asked Questions

Understand and Manage Non-Interactive User Sign-Ins to Boost Microsoft Entra ID Security!

1. What are non-interactive user sign-in logs in Microsoft Entra ID?

To understand non-interactive user sign-in logs, it’s essential to first understand what non-interactive sign-ins actually are. These are sign-ins performed by apps, service accounts, or automation accounts without prompting the user for credentials.

Within this category, non-interactive user sign-ins specifically refer to sign-ins performed by actual user accounts in a non-interactive manner. The following section explains how these differ from other types of non-interactive sign-ins.

Non-interactive user sign-ins in Microsoft Entra ID

A non-interactive user sign-in occurs when an account accesses a resource without manual user interaction. This typically happens through background authentication processes like OAuth 2.0 token refreshes or silent sign-ins by Microsoft 365 apps. These sign-ins don’t prompt the user for credentials or perform an authentication factor.

In Microsoft Entra ID, these sign-ins are logged under the category "User sign-ins (non-interactive)". This helps admins distinguish automated user activity from direct user-initiated sign-ins.

Interactive vs non-interactive user sign-ins in Microsoft 365

At this point, it’s natural to wonder how non-interactive sign-ins differ from interactive ones. Here’s a breakdown of their differences.

[Figure: interactive vs. non-interactive user sign-ins]

2. What happens during a non-interactive user authentication in Microsoft 365?

Non-interactive user sign-in is not a standalone process. It can only be initiated after a successful interactive user authentication. This initial step is crucial, as it establishes trust and verifies that the user is legitimate.

Workflow behind non-interactive user authentication

When a user manually enters credentials to sign in, the OAuth 2.0 authorization code flow is triggered. After successful authentication, Microsoft Entra ID issues two tokens in JSON Web Token (JWT) format: an access token and a refresh token. The access token is valid for 60 to 90 minutes. The refresh token is valid for 24 hours for single-page apps, and up to 90 days for other scenarios. These tokens are securely stored by the client application.

When the access token expires, the application uses the refresh token to obtain a new access token silently, without prompting the user again. This process is known as non-interactive user authentication. Here’s how it works in the background:

  • First, the client app or OS component calls the Security Support Provider Interface (SSPI), which acts as a bridge between the app and the system’s security providers.
  • Then, the SSPI selects an appropriate Security Support Provider (SSP). In this case, it chooses OAuth 2.0, which is commonly used in cloud services to handle authentication.
  • The selected SSP interacts with the Local Security Authority (LSA) to validate stored credentials using the appropriate authentication package.
  • Once verified, the authentication response flows back through the authentication package»LSA»SSP»SSPI»Client App.
  • Once validation is complete, a new access token is silently issued, allowing the application to access protected resources without interrupting the user.

Here’s a visual representation of the authentication process:

[Figure: non-interactive user authentication workflow]

Example scenario: When a user signs in to a Microsoft 365 service through a browser for the first time and enters their credentials, the browser stores the authentication access tokens. On subsequent sign-in attempts, the browser does not prompt for credentials again. Instead, it reuses the stored access tokens to authenticate the session. This process continues seamlessly, and once the refresh tokens expire, the user will be signed out and prompted to sign in again.

3. How to handle failed non-interactive sign-ins from a disabled user account?

As an admin, you may occasionally notice failed non-interactive sign-in logs from a former employee’s disabled account. This is because, even after the account is disabled, certain apps can continue to use cached refresh tokens until they expire.

This allows the session to persist, silently renewing access tokens until the refresh token expires. However, this ongoing token activity can still trigger failed non-interactive sign-ins and may pose a potential security risk.

To resolve this issue, when a user is disabled, their refresh tokens should also be revoked to prevent threats from cached credentials.

Revoke user session using Microsoft Entra admin center

You can remove all active sessions for a disabled account by following the steps below.

  • In the Entra portal, navigate to Entra ID»Users.
  • Select the disabled user account and click on Revoke sessions.
  • Select Yes in the confirmation prompt to revoke the user’s sessions.

Revoke session tokens using Microsoft Graph PowerShell

Follow the steps below to revoke the session tokens of a disabled user through PowerShell.

  • Connect to Microsoft Graph PowerShell by executing the following command.
    Connect-MgGraph -Scopes "User.ReadWrite.All"
  • Then, execute the following cmdlet to revoke all refresh tokens for the disabled user.
    Revoke-MgUserSignInSession -UserId "<DisabledUserUPN>"
    Replace <DisabledUserUPN> with the UPN of the target user whose sessions you want to revoke.
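To find which disabled accounts still have cached tokens in use before revoking them one by one, the sign-in logs can be filtered for the "account disabled" failure. This is an added example, not code from the original page: the function name and sample records are hypothetical, and it assumes these failures carry error code 50057 (AADSTS50057).

```powershell
# Added example, not from the original page. Assumption: failed sign-ins for a disabled
# account carry error code 50057 (AADSTS50057, "the user account is disabled").
function Get-DisabledAccountTokenActivity {
    [CmdletBinding()]
    param(
        # Records exposing UserId, UserPrincipalName, AppDisplayName, IPAddress,
        # CreatedDateTime and Status.ErrorCode (as Get-MgBetaAuditLogSignIn returns).
        [Parameter(Mandatory)]
        [object[]]$SignIn,
        [int]$DisabledErrorCode = 50057
    )

    $failed = @($SignIn | Where-Object { $_.Status.ErrorCode -eq $DisabledErrorCode })

    # One row per account: how often and how recently its cached token was tried.
    $failed | Group-Object UserId | ForEach-Object {
        $last = $_.Group | Sort-Object CreatedDateTime | Select-Object -Last 1
        [pscustomobject]@{
            UserId            = $_.Name
            UserPrincipalName = $last.UserPrincipalName
            FailedAttempts    = $_.Count
            Apps              = @($_.Group.AppDisplayName | Sort-Object -Unique) -join '; '
            LastAttempt       = $last.CreatedDateTime
            LastIPAddress     = $last.IPAddress
        }
    } | Sort-Object LastAttempt -Descending
}

# Constructed sample records: fictitious users and IDs, documentation IP ranges.
$t0 = [datetime]'2025-02-03T09:00:00'
$former = '00000000-0000-0000-0000-000000000001'
$active = '00000000-0000-0000-0000-000000000002'
$sample = @(
    [pscustomobject]@{ UserId = $former; UserPrincipalName = 'former.employee@contoso.example'
                       AppDisplayName = 'Microsoft Outlook'; IPAddress = '198.51.100.7'
                       CreatedDateTime = $t0; Status = [pscustomobject]@{ ErrorCode = 50057 } }
    [pscustomobject]@{ UserId = $former; UserPrincipalName = 'former.employee@contoso.example'
                       AppDisplayName = 'Microsoft Teams'; IPAddress = '198.51.100.7'
                       CreatedDateTime = $t0.AddHours(4); Status = [pscustomobject]@{ ErrorCode = 50057 } }
    [pscustomobject]@{ UserId = $active; UserPrincipalName = 'jordan@contoso.example'
                       AppDisplayName = 'Microsoft Teams'; IPAddress = '192.0.2.10'
                       CreatedDateTime = $t0.AddHours(1); Status = [pscustomobject]@{ ErrorCode = 0 } }
)

# Reports former.employee@contoso.example with 2 failed attempts; jordan is ignored.
Get-DisabledAccountTokenActivity -SignIn $sample | Format-Table -AutoSize

# Live use (scopes as listed on this page: AuditLog.Read.All and User.ReadWrite.All):
# $logs = Get-MgBetaAuditLogSignIn -All -Filter "signInEventTypes/any(t: t eq 'nonInteractiveUser')"
# Get-DisabledAccountTokenActivity -SignIn $logs |
#     ForEach-Object { Revoke-MgUserSignInSession -UserId $_.UserId }
```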

4. How can you get the last successful non-interactive sign-in for a user in Entra ID?

Sometimes a user appears inactive because their last interactive sign-in was months ago. You might think it’s safe to disable the account, but it could still be running essential background processes like scripts, automated workflows, or API calls. Removing it without checking could disrupt these operations.

By looking at the last successful non-interactive sign-in in Entra ID, you can verify true inactivity and avoid accidentally breaking critical processes.

Get last successful non-interactive user sign-in using Entra admin center

  • To get started, navigate to Entra ID»Users in the Entra portal and select the desired user.
  • In the Overview tab, locate the Sign-ins tile. 
  • Here, you can see the timestamp of the user’s last successful non-interactive sign-in, displayed in local time format.

Note: This view shows only the last sign-in timestamps, which may not always be accurate. For full and accurate details like resource ID, resource name, and status, check the sign-in logs.

Track last successful non-interactive user sign-ins using PowerShell

Microsoft Graph PowerShell allows you to find the last non-interactive sign-in date and time of a user using the 'lastNonInteractiveSignInDateTime' property. To retrieve both the last interactive and non-interactive sign-ins for all users in local time format instead of UTC, we’ve created a custom PowerShell script.

Download and execute the script to uncover non-interactive sign-ins for both internal and external users, along with comprehensive corresponding details.


Note: To retrieve only the last successful interactive or non-interactive sign-in details for external users, execute the script as shown below.

.\M365LastSuccessfulSigninReport.ps1 -ExternalUsersOnly
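The inactivity check described in this section, as an added example that is not the M365LastSuccessfulSigninReport.ps1 script or any other code from the original page: it compares each user's last interactive and last non-interactive sign-in against a cutoff and separates accounts that only look inactive from those that really are. The function name, the 90-day default and the sample users are assumptions.

```powershell
# Added example, not from the original page. Classifies accounts by comparing the last
# interactive and last non-interactive sign-in timestamps against an inactivity cutoff.
function Get-SignInActivityVerdict {
    [CmdletBinding()]
    param(
        # Users exposing UserPrincipalName and SignInActivity with LastSignInDateTime and
        # LastNonInteractiveSignInDateTime (as Get-MgUser -Property signInActivity returns).
        [Parameter(Mandatory)]
        [object[]]$User,
        [int]$InactiveDays = 90,          # assumed threshold; adjust to your policy
        [datetime]$AsOf = (Get-Date)
    )

    $cutoff = $AsOf.AddDays(-$InactiveDays)
    foreach ($u in $User) {
        $interactive = $u.SignInActivity.LastSignInDateTime
        $silent      = $u.SignInActivity.LastNonInteractiveSignInDateTime

        # A missing timestamp means no recorded sign-in of that type, so treat it as stale.
        $interactiveStale = ($null -eq $interactive) -or ($interactive -lt $cutoff)
        $silentStale      = ($null -eq $silent) -or ($silent -lt $cutoff)

        if (-not $interactiveStale) { $verdict = 'Active' }
        elseif (-not $silentStale)  { $verdict = 'BackgroundActivityOnly' }  # do not disable blindly
        else                        { $verdict = 'Inactive' }

        [pscustomobject]@{
            UserPrincipalName      = $u.UserPrincipalName
            LastInteractive        = $interactive
            LastNonInteractive     = $silent
            Verdict                = $verdict
        }
    }
}

# Constructed sample users (fictitious accounts and dates).
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'svc-reports@contoso.example'
        SignInActivity = [pscustomobject]@{ LastSignInDateTime = [datetime]'2024-11-02'
                                            LastNonInteractiveSignInDateTime = [datetime]'2025-05-30' } }
    [pscustomobject]@{ UserPrincipalName = 'jordan@contoso.example'
        SignInActivity = [pscustomobject]@{ LastSignInDateTime = [datetime]'2025-05-28'
                                            LastNonInteractiveSignInDateTime = [datetime]'2025-05-31' } }
    [pscustomobject]@{ UserPrincipalName = 'former.employee@contoso.example'
        SignInActivity = [pscustomobject]@{ LastSignInDateTime = [datetime]'2024-09-15'
                                            LastNonInteractiveSignInDateTime = [datetime]'2024-10-01' } }
    [pscustomobject]@{ UserPrincipalName = 'never.used@contoso.example'
        SignInActivity = [pscustomobject]@{ LastSignInDateTime = $null
                                            LastNonInteractiveSignInDateTime = $null } }
)

# Verdicts: BackgroundActivityOnly, Active, Inactive, Inactive (in that order).
Get-SignInActivityVerdict -User $sample -AsOf ([datetime]'2025-06-01') | Format-Table -AutoSize

# Live use (after Connect-MgGraph -Scopes User.Read.All, AuditLog.Read.All):
# $users = Get-MgUser -All -Property 'id','userPrincipalName','accountEnabled','signInActivity'
# Get-SignInActivityVerdict -User $users | Where-Object Verdict -ne 'Active'
```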

Quickly track the last successful Microsoft 365 non-interactive user sign-ins with AdminDroid!

  • Use AdminDroid’s column customization feature in the all users report to include Last Non-Interactive Sign-In Time to quickly see the most recent background sign-in activity for each user. 
  • The report also provides advanced filtering options and supports exports in multiple formats such as HTML, PDF, CSV, PDF+, and more, making it easy to analyze and share insights across your team.

5. How are non-interactive sign-in logs in Entra ID influenced by token lifetimes and session settings?

When reviewing non-interactive sign-ins in Microsoft Entra ID, you may notice repeated sign-in events occurring within short time intervals. This pattern is driven by token lifetime and session settings. Longer-lived refresh tokens and persistent sessions increase the frequency of non-interactive sign-ins recorded in the logs. This is because applications and services silently refresh tokens in the background without user interaction.

By default, refresh tokens can remain valid for up to 90 days, which reduces authentication prompts but generates a steady stream of log entries. Similarly, the Microsoft 365 “Stay signed in?” (Keep Me Signed In – KMSI) setting creates persistent browser sessions, allowing apps to renew access tokens silently and further increasing non-interactive sign-ins. 

You can reduce these non-interactive authentications tenant-wide and improve security by disabling the KMSI prompt.

Disable ‘Stay signed in?’ prompt in Microsoft 365

  • In the Entra portal, navigate to Entra ID»Users»User settings.
  • From there, you can find the Show keep user signed in setting. 
  • Toggle this setting to No and click Save to apply the changes.

Once this is done, users will be prompted to sign in interactively very often, when reopening the browser, switching devices, etc. This approach enhances your organization’s security posture by limiting unattended persistent sessions.
