Non-Interactive Sign-Ins by Identity Protection Risky Users
15 NI Auth Risky Users
Query
let HighRiskUsers =
AADRiskyUsers
| where RiskState in ("atRisk", "confirmedCompromised")
| where RiskLevel in ("high", "medium")
| project UserPrincipalName, RiskLevel, RiskState, RiskDetail;
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| where ResultType == 0
| summarize
SilentCount = count(),
Countries = make_set(Location),
IPs = make_set(IPAddress),
Apps = make_set(AppDisplayName),
LastActivity = max(TimeGenerated)
by UserPrincipalName
| join kind=inner HighRiskUsers on UserPrincipalName
| extend IPAddress = tostring(IPs[0])
| project
UserPrincipalName,
RiskLevel,
RiskState,
RiskDetail,
SilentCount,
Countries,
IPAddress,
Apps,
LastActivity
| order by SilentCount descExplanation
This query is designed to detect users who are flagged as high or medium risk by Azure AD Identity Protection but continue to authenticate silently through non-interactive token refreshes. Here's a simplified breakdown:
-
Purpose: The query identifies users who are considered at risk or compromised by Azure AD Identity Protection and are still able to authenticate without user interaction, suggesting that an attacker might have persistent access.
-
Data Sources: It uses data from Azure Active Directory, specifically:
- Non-interactive user sign-in logs.
- Risky user information.
-
Frequency: The query runs every hour and looks at data from the past hour.
-
Detection Logic:
- It first identifies users with a high or medium risk level who are marked as "at risk" or "confirmed compromised."
- Then, it checks for non-interactive sign-ins by these users within the last hour.
- It counts the number of these silent sign-ins and gathers information about the locations, IP addresses, and applications involved.
-
Output: The query outputs a list of users with details such as their risk level, the number of silent sign-ins, and associated IP addresses and applications. The results are sorted by the number of silent sign-ins.
-
Alerting: If any such activity is detected, an alert is generated with details about the user and their risk level. This alert indicates that the user is still performing non-interactive sign-ins despite being flagged as risky.
-
Incident Management: The query is configured to create incidents for detected cases, with grouping enabled to manage related alerts efficiently.
Overall, this query helps security teams identify potential security breaches where attackers maintain access to compromised accounts through non-interactive authentication methods.
Details

David Alonso
Released: May 29, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 1h