Non-Interactive Sign-Ins by Identity Protection Risky Users
15 NI Auth Risky Users
Query
let HighRiskUsers =
AADRiskyUsers
| where RiskState in ("atRisk", "confirmedCompromised")
| where RiskLevel in ("high", "medium")
| project UserPrincipalName, RiskLevel, RiskState, RiskDetail;
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| where ResultType == 0
| summarize
SilentCount = count(),
Countries = make_set(Location),
IPs = make_set(IPAddress),
Apps = make_set(AppDisplayName),
LastActivity = max(TimeGenerated)
by UserPrincipalName
| join kind=inner HighRiskUsers on UserPrincipalName
| where SilentCount >= 5
| extend IPAddress = tostring(IPs[0])
| project
UserPrincipalName,
RiskLevel,
RiskState,
RiskDetail,
SilentCount,
Countries,
IPAddress,
Apps,
LastActivity
| order by SilentCount descExplanation
This query is designed to detect users who have been flagged as high or medium risk by Azure AD Identity Protection but are still able to authenticate silently through non-interactive token refreshes. This situation suggests that an attacker might have persistent access to the account, bypassing risk-based Conditional Access controls.
Here's a breakdown of the query:
-
Purpose: The query identifies users who are considered at risk or compromised and are still performing non-interactive sign-ins, which could indicate unauthorized access.
-
Data Sources: It uses data from Azure Active Directory, specifically the
AADNonInteractiveUserSignInLogsandAADRiskyUsers. -
Frequency: The query runs every hour and looks at data from the past hour.
-
Logic:
- It first filters users who are marked as "atRisk" or "confirmedCompromised" with a risk level of "high" or "medium".
- It then checks for non-interactive sign-ins (successful token refreshes) in the past hour.
- It counts these sign-ins and gathers information about the locations, IP addresses, and applications involved.
- It joins this data with the list of high-risk users.
- It filters for users with at least 5 non-interactive sign-ins.
-
Output: The query outputs details such as the user's principal name, risk level, risk state, number of silent sign-ins, countries, IP addresses, applications used, and the time of the last activity.
-
Alerting: If the conditions are met, an alert is generated with a high severity level. The alert includes details about the user and their risk status, and it triggers the creation of an incident.
-
MITRE ATT&CK Techniques: The query is associated with techniques like T1078 (Valid Accounts), T1528 (Steal Application Access Token), and T1550 (Use Alternate Authentication Material), indicating potential credential access, persistence, and defense evasion tactics.
Overall, this query helps security teams identify potentially compromised accounts that continue to be accessed silently, allowing them to take appropriate action to secure the accounts.
Details

David Alonso
Released: July 16, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 1h