Microsoft Entra ID Sign-In Logs: A Technical Deep Dive Into Visibility Gaps

29 January 2026 by Jaspreet Singh

Many security teams assume Microsoft Entra ID sign-in logs provide a complete view of authentication activity.

However, these logs do not capture the entire picture.

This article explains why Entra ID sign-in logs may appear normal even when risky behavior occurs, and outlines the technical factors that create these visibility gaps.

This analysis is based on real tenant observations and controlled experiments documented on f11.ca (Experiment ID: EID-EXP-002).

The Core Misconception About Sign-In Logs

Most defenders treat sign-in logs as event-based security evidence:

“If there’s no sign-in event, nothing happened.”

In reality, Entra ID authentication is token-driven rather than session-driven, and this distinction is significant. (Understanding Tokens in Microsoft Entra ID, 2024)

Sign-in logs primarily record token issuance, not:

  • Continuous access
  • Session reuse
  • Token replay
  • Service-to-service access

This distinction is the primary cause of most visibility gaps. (Understanding Tokens in Microsoft Entra ID, 2023)

Authentication vs Authorization vs Session State

It is important to clarify three concepts that are often conflated:

1. Authentication (Logged)

  • Happens when Entra ID issues an access or refresh token
  • This is what appears in sign-in logs.

2. Authorization (Partially Visible)

  • Token scopes, resource access
  • Logged inconsistently depending on workload

3. Session Continuity (Mostly Invisible)

  • Token reuse
  • Silent token refresh
  • Persistent browser sessions
  • Rarely generates new sign-in events. (Conditional Access adaptive session lifetime policies - Microsoft Entra ID, 2025)

Understanding these distinctions helps explain the behavior observed in sign-in logs.

Why Multiple Locations Don’t Always Trigger Alerts

A common expectation is as follows:

“If a user signs in from two different locations, Entra ID should flag it.”

Technically, Entra ID evaluates risk at token issuance time, not continuously. (Build resilience by using Continuous Access Evaluation in Microsoft Entra ID, 2023)

If:

  • A refresh token is still valid.
  • MFA was previously satisfied
  • Conditional Access conditions are unchanged.

Then:

  • A new interactive sign-in is not required.
  • No new sign-in event is logged.
  • Location change may go unchallenged. (Continuous access evaluation in Microsoft Entra, 2024)

This is not a bug; it reflects how token trust operates.

MFA “Satisfied” ≠ Continuous Protection

The sign-in log field Authentication Details → MFA Satisfied is often misinterpreted. What it actually means:

  • MFA was satisfied at least once
  • Within the token or session lifetime

What it does not mean:

  • MFA is continuously re-evaluated
  • MFA was enforced for each access attempt
  • The session was re-challenged (Sign-in event details for Microsoft Entra multifactor authentication - Microsoft Entra ID | Microsoft Learn, 2025)

This leads to a potentially dangerous assumption:

“MFA is protecting this session.”

In reality, MFA protected only a single authentication event, not subsequent activity.

Modern authentication relies heavily on:

  • Refresh tokens
  • Primary Refresh Tokens (PRT)
  • Brokered authentication (especially on Windows)

These flows:

  • Issue new access tokens silently.
  • Do not always create interactive sign-in events.
  • Often appear as “Non-Interactive” events, or may not appear in logs at all. (Non-interactive sign-in logs - Microsoft Entra ID, 2025)

From a logging perspective:

  • Activity happens
  • Access continues
  • Logs may remain silent.

Why Security Defaults Don’t Fix This

Security Defaults are:

  • Authentication-centric
  • Designed for initial protection
  • Not visibility-focused

They do not:

  • Shorten token lifetimes aggressively.
  • Enforce frequent reauthentication
  • Provide session-level anomaly detection.
  • Correlate identity + workload behavior (Protecting Tokens in Microsoft Entra ID, 2024)

This is why tenants with Security Defaults enabled can still show:

  • Long-lived trusted sessions
  • Cross-location access
  • Minimal logging noise

The Log Data Is Not Wrong — The Interpretation Is

The most important takeaway:

Entra ID logs are technically accurate, but operationally incomplete. (Microsoft Entra ID vulnerability allows full account takeover – and takes barely any effort, 2025)

They tell you:

  • When trust was established

They do not tell you:

  • How that trust was later reused
  • Where the session traveled
  • Whether access patterns changed after authentication

Without correlation, logs provide false reassurance.

What Actually Improves Visibility (Conceptually)

This is not a tooling article, but from an architectural standpoint, visibility improves when you:

  • Shorten sign-in frequency strategically.
  • Treat refresh tokens as high-risk assets.
  • Correlate sign-in logs with:

    • Audit logs
    • Workload access logs
    • Endpoint context
  • Monitor behavior after authentication, not just authentication itself.

Identity security is not about blocking sign-ins — it’s about understanding what happens after trust is granted.
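
The correlation idea above, applied to the token-reuse behaviour from the "Why Multiple Locations Don’t Always Trigger Alerts" section, as an added example (not code from the original article or its lab). It assumes interactive and non-interactive sign-ins have been exported into one list using Microsoft Graph signIn field names; the sample records and the function name are constructed for illustration, and reuse that never reaches the non-interactive log stays invisible to it.

```python
from datetime import datetime

def _rec(ts, upn, ip, interactive, country):
    # Field names follow the Microsoft Graph signIn resource.
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "isInteractive": interactive, "location": {"countryOrRegion": country}}

# Constructed sample export (not real tenant data): interactive and
# non-interactive sign-ins merged into one list.
SAMPLE_SIGNINS = [
    _rec("2026-01-10T08:00:00Z", "alice@example.test", "198.51.100.10", True, "CA"),
    _rec("2026-01-10T08:15:00Z", "bob@example.test", "198.51.100.20", True, "CA"),
    _rec("2026-01-10T09:00:00Z", "alice@example.test", "198.51.100.10", False, "CA"),
    _rec("2026-01-10T12:00:00Z", "bob@example.test", "198.51.100.20", False, "CA"),
    _rec("2026-01-12T03:30:00Z", "alice@example.test", "203.0.113.77", False, "DE"),
]

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def find_trust_reuse(signins):
    """Hypothetical helper: flag non-interactive token issuances whose IP or
    country differs from the user's latest interactive sign-in."""
    anchors, findings = {}, []
    for event in sorted(signins, key=lambda e: _ts(e["createdDateTime"])):
        user = event["userPrincipalName"].lower()
        if event["isInteractive"]:
            anchors[user] = event      # trust (re)established here
            continue
        anchor = anchors.get(user)
        if anchor is None:
            continue                   # anchoring sign-in predates the export
        here = (event["ipAddress"], event["location"]["countryOrRegion"])
        origin = (anchor["ipAddress"], anchor["location"]["countryOrRegion"])
        if here != origin:
            age = _ts(event["createdDateTime"]) - _ts(anchor["createdDateTime"])
            findings.append({
                "user": user, "origin": origin, "seen": here,
                "hours_since_interactive": round(age.total_seconds() / 3600, 1),
            })
    return findings

if __name__ == "__main__":
    for finding in find_trust_reuse(SAMPLE_SIGNINS):
        print(finding)
```

Each finding pairs the location where trust was established with the location where it was later reused, plus how many hours passed since the user last authenticated interactively.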

Final Thoughts

Microsoft Entra ID is working exactly as designed.

The issue lies not with the platform, but with the assumption that sign-in logs provide complete security insight.

If you treat sign-in logs as a single data source rather than the full truth, your detection and investigation posture improves immediately.


About the Author

Jaspreet Singh

Identity & Security Engineer

Hands-on Entra ID experiments, real-world attack paths, and evidence-based security analysis.

References

(2024). Understanding Tokens in Microsoft Entra ID. Microsoft Learn. https://learn.microsoft.com/en-us/Entra/identity/devices/concept-tokens-microsoft-Entra-id

(2023). Understanding Tokens in Microsoft Entra ID. Microsoft Entra ID | Microsoft Learn. https://learn.microsoft.com/en-us/entra/identity/devices/concept-tokens-microsoft-entra-id

(2025). Conditional Access adaptive session lifetime policies - Microsoft Entra ID. Microsoft Learn. https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-session-lifetime

(2023). Build resilience by using Continuous Access Evaluation in Microsoft Entra ID. Microsoft Entra. https://learn.microsoft.com/en-us/entra/architecture/resilience-with-continuous-access-evaluation

(2024). Continuous access evaluation in Microsoft Entra. Microsoft Learn. https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation

(2025). Sign-in event details for Microsoft Entra multifactor authentication - Microsoft Entra ID | Microsoft Learn. Microsoft Learn. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-reporting

(2025). Non-interactive sign-in logs - Microsoft Entra ID. Microsoft Learn. https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-noninteractive-sign-ins

(2024). Protecting Tokens in Microsoft Entra ID. Microsoft Entra ID | Microsoft Learn. https://learn.microsoft.com/en-us/entra/identity/devices/protecting-tokens-microsoft-entra-id

(June 26, 2025). Microsoft Entra ID vulnerability allows full account takeover – and takes barely any effort. Semperis. https://www.techradar.com/pro/security/microsoft-entra-id-vulnerability-allows-full-account-takeover-and-takes-barely-any-effort
