Last Updated: March 2026
If you regularly monitor authentication activity in Microsoft 365 or Microsoft Entra ID (formerly Azure Active Directory), you may have noticed an unusual status appearing in the sign-in logs: “Interrupted.”
Unlike Success or Failure, the Interrupted status is often confusing for administrators because it does not clearly indicate whether the login attempt succeeded, failed, or was blocked by policy.
In security monitoring platforms such as Microsoft Sentinel, Defender XDR, or third-party SIEM tools, these entries can generate alerts, trigger investigations, or create unnecessary noise if misunderstood.
This guide explains:
- What the Interrupted sign-in status actually means
- The most common reasons it appears in Microsoft 365 logs
- How Conditional Access, MFA, and user behavior trigger this status
- How to investigate these events in a real-world enterprise environment
If you manage identity security, cloud authentication, or SIEM ingestion, understanding this status will help you avoid false positives, improve log analysis, and strengthen identity monitoring.
Quick Fix Summary
If you see “Interrupted” in Microsoft 365 sign-in logs, the most common causes are:
- The user abandoned the login process before completing authentication.
- Conditional Access policies required additional steps (such as MFA) that were never completed.
- The authentication session timed out before completion.
- The user closed the browser or authentication window during login.
In most environments, Interrupted sign-ins are not security incidents, but they are useful indicators of authentication friction or policy enforcement.
What Does “Interrupted” Mean in Microsoft 365 Sign-In Logs?
Within Microsoft Entra ID authentication logs, the Interrupted status indicates that the authentication process started but did not finish.
The login flow reached an intermediate step but never completed the full authentication sequence.
In other words:
| Status | Meaning |
|---|---|
| Success | Authentication completed successfully |
| Failure | Authentication attempt was rejected |
| Interrupted | Authentication started but stopped before completion |
This typically happens before the final token is issued.
The identity platform began processing the request but the authentication pipeline terminated prematurely.
Where You See the “Interrupted” Status
Administrators commonly encounter this status in:
- Microsoft Entra ID Sign-in Logs
- Microsoft Sentinel log ingestion
- Defender XDR Advanced Hunting
- Third-party SIEM platforms
- Conditional Access monitoring reports
Fields where this appears include:
- Status
- Authentication Details
- Conditional Access evaluation
- Failure reason
Most Common Causes of Interrupted Sign-Ins
In real-world enterprise environments, the majority of Interrupted sign-ins are benign. Below are the most common reasons.
1. User Abandoned the Login Process
This is the most frequent cause.
Example scenario:
- User opens Microsoft 365
- Enters their username
- The MFA prompt appears
- User closes the browser or navigates away
The authentication pipeline stops and the sign-in is recorded as Interrupted.
This commonly happens when:
- Users accidentally start authentication
- Multiple login windows are opened
- A user begins login but switches devices
2. Conditional Access Required MFA but It Was Never Completed
If Multi-Factor Authentication is required, Microsoft Entra ID waits for the second authentication factor.
If the MFA step never occurs, the login will eventually be marked as Interrupted.
Example flow:
- User enters credentials
- Conditional Access policy requires MFA
- MFA prompt is sent to the user
- The user ignores the prompt
Result:
The login remains incomplete and the session is logged as Interrupted.
3. Browser or Authentication Session Timeout
Authentication flows rely on session tokens that have time limits.
If a user waits too long between authentication steps, the process expires.
Example:
- User begins login
- Gets distracted
- Returns 10–15 minutes later
- The authentication token has expired
This results in an Interrupted event.
4. Application Redirect Flow Was Broken
Some cloud applications rely on OAuth redirects during authentication.
If this redirect fails or is interrupted, authentication may not finish.
Common causes include:
- Browser extensions blocking redirects
- Third-party cookie restrictions
- Network filtering or proxy interference
- Endpoint security products interrupting sessions
5. Conditional Access Policy Evaluation Stopped the Flow
In some cases, Conditional Access policies evaluate the request but the user never completes the required action.
Examples:
- Device compliance required
- Hybrid join verification
- Terms of Use acceptance
- App protection policy requirements
If the user never completes the step, the authentication flow remains incomplete.
How to Investigate an Interrupted Sign-In
If you are reviewing logs for security investigations, follow this structured process.
Step 1: Open Microsoft Entra Sign-In Logs
Navigate to:
Microsoft Entra Admin Center → Identity → Monitoring → Sign-in Logs
Locate the Interrupted event.
Step 2: Review the Authentication Details
Check the Authentication Details section.
Look for:
- MFA requested but not completed
- Password entered successfully
- Device authentication status
This helps determine where the process stopped.
Step 3: Check Conditional Access Results
Expand the Conditional Access tab.
Look for:
- Policies triggered
- MFA enforcement
- Device compliance requirements
- Location restrictions
Often the login stopped waiting for a policy requirement.
Step 4: Review the Client App and Device Information
The Client App and Device fields can reveal useful patterns.
Example indicators:
- Legacy authentication clients
- Mobile device authentication
- Browser-based login attempts
In some cases, mobile apps start authentication flows that the user never finishes.
Real-World Example From a Security Operations Perspective
In large Microsoft 365 environments (500–5000 users), it’s common to see thousands of Interrupted events daily.
Typical causes include:
- Users dismissing MFA prompts
- Mobile email clients starting background authentication
- Conditional Access requiring device compliance
- Expired browser sessions
When sending identity logs to SIEM platforms like Microsoft Sentinel, inexperienced analysts sometimes misinterpret these events as:
- brute-force login attempts
- authentication failures
- suspicious activity
In reality, most Interrupted events represent incomplete user activity rather than malicious behavior.
However, they can still be useful signals when combined with other indicators such as:
- impossible travel events
- repeated MFA prompts
- high-risk sign-ins
Additional Tips for Identity Monitoring
Experienced administrators often implement the following practices:
Filter Interrupted Events in SIEM Alerts
Avoid alert fatigue by filtering common authentication noise.
Example strategy:
- Alert on failed logins
- Alert on risky sign-ins
- Exclude standalone Interrupted events
Investigate Unusual Patterns
Interrupted events can still be useful when you see:
- Hundreds from the same IP address
- Repeated attempts targeting one user
- Unusual geographic locations
These may indicate credential-stuffing attempts that never completed authentication.
Monitor MFA Fatigue Attacks
Interrupted events may appear during MFA fatigue attacks, where attackers repeatedly trigger MFA prompts.
Watch for:
- High volume MFA attempts
- User denying MFA repeatedly
- Interrupted followed by failed attempts
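The filtering and correlation practices above, sketched as an added example that is not part of the original guide: standalone Interrupted events are ignored, while a burst from one IP address or a burst against one user followed by a failure produces a finding. The record fields (time, user, ip, status), the thresholds, and the sample events are assumptions constructed for illustration, not the Entra ID export schema or Microsoft defaults.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values and record fields (time, user, ip, status): a
# hypothetical normalized SIEM schema, not the Entra ID export format.
WINDOW = timedelta(minutes=10)
IP_THRESHOLD = 5     # Interrupted events from one IP inside WINDOW
USER_THRESHOLD = 4   # Interrupted events for one user inside WINDOW

def _burst(times, threshold):
    """True if `threshold` timestamps fall inside a single WINDOW."""
    times = sorted(times)
    return any(times[i + threshold - 1] - times[i] <= WINDOW
               for i in range(len(times) - threshold + 1))

def triage(events):
    """Return sorted findings; standalone Interrupted events yield none."""
    by_ip, by_user, failures = defaultdict(list), defaultdict(list), defaultdict(list)
    for e in events:
        t = datetime.fromisoformat(e["time"])
        if e["status"] == "Interrupted":
            by_ip[e["ip"]].append(t)
            by_user[e["user"]].append(t)
        elif e["status"] == "Failure":
            failures[e["user"]].append(t)
    findings = []
    for ip, times in by_ip.items():
        if _burst(times, IP_THRESHOLD):
            findings.append(("interrupted_burst_from_ip", ip))
    for user, times in by_user.items():
        # Burst of Interrupted events, then a Failure for the same user.
        if _burst(times, USER_THRESHOLD) and any(
                min(times) < f <= max(times) + WINDOW for f in failures[user]):
            findings.append(("interrupted_then_failure", user))
    return sorted(findings)

def _ev(minute, user, ip, status):
    return {"time": f"2026-03-01T09:{minute:02d}:00",
            "user": user, "ip": ip, "status": status}

# Constructed sample data (documentation IP ranges, made-up users).
SAMPLE = (
    [_ev(0, "alice@example.com", "198.51.100.7", "Interrupted"),  # standalone
     _ev(1, "alice@example.com", "198.51.100.7", "Success")]
    + [_ev(m, f"user{m}@example.com", "203.0.113.50", "Interrupted") for m in range(10, 16)]
    + [_ev(m, "bob@example.com", "192.0.2.9", "Interrupted") for m in range(20, 24)]
    + [_ev(25, "bob@example.com", "192.0.2.9", "Failure")]
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Tune the window and thresholds against your own baseline volume before using logic like this to drive alerts.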
FAQ
Why do Microsoft 365 sign-in logs show “Interrupted”?
This status appears when the authentication process starts but never completes. The user may abandon the login, ignore an MFA prompt, or the session may expire before authentication finishes.
Is an Interrupted sign-in a security risk?
Usually not. Most interrupted events are caused by users abandoning login attempts or failing to complete MFA. However, patterns of repeated interrupted logins may indicate suspicious activity.
Can Conditional Access cause Interrupted sign-ins?
Yes. If Conditional Access requires MFA, device compliance, or Terms of Use acceptance and the user does not complete the step, the login may be recorded as Interrupted.
Do Interrupted sign-ins count as failed login attempts?
No. They are classified separately from failed authentication attempts because the process never completed.
Should Interrupted events trigger SIEM alerts?
In most environments they should not trigger alerts on their own, but they can be useful when correlated with other signals like impossible travel, high-risk sign-ins, or suspicious IP addresses.
Conclusion
The “Interrupted” status in Microsoft 365 sign-in logs is one of the most misunderstood authentication events in the identity monitoring ecosystem.
Rather than indicating a failed login or malicious activity, it usually represents a login process that started but was never completed.
Understanding the underlying causes, such as **MFA prompts, Conditional Access requirements, session timeouts, and user behavior**, helps administrators correctly interpret identity logs and reduce false alarms in SIEM systems.
For organizations ingesting identity data into security platforms like Microsoft Sentinel, properly interpreting these events is critical for maintaining accurate threat detection and avoiding alert fatigue.
This guide reflects the latest authentication behavior and terminology used in Microsoft Entra ID and Microsoft 365 sign-in logs.

From my early days on the helpdesk through roles as a service desk manager, systems administrator, and network engineer, I’ve spent more than 25 years in the IT world. As I transition into cyber security, my goal is to make tech a little less confusing by sharing what I’ve learned and helping others wherever I can.
