
Unusual ROPC Login Attempt by User Principal

Elastic Detection Rules

Summary
This rule detects unusual Resource Owner Password Credentials (ROPC) login attempts by user principals in Microsoft Entra ID. ROPC is a legacy authentication flow in which an application obtains tokens by submitting the user's credentials directly, which bypasses multi-factor authentication (MFA). Because of this, ROPC is attractive for unauthorized access, particularly during password attacks such as enumeration or spraying. This New Terms rule alerts on ROPC attempts that have not been associated with the user principal in the last 10 days, which indicates potentially abusive or otherwise unusual activity. Investigative steps include examining sign-in logs for the user principal name, authentication protocol, user agent, application identifier, and IP details. The rule also includes guidance for assessing false positives, since legitimate applications may invoke ROPC for valid reasons. Recommendations include blocking malicious attempts, enforcing MFA, and improving conditional access policies.
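The following is an added example, not Elastic's rule logic or query: a minimal "new terms" style evaluation that flags an ROPC sign-in when the user principal has had no ROPC sign-in in the preceding 10 days. The event field names (`user`, `protocol`, `app_id`, `ip`) and the sample events are constructed for the example and are not taken from the rule.

```python
from datetime import datetime, timedelta

BASELINE = timedelta(days=10)  # look-back window described in the rule summary

# Constructed sample sign-in events (not real data). Field names are
# simplified stand-ins for ECS-style Entra ID sign-in log fields.
SAMPLE_EVENTS = [
    {"@timestamp": "2025-06-05T07:30:00Z", "user": "alice@example.com",
     "protocol": "ropc", "app_id": "app-legacy-mail", "ip": "203.0.113.10"},
    {"@timestamp": "2025-06-20T08:00:00Z", "user": "alice@example.com",
     "protocol": "ropc", "app_id": "app-legacy-mail", "ip": "203.0.113.10"},
    {"@timestamp": "2025-06-28T09:15:00Z", "user": "alice@example.com",
     "protocol": "ropc", "app_id": "app-legacy-mail", "ip": "203.0.113.10"},
    {"@timestamp": "2025-07-01T10:00:00Z", "user": "bob@example.com",
     "protocol": "none", "app_id": "app-portal", "ip": "198.51.100.5"},
    {"@timestamp": "2025-07-01T10:05:00Z", "user": "bob@example.com",
     "protocol": "ropc", "app_id": "app-unknown", "ip": "192.0.2.77"},
    {"@timestamp": "2025-07-01T10:06:00Z", "user": "bob@example.com",
     "protocol": "ropc", "app_id": "app-unknown", "ip": "192.0.2.77"},
]


def _ts(event):
    """Parse the ISO-8601 timestamp (trailing 'Z' means UTC)."""
    return datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))


def unusual_ropc_logins(events, window=BASELINE):
    """Return ROPC events whose user principal had no ROPC sign-in within
    the preceding `window`. Events are processed in time order so the
    baseline is built from history only; the first ROPC sign-in ever seen
    for a user is therefore also flagged, as a new-terms rule would."""
    last_seen = {}  # user principal -> timestamp of most recent ROPC sign-in
    alerts = []
    for ev in sorted(events, key=_ts):
        if ev.get("protocol", "").lower() != "ropc":
            continue  # only the ROPC flow is in scope for this rule
        when = _ts(ev)
        prior = last_seen.get(ev["user"])
        if prior is None or when - prior > window:
            alerts.append(ev)
        last_seen[ev["user"]] = when
    return alerts


if __name__ == "__main__":
    for hit in unusual_ropc_logins(SAMPLE_EVENTS):
        print(hit["@timestamp"], hit["user"], hit["app_id"], hit["ip"])
```

In the sample data, Alice's second ROPC sign-in is flagged because it falls 15 days after her first, while her third is not (8 days), and Bob's first ROPC attempt from an unfamiliar application is flagged; in a real investigation the application identifier, user agent and IP on the flagged event are what distinguish a legitimate legacy client from a password attack.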
Categories
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1078
  • T1078.004
Created: 2025-07-02