
Okta Sign-In Events via Third-Party IdP

Elastic Detection Rules

Summary
The rule detects sign-in events in an Okta environment that are authenticated through a third-party identity provider (IdP). An adversary who has obtained administrative access to an Okta tenant may add an IdP under their control and then sign in to tenant accounts through it; the rule fires on the sign-in, and the earlier addition of the IdP is the step an analyst should look for when investigating. Investigation should start from the Okta fields in the matching event that identify the IdP, the actor and the client (source IP and device), and should confirm with the tenant owners that the IdP is authorized and that any recent change to it was expected. Remediation for an unauthorized IdP may involve deactivating it, resetting the affected users' passwords, enforcing MFA, and blocking the suspicious IPs or devices. False positives are expected when the third-party IdP is legitimate, or when an authorized IdP is misconfigured and produces unusual sign-in events. The rule requires the Okta Fleet integration, or ingested data with a compatible field structure, to work.
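The detection idea described above, run over constructed Okta System Log records, as an added example that is not Elastic's rule code and does not reproduce the rule's query. It consumes raw Okta System Log JSON (as returned by the Okta API) rather than the ECS fields the Fleet integration produces; the set of event types treated as IdP sign-ins, the assumption that the IdP appears as a `target` entry of type `IdentityProvider`, the allowlist `AUTHORIZED_IDPS`, and all user names and addresses are assumptions made for the example.

```python
"""Added example: flag Okta sign-ins brokered by a third-party IdP and
triage them against an allowlist. Not Elastic's rule code."""
import json
from typing import Dict, Iterable, Iterator, List, Optional

# Okta System Log eventTypes that record a sign-in brokered by an external
# IdP (SAML/OIDC IdP or social IdP). Assumption: this is the set of interest
# for the example; the rule's own query is not reproduced here.
IDP_SIGNIN_EVENT_TYPES = frozenset({
    "user.authentication.auth_via_IDP",
    "user.authentication.auth_via_social",
})

# Hypothetical allowlist of IdPs the tenant owners have approved.
AUTHORIZED_IDPS = frozenset({"Corp Azure AD SAML"})

# Constructed sample of Okta System Log records (JSON lines), trimmed to the
# fields the check needs. IdP names, users and addresses are made up.
SAMPLE_LOG = """
{"eventType": "user.authentication.auth_via_IDP", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10"}, "target": [{"type": "IdentityProvider", "displayName": "Corp Azure AD SAML"}]}
{"eventType": "user.session.start", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "carol@example.com"}, "client": {"ipAddress": "203.0.113.11"}, "target": []}
{"eventType": "user.authentication.auth_via_social", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "198.51.100.77"}, "target": [{"type": "IdentityProvider", "displayName": "Unreviewed Social Login"}]}
{"eventType": "user.authentication.auth_via_IDP", "outcome": {"result": "FAILURE"}, "actor": {"alternateId": "dave@example.com"}, "client": {"ipAddress": "198.51.100.78"}, "target": [{"type": "IdentityProvider", "displayName": "Unreviewed Social Login"}]}
"""


def parse_events(raw: str) -> Iterator[dict]:
    """Yield one event dict per non-empty JSON line; skip unparsable lines."""
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def idp_name(event: dict) -> Optional[str]:
    """Return the display name of the IdP referenced by the event's targets.

    Assumption: the IdP is listed as a target of type "IdentityProvider";
    the constructed sample follows that layout.
    """
    for target in event.get("target") or []:
        if target.get("type") == "IdentityProvider":
            return target.get("displayName")
    return None


def detect_idp_signins(events: Iterable[dict],
                       authorized: frozenset = AUTHORIZED_IDPS) -> List[dict]:
    """Flag successful sign-ins brokered by a third-party IdP.

    Every such sign-in is returned, mirroring a rule that fires on any IdP
    sign-in; the "authorized" flag is the first triage question an analyst
    answers (is this IdP one the tenant owners approved?).
    """
    alerts = []
    for ev in events:
        if ev.get("eventType") not in IDP_SIGNIN_EVENT_TYPES:
            continue
        if (ev.get("outcome") or {}).get("result") != "SUCCESS":
            continue
        idp = idp_name(ev)
        alerts.append({
            "user": (ev.get("actor") or {}).get("alternateId"),
            "idp": idp,
            "source_ip": (ev.get("client") or {}).get("ipAddress"),
            "authorized": idp in authorized,
            "event_type": ev["eventType"],
        })
    return alerts


def triage(alerts: List[dict]) -> Dict[str, List[dict]]:
    """Split alerts into ones to close as expected and ones to escalate."""
    out: Dict[str, List[dict]] = {"expected": [], "escalate": []}
    for alert in alerts:
        out["expected" if alert["authorized"] else "escalate"].append(alert)
    return out


if __name__ == "__main__":
    found = detect_idp_signins(parse_events(SAMPLE_LOG))
    for bucket, items in triage(found).items():
        for a in items:
            print(f"[{bucket}] {a['user']} via {a['idp']!r} from {a['source_ip']}")
```

The password-based `user.session.start` record and the failed IdP sign-in are deliberately not flagged: the first is not an IdP sign-in at all, and the second never produced a session. Of the two matches, the one through the allowlisted IdP is the expected false positive the summary warns about, while the sign-in through an IdP nobody approved is the case that warrants checking the tenant's IdP configuration history and the actions listed under remediation.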
Categories
  • Identity Management
  • Cloud
  • Web
Data Sources
  • User Account
  • Malware Repository
  • Service
  • Cloud Service
ATT&CK Techniques
  • T1199
Created: 2023-11-06