
Suspicious Activity via Auth Broker On-Behalf-of Principal User

Elastic Detection Rules

Summary
This detection rule identifies potential unauthorized access attempts involving the Microsoft Authentication Broker in Microsoft Entra ID sign-in logs. It focuses on activity that may indicate an adversary using a compromised OAuth refresh token or Primary Refresh Token (PRT) to impersonate a user and gain access to various Microsoft services. The detection criteria monitor sign-ins from multiple unique IP addresses across several services, specifically Microsoft Graph, the Device Registration Service (DRS), and Azure Active Directory (AAD), within a short time span. The rule collects relevant fields such as timestamps, identities, user principal names, incoming token types, user agents, and operating systems to help analysts investigate possible misuse of authentication tokens and devices. False positives are noted for legitimate registrations but are uncommon for the scenario described, so any flagged activity requires careful analysis.
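The following is an added illustration of the detection logic the summary describes, written for this page and not taken from the Elastic rule itself or its query. It runs a sliding-window correlation over a handful of constructed Entra ID sign-in events: for each user principal name, it looks for Authentication Broker sign-ins from several distinct source IPs that reach more than one of the three named services within a short window, and it surfaces the investigative fields the summary lists. The field names, the 30-minute window and the thresholds (at least two IPs, at least two services) are assumptions chosen for the example; the real rule's mapping and thresholds are not shown on this page.

```python
"""Toy correlation of Entra ID sign-in events for Authentication Broker token misuse.

Added example; field names, window and thresholds are assumptions, not the rule's.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Client application the summary is concerned with (assumed display name).
BROKER_APP = "Microsoft Authentication Broker"

# The three services the summary names, spelled as they appear in our sample input.
WATCHED_SERVICES = {
    "Microsoft Graph",
    "Device Registration Service",
    "Windows Azure Active Directory",
}

# Token types the summary mentions as candidates for replay by an adversary.
TOKEN_TYPES = {"primaryRefreshToken", "refreshToken"}

# Constructed sample events (not real log lines).
# alice: broker sign-ins from three IPs to three services within ten minutes.
# bob:   a normal-looking device registration from a single IP.
# carol: two IPs, but hours apart and only one service.
SAMPLE_EVENTS = [
    {"ts": "2025-04-30T10:00:00Z", "upn": "alice@example.com", "app": BROKER_APP,
     "resource": "Microsoft Graph", "ip": "198.51.100.10",
     "token_type": "primaryRefreshToken", "user_agent": "Mozilla/5.0 (Windows NT 10.0)", "os": "Windows 10"},
    {"ts": "2025-04-30T10:04:00Z", "upn": "alice@example.com", "app": BROKER_APP,
     "resource": "Device Registration Service", "ip": "203.0.113.7",
     "token_type": "primaryRefreshToken", "user_agent": "Mozilla/5.0 (Windows NT 10.0)", "os": "Windows 10"},
    {"ts": "2025-04-30T10:09:00Z", "upn": "alice@example.com", "app": BROKER_APP,
     "resource": "Windows Azure Active Directory", "ip": "192.0.2.25",
     "token_type": "refreshToken", "user_agent": "python-requests/2.31", "os": "Linux"},
    {"ts": "2025-04-30T10:10:00Z", "upn": "alice@example.com", "app": "Outlook",
     "resource": "Microsoft Graph", "ip": "198.51.100.99",
     "token_type": "refreshToken", "user_agent": "Outlook/16.0", "os": "Windows 10"},
    {"ts": "2025-04-30T11:00:00Z", "upn": "bob@example.com", "app": BROKER_APP,
     "resource": "Device Registration Service", "ip": "198.51.100.20",
     "token_type": "primaryRefreshToken", "user_agent": "Mozilla/5.0 (Windows NT 10.0)", "os": "Windows 11"},
    {"ts": "2025-04-30T11:01:00Z", "upn": "bob@example.com", "app": BROKER_APP,
     "resource": "Windows Azure Active Directory", "ip": "198.51.100.20",
     "token_type": "primaryRefreshToken", "user_agent": "Mozilla/5.0 (Windows NT 10.0)", "os": "Windows 11"},
    {"ts": "2025-04-30T11:02:00Z", "upn": "bob@example.com", "app": BROKER_APP,
     "resource": "Microsoft Graph", "ip": "198.51.100.20",
     "token_type": "primaryRefreshToken", "user_agent": "Mozilla/5.0 (Windows NT 10.0)", "os": "Windows 11"},
    {"ts": "2025-04-30T12:00:00Z", "upn": "carol@example.com", "app": BROKER_APP,
     "resource": "Microsoft Graph", "ip": "198.51.100.30",
     "token_type": "primaryRefreshToken", "user_agent": "Mozilla/5.0 (Windows NT 10.0)", "os": "Windows 10"},
    {"ts": "2025-04-30T14:30:00Z", "upn": "carol@example.com", "app": BROKER_APP,
     "resource": "Microsoft Graph", "ip": "203.0.113.9",
     "token_type": "primaryRefreshToken", "user_agent": "Mozilla/5.0 (Windows NT 10.0)", "os": "Windows 10"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_users(events, window=timedelta(minutes=30), min_ips=2, min_services=2):
    """Return {upn: summary} for users whose broker sign-ins, inside one window,
    come from at least `min_ips` distinct IPs and touch at least `min_services`
    of the watched services. Only events using the watched token types count."""
    by_user = defaultdict(list)
    for e in events:
        if e["app"] != BROKER_APP or e["resource"] not in WATCHED_SERVICES:
            continue
        if e["token_type"] not in TOKEN_TYPES:
            continue
        by_user[e["upn"]].append(e)

    alerts = {}
    for upn, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        # Slide a window anchored at each event; the first window that meets
        # both thresholds produces the alert for that user.
        for i, start in enumerate(evs):
            t0 = parse_ts(start["ts"])
            bucket = [e for e in evs[i:] if parse_ts(e["ts"]) - t0 <= window]
            ips = {e["ip"] for e in bucket}
            services = {e["resource"] for e in bucket}
            if len(ips) >= min_ips and len(services) >= min_services:
                alerts[upn] = {
                    "first_seen": bucket[0]["ts"],
                    "last_seen": bucket[-1]["ts"],
                    "source_ips": sorted(ips),
                    "services": sorted(services),
                    "token_types": sorted({e["token_type"] for e in bucket}),
                    "user_agents": sorted({e["user_agent"] for e in bucket}),
                    "operating_systems": sorted({e["os"] for e in bucket}),
                }
                break
    return alerts


if __name__ == "__main__":
    for upn, summary in find_suspicious_users(SAMPLE_EVENTS).items():
        print(upn, summary)
```

With the sample data only alice is flagged: bob's registration uses a single IP, so the rule's "multiple unique IP addresses" condition is not met even though all three services appear, and carol's two IPs fall outside one window and touch only one service. The event from a non-broker client application is ignored entirely, which mirrors the summary's focus on the Authentication Broker. Lowering `min_ips` to 1 would make bob's legitimate registration fire, which is the false-positive class the summary warns about.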
Categories
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1550
  • T1550.001
  • T1098
  • T1098.005
Created: 2025-04-30