Entra ID OAuth Device Code Sign-in to Azure AD Graph Enumeration

Elastic Detection Rules

Summary
Detects a correlated sequence in which an attacker uses Entra ID device-code authentication to redeem an access token for the legacy Azure AD Graph audience (00000002-0000-0000-c000-000000000000) from an unmanaged device, then immediately uses that token to enumerate directory data via Microsoft Graph. This pattern indicates device-code phishing and token harvesting: the attacker uses the compromised identity to query users, groups, service principals, applications, role assignments, directory objects, policies, OAuth permission grants, or tenant details within a short window (typically 5 minutes). The rule joins Entra ID sign-in logs (device_code flow, unmanaged device) with Graph activity logs (directory enumeration) to identify malicious token reuse and the follow-on discovery activity performed with the stolen token rather than the user's credentials. It highlights attacker-in-the-middle behavior (token redeemed from one IP, Graph activity from another) and applies to environments where both Entra ID Sign-in Logs and Azure AD Graph Activity Logs are ingested. The investigation guidance maps to credential access and discovery techniques, with remediation focused on token revocation, session termination, and conditional access changes that block device-code flows from unmanaged devices or untrusted apps. In short, the rule detects a high-risk path where device-code phishing yields a token that is then used to enumerate critical cloud directory data under the attacker's control.
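The correlation the rule describes, as an added illustration that is not the Elastic rule's own query: a device-code sign-in for the Azure AD Graph audience from an unmanaged device is paired with Graph requests from the same user against directory endpoints within the 5-minute window, and the IP mismatch is flagged. The event field names, the sample events, and the mapping from the listed object types to Graph paths are all assumptions constructed for this example, not the Elastic schema.

```python
from datetime import datetime, timedelta

# Legacy Azure AD Graph audience named in the rule; 5-minute window from the rule.
AAD_GRAPH_AUDIENCE = "00000002-0000-0000-c000-000000000000"
WINDOW = timedelta(minutes=5)
# Microsoft Graph paths corresponding to the object types the rule lists
# (assumed mapping for this example).
ENUM_PREFIXES = ("/users", "/groups", "/servicePrincipals", "/applications",
                 "/roleManagement", "/directoryObjects", "/policies",
                 "/oauth2PermissionGrants", "/organization")

# Constructed sample events with a simplified field layout (not the Elastic schema).
SIGNINS = [
    {"ts": "2026-05-22T10:00:00", "user": "u1", "protocol": "deviceCode",
     "resource": AAD_GRAPH_AUDIENCE, "managed": False, "ip": "203.0.113.10"},
    {"ts": "2026-05-22T10:00:05", "user": "u2", "protocol": "deviceCode",
     "resource": AAD_GRAPH_AUDIENCE, "managed": True, "ip": "203.0.113.11"},
    {"ts": "2026-05-22T10:00:10", "user": "u3", "protocol": "none",
     "resource": AAD_GRAPH_AUDIENCE, "managed": False, "ip": "203.0.113.12"},
]
GRAPH = [
    {"ts": "2026-05-22T10:01:00", "user": "u1", "path": "/v1.0/me/photo", "ip": "203.0.113.10"},
    {"ts": "2026-05-22T10:02:30", "user": "u1", "path": "/v1.0/users", "ip": "198.51.100.7"},
    {"ts": "2026-05-22T10:30:00", "user": "u1", "path": "/v1.0/groups", "ip": "198.51.100.7"},
    {"ts": "2026-05-22T10:01:00", "user": "u2", "path": "/v1.0/users", "ip": "203.0.113.11"},
    {"ts": "2026-05-22T10:01:00", "user": "u3", "path": "/v1.0/users", "ip": "203.0.113.12"},
]

def is_enumeration(path):
    """True if the request path targets one of the directory enumeration endpoints."""
    parts = path.split("/", 2)  # drop the API version segment (/v1.0 or /beta)
    rest = "/" + parts[2] if len(parts) > 2 else path
    return rest.startswith(ENUM_PREFIXES)

def correlate(signins, graph_events, window=WINDOW):
    """Return one alert per qualifying sign-in paired with a Graph enumeration call."""
    alerts = []
    for s in signins:
        # Only device-code redemptions for the AAD Graph audience from unmanaged devices.
        if s["protocol"] != "deviceCode" or s["resource"] != AAD_GRAPH_AUDIENCE or s["managed"]:
            continue
        t0 = datetime.fromisoformat(s["ts"])
        for g in graph_events:
            tg = datetime.fromisoformat(g["ts"])
            if g["user"] != s["user"] or not t0 <= tg <= t0 + window:
                continue
            if is_enumeration(g["path"]):
                alerts.append({"user": s["user"], "path": g["path"], "signin_ip": s["ip"],
                               "graph_ip": g["ip"], "ip_mismatch": s["ip"] != g["ip"]})
    return alerts
```

Only user u1 produces an alert here: u2 signed in from a managed device, u3 did not use the device-code flow, and u1's other Graph calls are either not enumeration or fall outside the window.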
Categories
  • Cloud
  • Identity Management
  • Web
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1528
  • T1078
  • T1078.004
  • T1069
  • T1069.003
  • T1087
  • T1087.004
  • T1526
Created: 2026-05-22