Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource

Elastic Detection Rules

Summary
This detection rule identifies the first occurrence of an OAuth 2.0 authorization code grant flow for a specific combination of client application, target resource, and user principal within Microsoft Entra ID. The rule flags instances where developer tools such as Azure CLI, Visual Studio Code, and Azure PowerShell are used by users who have never previously interacted with those tools, or where applications in the Family of Client IDs (FOCI) access the now-deprecated Windows Azure Active Directory resource. Such behavior is suspicious and may indicate OAuth phishing, including techniques like ConsentFix, in which attackers obtain authorization codes to gain unauthorized access to user accounts. Investigative steps include reviewing the user's sign-in history, the application and resource IDs involved, the geographic source of the access, whether the sign-in was non-interactive, and any subsequent activity that may be linked to the OAuth flow. Remediation actions involve confirming the activity with the user, revoking tokens, and educating users about phishing risks.
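As an added illustration (not Elastic's rule code), the first-seen logic the summary describes, prototyped in Python over constructed sign-in records; the simplified field names, the FOCI membership list and the baseline cutoff are assumptions made for the example:

```python
# Constructed Entra ID sign-in records (not real log data). Field names are simplified
# stand-ins for userPrincipalName / appDisplayName / resourceDisplayName and the grant type.
SIGN_INS = [
    {"ts": "2025-11-03T08:12:00Z", "user": "alice@example.com", "app": "Azure CLI",
     "resource": "Microsoft Graph", "grant": "authorization_code"},
    {"ts": "2025-12-17T09:01:00Z", "user": "alice@example.com", "app": "Azure CLI",
     "resource": "Microsoft Graph", "grant": "authorization_code"},
    {"ts": "2025-12-17T09:02:00Z", "user": "bob@example.com", "app": "Azure CLI",
     "resource": "Microsoft Graph", "grant": "authorization_code"},
    {"ts": "2025-12-17T09:03:00Z", "user": "carol@example.com", "app": "Microsoft Office",
     "resource": "Windows Azure Active Directory", "grant": "authorization_code"},
    {"ts": "2025-12-17T09:04:00Z", "user": "carol@example.com", "app": "Microsoft Office",
     "resource": "Microsoft Graph", "grant": "authorization_code"},
    {"ts": "2025-12-17T09:05:00Z", "user": "dave@example.com", "app": "Visual Studio Code",
     "resource": "Microsoft Graph", "grant": "refresh_token"},
]

DEV_TOOLS = {"Azure CLI", "Visual Studio Code", "Azure PowerShell"}
# Assumed FOCI members for illustration; a production rule keys on the documented FOCI client IDs.
FOCI_APPS = {"Microsoft Office", "Microsoft Teams"}
DEPRECATED_RESOURCE = "Windows Azure Active Directory"


def suspicious_combination(app, resource):
    """Rule condition: a developer tool, or a FOCI app targeting the deprecated AAD resource."""
    return app in DEV_TOOLS or (app in FOCI_APPS and resource == DEPRECATED_RESOURCE)


def first_seen_alerts(events, baseline_end):
    """Alert on the first authorization-code grant of each (user, app, resource) triple
    observed after baseline_end. Earlier events only seed the 'seen' set, so a combination
    that was already established does not fire on the first day the rule runs."""
    seen, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["grant"] != "authorization_code":   # only the auth-code flow is in scope
            continue
        key = (ev["user"], ev["app"], ev["resource"])
        if key in seen:
            continue
        seen.add(key)
        if ev["ts"] < baseline_end:               # historical record: learn, do not alert
            continue
        if suspicious_combination(ev["app"], ev["resource"]):
            alerts.append({"ts": ev["ts"], "user": ev["user"],
                           "app": ev["app"], "resource": ev["resource"]})
    return alerts


if __name__ == "__main__":
    for a in first_seen_alerts(SIGN_INS, baseline_end="2025-12-01T00:00:00Z"):
        print(f"{a['ts']} first-seen grant: {a['user']} via {a['app']} -> {a['resource']}")
```

Alice's Azure CLI use is already known from the baseline and stays quiet, while Bob's first Azure CLI grant and Carol's FOCI app hitting the deprecated resource both surface for investigation.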
Categories
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Cloud Service
  • Application Log
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1078
  • T1078.004
  • T1566
  • T1566.002
  • T1528
Created: 2025-12-17