
Summary
The Azure Domain Federation Settings Modified detection rule monitors changes to domain federation settings within a Microsoft Entra ID environment. The primary threat is an adversary who has obtained administrative credentials and uses them to alter federation trust configurations and OpenID Connect (OIDC) discovery endpoints. Such alterations can allow attackers to federate an Azure tenant with an identity provider they control, potentially facilitating unauthorized access and circumventing multi-factor authentication (MFA). If successful, these modifications can give attackers persistent access and let them redirect authentication flows to infrastructure they operate. To mitigate the risk, the rule advises administrators to closely monitor audit logs for any changes to federation settings and to confirm that legitimate modifications went through proper change management.
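The summary asks administrators to watch audit logs for federation-setting changes. The following is an added triage example, not the rule's own logic or any vendor code: it scans newline-delimited JSON records in a shape modelled on Entra ID audit log exports, keeps only successful operations that modify domain authentication or federation settings, and extracts who made the change, from where, on which domain, and which properties moved. The operation names in FEDERATION_OPERATIONS, the field names (operationName, result, initiatedBy, targetResources, modifiedProperties) and the sample records are assumptions constructed for the example; confirm them against your tenant's audit log before relying on them.

```python
import json

# Assumed Entra ID audit log operation names that record a change to a
# domain's authentication or federation configuration (verify in your tenant).
FEDERATION_OPERATIONS = {
    "Set federation settings on domain.",
    "Set domain authentication.",
}


def is_federation_change(record):
    """True when the record is a successful federation-setting modification."""
    return (
        record.get("operationName") in FEDERATION_OPERATIONS
        and record.get("result") == "success"
    )


def triage(record):
    """Pull out the fields an analyst needs to confirm the change was
    authorised: who, from where, which domain, and which properties changed."""
    actor = record.get("initiatedBy", {}).get("user", {})
    targets = record.get("targetResources", [])
    target = targets[0] if targets else {}
    changed = {}
    for prop in target.get("modifiedProperties", []):
        name = prop.get("displayName")
        if name:
            changed[name] = prop.get("newValue")
    return {
        "time": record.get("activityDateTime"),
        "operation": record.get("operationName"),
        "actor": actor.get("userPrincipalName"),
        "ip": actor.get("ipAddress"),
        "domain": target.get("displayName"),
        "changed": changed,
    }


def find_federation_changes(raw_lines):
    """Scan newline-delimited JSON audit records and return triage entries
    for every successful federation-setting change found."""
    hits = []
    for line in raw_lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed export line; skip rather than abort the scan
        if is_federation_change(record):
            hits.append(triage(record))
    return hits


# Constructed sample records (assumed shape, not real tenant data): one
# successful federation change, one failed attempt, one unrelated operation,
# and one malformed line.
SAMPLE_LOG = [
    json.dumps({
        "activityDateTime": "2026-01-31T10:15:00Z",
        "operationName": "Set federation settings on domain.",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.com",
                                 "ipAddress": "203.0.113.10"}},
        "targetResources": [{
            "displayName": "example.com",
            "modifiedProperties": [
                {"displayName": "IssuerUri",
                 "newValue": "\"http://unexpected-idp.example.invalid/adfs/services/trust\""},
                {"displayName": "PassiveLogOnUri",
                 "newValue": "\"https://unexpected-idp.example.invalid/adfs/ls/\""},
            ],
        }],
    }),
    json.dumps({
        "activityDateTime": "2026-01-31T10:16:00Z",
        "operationName": "Set federation settings on domain.",
        "result": "failure",
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com",
                                 "ipAddress": "198.51.100.7"}},
        "targetResources": [{"displayName": "example.com", "modifiedProperties": []}],
    }),
    json.dumps({
        "activityDateTime": "2026-01-31T10:17:00Z",
        "operationName": "Add user.",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.com",
                                 "ipAddress": "203.0.113.10"}},
        "targetResources": [{"displayName": "newhire@example.com"}],
    }),
    "this line is not JSON",
]


if __name__ == "__main__":
    for hit in find_federation_changes(SAMPLE_LOG):
        print(json.dumps(hit, indent=2))
```

Each returned entry is what you would compare against the change-management record: the actor and source IP should match an approved request, and the new IssuerUri and PassiveLogOnUri values should point at the organisation's own identity provider. Failed attempts are deliberately excluded here to mirror the rule's focus on completed modifications, but they are worth a separate, lower-severity alert.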
Categories
- Cloud
- Identity Management
- Azure
- Application
Data Sources
- User Account
- Cloud Service
- Application Log
- Logon Session
- Network Traffic
ATT&CK Techniques
- T1556
- T1556.006
Created: 2026-01-31