
Summary
This rule detects changes to the OpenID Connect (OIDC) discovery URL configured in the Authentication Methods Policy of a Microsoft Entra ID tenant. The discovery URL is where Entra ID fetches an external identity provider's metadata (issuer, signing keys, endpoints), so an attacker who can change it can point authentication at a provider they control and obtain access while bypassing the tenant's multi-factor authentication controls. Detection uses the Entra ID audit logs delivered through Azure: the rule matches update operations on the authentication methods policy and surfaces those that modify the OIDC discovery URL. When such a change is seen, the rule recommends verifying who made it and whether it was authorised, confirming that the new URL belongs to an approved identity provider, and restoring the previous policy if it does not.
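As an added example (not the rule's own query and not Microsoft's code), the following Python applies the detection logic described above to a few constructed audit records. The record layout loosely follows the Entra ID audit log schema (operationName, initiatedBy, targetResources[].modifiedProperties[] with oldValue/newValue); the operation name "Authentication Methods Policy Update", the property name "OidcDiscoveryUrl" and the trusted-host allowlist are assumptions made for illustration rather than identifiers taken from the page. The detection keys on the well-known discovery path rather than on the property name, so it still fires if the property is named differently, and it rates a change higher when the new URL leaves the allowlist or is not HTTPS.

```python
import json
from urllib.parse import urlparse

# Constructed sample records, loosely modelled on the Microsoft Entra ID audit log
# schema. The operation name and the "OidcDiscoveryUrl" property name are
# assumptions for this example, not documented identifiers from the rule or Microsoft.
SAMPLE_AUDIT_LOGS = [
    {   # benign: admin moves the external method to another corporate IdP on the allowlist
        "operationName": "Authentication Methods Policy Update",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [{
            "displayName": "Authentication Methods Policy",
            "modifiedProperties": [{
                "displayName": "OidcDiscoveryUrl",
                "oldValue": json.dumps("https://idp.contoso.example/.well-known/openid-configuration"),
                "newValue": json.dumps("https://sso.contoso.example/.well-known/openid-configuration"),
            }],
        }],
    },
    {   # suspicious: discovery URL redirected to an unknown, look-alike host over plain HTTP
        "operationName": "Authentication Methods Policy Update",
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
        "targetResources": [{
            "displayName": "Authentication Methods Policy",
            "modifiedProperties": [{
                "displayName": "OidcDiscoveryUrl",
                "oldValue": json.dumps("https://sso.contoso.example/.well-known/openid-configuration"),
                "newValue": json.dumps("http://sso-contoso.attacker.example/.well-known/openid-configuration"),
            }],
        }],
    },
    {   # unrelated policy update: no OIDC URL involved, must not produce a finding
        "operationName": "Authentication Methods Policy Update",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [{
            "displayName": "Authentication Methods Policy",
            "modifiedProperties": [{
                "displayName": "FidoState",
                "oldValue": json.dumps("disabled"),
                "newValue": json.dumps("enabled"),
            }],
        }],
    },
]

# Assumed allowlist of identity-provider hosts this tenant is expected to federate with.
TRUSTED_IDP_HOSTS = {"idp.contoso.example", "sso.contoso.example"}


def _decode(value):
    """Audit-log old/new values are JSON-encoded strings; fall back to the raw value."""
    try:
        return json.loads(value)
    except (TypeError, ValueError):
        return value


def looks_like_discovery_url(value):
    """OIDC discovery documents are served at /.well-known/openid-configuration."""
    return isinstance(value, str) and value.rstrip("/").endswith("/.well-known/openid-configuration")


def oidc_url_changes(record):
    """Yield (old, new) pairs for every modified property whose old or new value is a discovery URL."""
    if record.get("operationName") != "Authentication Methods Policy Update":
        return
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            old, new = _decode(prop.get("oldValue")), _decode(prop.get("newValue"))
            if old != new and (looks_like_discovery_url(old) or looks_like_discovery_url(new)):
                yield old, new


def assess_change(old, new, trusted_hosts=TRUSTED_IDP_HOSTS):
    """Rate a change 'high' if the new URL is not HTTPS or its host is outside the allowlist, else 'review'."""
    parsed = urlparse(new or "")
    reasons = []
    if parsed.scheme != "https":
        reasons.append("non-https discovery url")
    if parsed.hostname not in trusted_hosts:
        reasons.append("host %r not in trusted IdP allowlist" % parsed.hostname)
    return ("high" if reasons else "review", reasons)


def detect(records, trusted_hosts=TRUSTED_IDP_HOSTS):
    """Run the detection over audit records; one finding per OIDC discovery URL change."""
    findings = []
    for record in records:
        actor = record.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown")
        for old, new in oidc_url_changes(record):
            severity, reasons = assess_change(old, new, trusted_hosts)
            findings.append({"actor": actor, "old": old, "new": new,
                             "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_AUDIT_LOGS):
        print(f["severity"].upper(), f["actor"], f["old"], "->", f["new"], f["reasons"])
```

Every change to the discovery URL yields a finding, because even a move between approved providers is worth the investigative steps the rule recommends; the allowlist and scheme checks only decide how loudly it fires. In production the same logic maps onto a query over the audit log index, with the allowlist maintained alongside the tenant's approved external authentication methods.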
Categories
- Cloud
- Identity Management
Data Sources
- User Account
- Web Credential
- Cloud Service
ATT&CK Techniques
- T1556
- T1556.009
Created: 2026-01-31