Azure AD Graph Access with Unusual User and ASN

Elastic Detection Rules

Summary
This Elastic rule identifies Azure AD Graph (graph.windows.net) requests that originate from network sources outside the major public-cloud and Microsoft ASN ranges typically associated with legitimate AAD Graph activity. Adversaries often host infrastructure on residential ISPs, VPS providers, or anonymising services, which yields an ASN distribution that differs from Microsoft, AWS, GCP, Akamai, Cloudflare, and other common legitimate ASNs. The rule ingests Azure AD Graph Activity Logs (logs-azure.aadgraphactivitylogs-*) and surfaces activity where a user is present and the source ASN falls outside a curated allowlist. It maps to MITRE ATT&CK technique T1078 (Cloud Accounts) under Initial Access, highlighting sign-ins or token use from unusual sources. The rule includes a triage path (ASN and geographic context, user behavior, and caller tooling fingerprints) and remediation guidance (token revocation, session termination, device review, and conditional access controls) to contain potential misuse. This detection focuses on unusual first-party access patterns and is designed to prompt deeper investigation into tenant-wide impact when multiple users share the same anomalous ASN within the window.
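The core condition the summary describes (an AAD Graph request, a user present, a source ASN outside the allowlist) and the triage step of counting distinct users per anomalous ASN can be replayed over a handful of records. The block below is an added illustration, not Elastic's rule code or its query. Its field names are simplified ECS-style keys chosen for the example, its allowlist is a small assumed sample of well-known cloud and CDN ASNs rather than the rule's curated list, and the log records are constructed (the anomalous ASNs are drawn from the private range so they match no real network).

```python
"""Added illustration (not Elastic's rule): replay the rule's match
condition and the "many users on one ASN" triage check over constructed
Azure AD Graph activity records.

Assumptions (not from the page): the record keys are simplified ECS-style
names, and ALLOWED_ASNS is an assumed sample; Elastic's actual allowlist is
not reproduced here.
"""
from collections import defaultdict

# Assumed sample allowlist: Microsoft, AWS, Google, Akamai, Cloudflare.
ALLOWED_ASNS = {8075, 16509, 15169, 20940, 13335}

AAD_GRAPH_HOST = "graph.windows.net"

# Constructed sample records. ASNs 64512/64513 are private-range numbers
# used here only so the examples never point at a real network.
SAMPLE_LOGS = [
    {"user.name": "alice@example.com", "source.as.number": 8075,  "url.domain": AAD_GRAPH_HOST},
    {"user.name": "bob@example.com",   "source.as.number": 64512, "url.domain": AAD_GRAPH_HOST},
    {"user.name": "carol@example.com", "source.as.number": 64512, "url.domain": AAD_GRAPH_HOST},
    # No user present (e.g. unattributed or app-only call): outside the rule's scope.
    {"user.name": None,                "source.as.number": 64512, "url.domain": AAD_GRAPH_HOST},
    # Different API host, not AAD Graph: outside the rule's scope.
    {"user.name": "dave@example.com",  "source.as.number": 64512, "url.domain": "graph.microsoft.com"},
    {"user.name": "erin@example.com",  "source.as.number": 64513, "url.domain": AAD_GRAPH_HOST},
]


def matches_rule(record, allowed=ALLOWED_ASNS):
    """True when the record is an AAD Graph request with a user present
    and a source ASN that is known and not on the allowlist."""
    if record.get("url.domain") != AAD_GRAPH_HOST:
        return False
    if not record.get("user.name"):
        return False
    asn = record.get("source.as.number")
    return asn is not None and asn not in allowed


def find_alerts(records, allowed=ALLOWED_ASNS):
    """Return the records the rule would surface."""
    return [r for r in records if matches_rule(r, allowed)]


def users_per_anomalous_asn(records, allowed=ALLOWED_ASNS):
    """Triage helper: distinct users seen per anomalous ASN. Several users
    on one unexpected ASN within the window is the tenant-wide signal the
    rule's guidance calls out (the window is assumed to be applied before
    the records reach this function)."""
    by_asn = defaultdict(set)
    for r in find_alerts(records, allowed):
        by_asn[r["source.as.number"]].add(r["user.name"])
    return {asn: sorted(users) for asn, users in by_asn.items()}


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_LOGS):
        print("alert:", hit["user.name"], "from ASN", hit["source.as.number"])
    for asn, users in users_per_anomalous_asn(SAMPLE_LOGS).items():
        flag = "shared" if len(users) > 1 else "single"
        print(f"ASN {asn}: {len(users)} user(s) [{flag}] {users}")
```

Running it flags bob, carol and erin; the record with no user and the one against graph.microsoft.com are skipped, and the per-ASN grouping shows ASN 64512 shared by two users, which is the case the summary says should prompt a look at tenant-wide impact.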
Categories
  • Cloud
  • Azure
  • Identity Management
Data Sources
  • Application Log
ATT&CK Techniques
  • T1078
  • T1078.004
Created: 2026-05-20