
Summary
This rule detects unusual activity by users of an Azure Active Directory (Azure AD) tenant who authenticate to other Azure AD tenants. Its primary goal is to identify potential unauthorized access or account abuse that may indicate a security breach, especially in multi-tenant environments. The rule examines Azure sign-in logs, specifically successful authentication events in which the user's home tenant ID matches the tenant ID recorded in the logs, while the target tenant (the tenant in which the sign-in is attempted) differs from the home tenant. A match indicates that a user is accessing an unintended tenant, which could signify an initial access tactic by an attacker. False positives may arise when the cross-tenant authentication was approved by a system administrator.
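The rule's matching logic applied to a handful of constructed sign-in records, as an added example that is not part of the original rule. The field names (home_tenant_id, log_tenant_id, resource_tenant_id, result) are assumptions modelled on Azure sign-in log columns, the tenant IDs are placeholders, and the allowlist of administrator-approved target tenants is a hypothetical way of handling the false-positive case the summary mentions.

```python
# Added example, not the rule's own implementation. Field names and the
# approved-tenant allowlist are assumptions; all records below are constructed.
from typing import Iterable, List, Dict, FrozenSet

HOME_TENANT = "11111111-1111-1111-1111-111111111111"      # our tenant (placeholder)
FOREIGN_TENANT = "22222222-2222-2222-2222-222222222222"   # placeholder
PARTNER_TENANT = "33333333-3333-3333-3333-333333333333"   # placeholder

# Constructed sample sign-in records, one per case the rule must distinguish.
SAMPLE_SIGNINS: List[Dict[str, str]] = [
    # Normal: a home user signs in to their own tenant.
    {"user": "alice", "result": "success", "home_tenant_id": HOME_TENANT,
     "log_tenant_id": HOME_TENANT, "resource_tenant_id": HOME_TENANT},
    # Suspicious: a home user successfully authenticates to a foreign tenant.
    {"user": "bob", "result": "success", "home_tenant_id": HOME_TENANT,
     "log_tenant_id": HOME_TENANT, "resource_tenant_id": FOREIGN_TENANT},
    # Failed cross-tenant attempt: the rule only considers successful sign-ins.
    {"user": "carol", "result": "failure", "home_tenant_id": HOME_TENANT,
     "log_tenant_id": HOME_TENANT, "resource_tenant_id": FOREIGN_TENANT},
    # Guest from another tenant signing in to ours: not a home user, ignored.
    {"user": "dave", "result": "success", "home_tenant_id": FOREIGN_TENANT,
     "log_tenant_id": HOME_TENANT, "resource_tenant_id": HOME_TENANT},
    # Administrator-approved cross-tenant access: the documented false positive.
    {"user": "erin", "result": "success", "home_tenant_id": HOME_TENANT,
     "log_tenant_id": HOME_TENANT, "resource_tenant_id": PARTNER_TENANT},
    # Malformed record with a missing field: must not crash or match.
    {"user": "frank", "result": "success", "home_tenant_id": HOME_TENANT},
]


def matches_rule(event: Dict[str, str]) -> bool:
    """True when a successful sign-in by a home-tenant user targets another tenant."""
    try:
        home = event["home_tenant_id"]
        logged = event["log_tenant_id"]
        resource = event["resource_tenant_id"]
    except KeyError:
        return False  # incomplete record: leave it for data-quality review
    if event.get("result") != "success":
        return False
    return home == logged and resource != home


def find_cross_tenant_signins(events: Iterable[Dict[str, str]],
                              approved: FrozenSet[str] = frozenset()) -> List[str]:
    """Return the users whose sign-ins match the rule, minus approved targets."""
    return [e["user"] for e in events
            if matches_rule(e) and e["resource_tenant_id"] not in approved]


if __name__ == "__main__":
    print("raw matches:", find_cross_tenant_signins(SAMPLE_SIGNINS))
    print("after allowlist:",
          find_cross_tenant_signins(SAMPLE_SIGNINS, frozenset({PARTNER_TENANT})))
```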
Categories
- Cloud
- Azure
- Identity Management
Data Sources
- User Account
- Logon Session
- Application Log
Created: 2022-06-30