
External Authentication Method Addition or Modification in Entra ID
Elastic Detection Rules
Summary
This rule detects the addition or modification of external authentication methods (EAM) in Microsoft Entra ID, which adversaries can exploit to bypass multi-factor authentication (MFA) and gain unauthorized access to user accounts. The detection leverages Microsoft Graph API logs, focusing on actions that indicate configuration changes, in particular requests using the PATCH method that alter the authentication methods policy. Key investigation tasks include validating the action through the event logs, confirming the user identity and application ID, examining the request origin, and checking whether privileged scopes were used in the modification. The rule also includes guidelines for assessing false positives, since legitimate administrative changes may trigger alerts. Response strategies emphasize verifying that the change was authorized, monitoring for repeat activity, and applying stricter access policies to mitigate future risk.
Categories
- Identity Management
- Cloud
- Application
Data Sources
- Cloud Service
- Active Directory
- Application Log
ATT&CK Techniques
- T1556
- T1556.009
Created: 2025-07-14