
Summary
This rule is designed to detect suspicious OAuth 2.0 token requests issued by the Microsoft Authentication Broker that target the Device Registration Service (ADRS). The presence of the adrs_access scope in the authentication details indicates an unusual access attempt against ADRS, which could signify abuse such as unauthorized persistence through the acquisition of a Primary Refresh Token (PRT). The rule queries Azure sign-in logs for events where the app ID and resource ID match the Microsoft Authentication Broker and the Device Registration Service respectively. It also requires that the request use a refresh token and be issued by a Member user type, which filters out standard sign-ins and reduces false positives. The rule includes investigation steps to verify the authenticity of the token request and suggests mitigating actions if unauthorized access is confirmed, including revoking access tokens, reviewing sign-in activity, and enforcing MFA for the affected user accounts.
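The following is an added example, not the rule's own query, showing the matching conditions described above applied to constructed Azure sign-in records in plain Python. The field names (app_id, resource_id, incoming_token_type, user_type, authentication_details) and the sample events are assumptions made for the illustration; the two application IDs are the well-known Microsoft first-party IDs for the Authentication Broker and the Device Registration Service as documented by Microsoft, not values taken from this page.

```python
"""Toy re-implementation of the detection logic: broker app -> ADRS resource,
refresh-token grant, Member user type, and the adrs_access scope present."""

from typing import Any

# Well-known Microsoft first-party application IDs (assumed from Microsoft
# documentation, not from the rule page; verify them against your own tenant).
MS_AUTH_BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"
DEVICE_REGISTRATION_SERVICE_ID = "01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9"


def _scopes_in_details(details: list[dict[str, Any]]) -> set[str]:
    """Collect whitespace-separated scope tokens from every string value in the
    authentication details, so 'adrs_access' is matched as a whole token rather
    than as a loose substring."""
    scopes: set[str] = set()
    for entry in details:
        for value in entry.values():
            if isinstance(value, str):
                scopes.update(value.split())
    return scopes


def is_suspicious_adrs_token_request(event: dict[str, Any]) -> bool:
    """Return True only when all of the rule's conditions hold for one event."""
    if event.get("app_id") != MS_AUTH_BROKER_APP_ID:
        return False
    if event.get("resource_id") != DEVICE_REGISTRATION_SERVICE_ID:
        return False
    if event.get("incoming_token_type") != "refreshToken":
        return False
    if event.get("user_type") != "Member":
        return False
    return "adrs_access" in _scopes_in_details(event.get("authentication_details") or [])


def find_matches(events: list[dict[str, Any]]) -> list[str]:
    """Return the ids of all events that should raise an alert."""
    return [e["id"] for e in events if is_suspicious_adrs_token_request(e)]


# Constructed sample sign-in records (hypothetical field layout, not real log data).
SAMPLE_EVENTS = [
    {   # matches every condition: should alert
        "id": "evt-1",
        "user": "alice@example.test",
        "app_id": MS_AUTH_BROKER_APP_ID,
        "resource_id": DEVICE_REGISTRATION_SERVICE_ID,
        "incoming_token_type": "refreshToken",
        "user_type": "Member",
        "authentication_details": [{"requested_scopes": "openid adrs_access"}],
    },
    {   # guest account: the rule only looks at Member users
        "id": "evt-2",
        "user": "bob_external#EXT#@example.test",
        "app_id": MS_AUTH_BROKER_APP_ID,
        "resource_id": DEVICE_REGISTRATION_SERVICE_ID,
        "incoming_token_type": "refreshToken",
        "user_type": "Guest",
        "authentication_details": [{"requested_scopes": "adrs_access"}],
    },
    {   # interactive primary sign-in, not a refresh-token grant
        "id": "evt-3",
        "user": "carol@example.test",
        "app_id": MS_AUTH_BROKER_APP_ID,
        "resource_id": DEVICE_REGISTRATION_SERVICE_ID,
        "incoming_token_type": "none",
        "user_type": "Member",
        "authentication_details": [{"requested_scopes": "adrs_access"}],
    },
    {   # broker to ADRS with a refresh token but without the adrs_access scope
        "id": "evt-4",
        "user": "dave@example.test",
        "app_id": MS_AUTH_BROKER_APP_ID,
        "resource_id": DEVICE_REGISTRATION_SERVICE_ID,
        "incoming_token_type": "refreshToken",
        "user_type": "Member",
        "authentication_details": [{"requested_scopes": "openid profile"}],
    },
]

if __name__ == "__main__":
    print("alerting events:", find_matches(SAMPLE_EVENTS))
```

Only evt-1 is flagged; the other three records each fail exactly one of the rule's conditions, which is a useful set of cases to keep as regression tests when tuning the rule against your own sign-in log schema.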
Categories
- Cloud
- Identity Management
- Other
Data Sources
- User Account
- Cloud Service
- Application Log
- Network Traffic
ATT&CK Techniques
- T1098
- T1098.005
Created: 2025-06-13