
Summary
This detection rule identifies potentially unauthorized access to Microsoft Entra ID accounts when a user signs in from a device that is atypical for that user. It compares the device used for a sign-in against the user's established pattern of device usage, drawing on Microsoft Entra ID Sign-In logs to analyze the unique device ID, the incoming token type, the authentication category, and the geographic location of the sign-in. A recent sign-in that deviates from the expected pattern may indicate account compromise, particularly when it comes from a device the user has never used before or from an unusual geographic location.

Beyond flagging potentially compromised accounts, the rule outlines investigation steps for security teams, such as checking device details, the user's risk level, and the applications used during the sign-in. It accounts for the risk of false positives, since legitimate users may sign in from new devices, and recommends tuning the detection thresholds accordingly. Once a sign-in is judged suspicious, the rule prescribes immediate response actions: revoking access tokens, disabling the account, and reviewing the user's recent activity for further signs of compromise.
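As an added illustration (not the rule's own query), the following Python models the rule's core logic offline: it builds a per-user baseline of device IDs and countries from constructed Entra ID sign-in records, then flags recent sign-ins from a device the user has never used, carrying the token type, authentication category and new-country flag as investigation context. The field names and the min_history threshold are assumptions, not the rule's schema.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in records (not real log data); field names are
# assumptions modelled on the Entra ID Sign-In log, not the rule's own schema.
SIGN_INS = [
    {"user": "alice", "device_id": "dev-a1", "country": "US", "token_type": "none",
     "auth_category": "primary", "time": "2025-05-01T09:00:00Z"},
    {"user": "alice", "device_id": "dev-a1", "country": "US", "token_type": "none",
     "auth_category": "primary", "time": "2025-05-20T09:00:00Z"},
    {"user": "alice", "device_id": "dev-a2", "country": "US", "token_type": "none",
     "auth_category": "primary", "time": "2025-05-25T09:00:00Z"},
    {"user": "bob", "device_id": "dev-b1", "country": "DE", "token_type": "none",
     "auth_category": "primary", "time": "2025-05-30T09:00:00Z"},
    # Recent: alice from a never-seen device and country, using a refresh token.
    {"user": "alice", "device_id": "dev-zz", "country": "NG", "token_type": "refreshToken",
     "auth_category": "nonInteractive", "time": "2025-06-15T03:00:00Z"},
    # Recent: alice from a known device, so not flagged.
    {"user": "alice", "device_id": "dev-a2", "country": "US", "token_type": "none",
     "auth_category": "primary", "time": "2025-06-15T10:00:00Z"},
    # Recent: bob from a new device, but bob has too little history to baseline.
    {"user": "bob", "device_id": "dev-b9", "country": "DE", "token_type": "none",
     "auth_category": "primary", "time": "2025-06-15T11:00:00Z"},
]

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def atypical_device_signins(records, window_start, min_history=2):
    """Flag sign-ins at/after window_start whose device ID the user never used
    before the window. Users with fewer than min_history baseline sign-ins are
    skipped: this is the tuning knob for the new-user false positive."""
    start = _ts(window_start)
    devices, countries, counts = defaultdict(set), defaultdict(set), defaultdict(int)
    for r in records:  # baseline: sign-ins before the window with a device ID
        if _ts(r["time"]) < start and r["device_id"]:
            devices[r["user"]].add(r["device_id"])
            countries[r["user"]].add(r["country"])
            counts[r["user"]] += 1
    alerts = []
    for r in records:  # detection window: compare each recent sign-in to baseline
        u = r["user"]
        if _ts(r["time"]) < start or not r["device_id"] or counts[u] < min_history:
            continue
        if r["device_id"] in devices[u]:
            continue
        alerts.append({"user": u, "device_id": r["device_id"], "time": r["time"],
                       "new_country": r["country"] not in countries[u],
                       "token_type": r["token_type"], "auth_category": r["auth_category"]})
    return alerts

if __name__ == "__main__":
    for alert in atypical_device_signins(SIGN_INS, "2025-06-01T00:00:00Z"):
        print(alert)
```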
Categories
- Cloud
- Identity Management
- Application
- Endpoint
Data Sources
- User Account
- Cloud Service
- Application Log
- Process
ATT&CK Techniques
- T1098
- T1098.005
- T1078
- T1078.004
Created: 2025-06-16