
Summary
This detection rule identifies potential unauthorized access via device code authentication with an Azure broker client for Microsoft Entra ID. Attackers can abuse Primary Refresh Tokens (PRTs), which are leveraged in Conditional Access policies, to bypass multi-factor authentication (MFA) and gain access to Azure resources. The rule monitors sign-ins that successfully use device code authentication with a specific application ID (29d9ed98-a469-4536-ade2-f981bc1d605e). It uses Azure Activity and Sign-In logs to evaluate credentials used in potentially malicious contexts, lists key investigation steps, and emphasizes reviewing the associated user account's behavior for deviations from normal activity. It also accounts for common false positives from legitimate uses of device code authentication and outlines the response actions needed to remediate detected threats.
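The matching logic the summary describes, run over a few constructed sign-in records, as an added example that is not the rule's own query: it keeps only successful sign-ins whose authentication protocol is device code and whose application ID is the broker client ID given above, then separates matches for users with no prior device code history (the investigation step the summary calls for) from users who routinely sign in this way (the false-positive case). The JSON field layout (event.* and azure.signinlogs.properties.*) and the sample records are assumptions for this example.

```python
import json
from typing import Any, Dict, List, Optional, Set

# Application ID named in the rule summary (Azure broker client for Entra ID).
BROKER_CLIENT_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"

# Constructed sample sign-in records as JSON lines. The field layout (ECS-style
# event.* and azure.signinlogs.properties.*) is an assumption for this example;
# map it to whatever your log pipeline actually emits. One line is deliberately
# malformed to exercise the parser's error handling.
SAMPLE_SIGNIN_LOGS = """
{"@timestamp": "2024-06-24T10:01:00Z", "event": {"dataset": "azure.signinlogs", "outcome": "success"}, "azure": {"signinlogs": {"properties": {"user_principal_name": "alice@example.com", "app_id": "29d9ed98-a469-4536-ade2-f981bc1d605e", "authentication_protocol": "deviceCode", "ip_address": "203.0.113.10"}}}}
{"@timestamp": "2024-06-24T10:02:00Z", "event": {"dataset": "azure.signinlogs", "outcome": "failure"}, "azure": {"signinlogs": {"properties": {"user_principal_name": "bob@example.com", "app_id": "29d9ed98-a469-4536-ade2-f981bc1d605e", "authentication_protocol": "deviceCode", "ip_address": "203.0.113.11"}}}}
{"@timestamp": "2024-06-24T10:03:00Z", "event": {"dataset": "azure.signinlogs", "outcome": "success"}, "azure": {"signinlogs": {"properties": {"user_principal_name": "carol@example.com", "app_id": "00000000-0000-0000-0000-000000000001", "authentication_protocol": "deviceCode", "ip_address": "203.0.113.12"}}}}
{"@timestamp": "2024-06-24T10:04:00Z", "event": {"dataset": "azure.signinlogs", "outcome": "success"}, "azure": {"signinlogs": {"properties": {"user_principal_name": "dave@example.com", "app_id": "29d9ed98-a469-4536-ade2-f981bc1d605e", "authentication_protocol": "ropc", "ip_address": "203.0.113.13"}}}}
not valid json - a truncated line from the collector
{"@timestamp": "2024-06-24T10:05:00Z", "event": {"dataset": "azure.signinlogs", "outcome": "success"}, "azure": {"signinlogs": {"properties": {"user_principal_name": "frank@example.com", "app_id": "29D9ED98-A469-4536-ADE2-F981BC1D605E", "authentication_protocol": "deviceCode", "ip_address": "198.51.100.7"}}}}
"""


def _get(record: Dict[str, Any], path: str, default: Optional[Any] = None) -> Any:
    """Look up a dotted path in a nested dict, returning default if any step is missing."""
    cur: Any = record
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def is_broker_device_code_signin(record: Dict[str, Any]) -> bool:
    """True when a record is a successful device code sign-in via the broker client app ID."""
    props = "azure.signinlogs.properties."
    app_id = _get(record, props + "app_id") or ""
    return (
        _get(record, "event.dataset") in ("azure.signinlogs", "azure.activitylogs")
        and _get(record, "event.outcome") == "success"
        and _get(record, props + "authentication_protocol") == "deviceCode"
        # App IDs are GUIDs; compare case-insensitively so a differently cased
        # value from another collector still matches.
        and app_id.lower() == BROKER_CLIENT_APP_ID
    )


def find_matches(jsonl: str) -> List[Dict[str, Optional[str]]]:
    """Parse JSON lines, skip malformed ones, and return the matching sign-ins."""
    matches: List[Dict[str, Optional[str]]] = []
    props = "azure.signinlogs.properties."
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # a dropped line is logged by a real pipeline; here we just skip it
        if is_broker_device_code_signin(record):
            matches.append(
                {
                    "timestamp": _get(record, "@timestamp"),
                    "user": _get(record, props + "user_principal_name"),
                    "ip": _get(record, props + "ip_address"),
                }
            )
    return matches


def users_needing_investigation(
    matches: List[Dict[str, Optional[str]]], known_device_code_users: Set[str]
) -> List[str]:
    """Return matched users with no established history of device code sign-ins.

    known_device_code_users is a constructed baseline standing in for the
    historical sign-in data an analyst would consult; users in it are the
    legitimate-use false positives the rule summary warns about.
    """
    seen: List[str] = []
    for m in matches:
        user = m["user"]
        if user and user not in known_device_code_users and user not in seen:
            seen.append(user)
    return seen


if __name__ == "__main__":
    hits = find_matches(SAMPLE_SIGNIN_LOGS)
    for h in hits:
        print(f"{h['timestamp']} {h['user']} from {h['ip']}")
    # Constructed baseline: alice is known to use device code flows routinely.
    print("investigate:", users_needing_investigation(hits, {"alice@example.com"}))
```

Only the first and last sample records match: bob's attempt failed, carol's sign-in used a different application ID, and dave authenticated with a different protocol. With alice in the baseline, only frank is left for investigation; in practice the baseline would come from the account's own sign-in history rather than a hard-coded set.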
Categories
- Cloud
- Identity Management
Data Sources
- Logon Session
- Network Traffic
ATT&CK Techniques
- T1528
Created: 2024-06-24