
Summary
This rule detects modifications to the redirect URIs (ReplyUrls) of OAuth application registrations in Microsoft Entra ID (Azure AD) by inspecting Azure audit logs. Adding an attacker-controlled redirect URI to an existing trusted application lets the attacker intercept OAuth authorization codes during users' normal login flows, enabling token theft without a new application registration or a consent event.

The detection targets updated application registrations in which the redirect URI property (ReplyUrls/AppAddress) was modified, as captured in Entra ID audit events. The approach compares the old and new values of the modified property and correlates the change with the initiating actor, the hosting of the newly added URI's domain, and the application's permissions to assess risk. The rule maps to the MITRE techniques for modifying authentication (T1556) and stealing access tokens (T1528), under the Persistence and Credential Access tactics. It carries a risk score of 47 and medium severity, with guidance for triage, investigation, and response.

False positives include localhost/loopback URIs used for development and CI/CD-driven URI updates; these should be evaluated against the application's sensitivity and ownership. Remediation steps advise removing unauthorized redirect URIs, revoking tokens issued since the modification, and reviewing sign-ins for unusual activity. If an externally controlled URI was added, treat it as a potential token compromise: revoke tokens and notify the affected users.
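As an added illustration (not part of the rule or its source), the following applies the old-vs-new comparison described above to constructed Entra ID audit events: it diffs the AppAddress property, drops the documented loopback false-positive case, and reports the remaining additions together with the initiating actor. The event field layout and the JSON encoding of the AppAddress value are assumptions made for this example.

```python
import json
from urllib.parse import urlparse

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

def encode_reply_urls(uris):
    """Encode URIs the way the AppAddress property is assumed to carry them (JSON string)."""
    return json.dumps([{"Address": u, "AddressType": "Reply"} for u in uris])

def reply_urls(value):
    """Decode a JSON-encoded AppAddress value into the set of Reply-type URIs."""
    return {e["Address"] for e in json.loads(value or "[]") if e.get("AddressType") == "Reply"}

def is_loopback(uri):
    """True for localhost/loopback redirect URIs, the documented benign development case."""
    return (urlparse(uri).hostname or "") in LOOPBACK_HOSTS

def detect_redirect_uri_additions(events):
    """Diff old vs. new ReplyUrls per audit event; report non-loopback additions with the actor."""
    findings = []
    for ev in events:
        if ev.get("activityDisplayName") != "Update application":
            continue
        actor = ev.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown")
        for target in ev.get("targetResources", []):
            for prop in target.get("modifiedProperties", []):
                if prop.get("displayName") != "AppAddress":
                    continue
                added = reply_urls(prop.get("newValue")) - reply_urls(prop.get("oldValue"))
                external = sorted(u for u in added if not is_loopback(u))
                if external:
                    findings.append({"actor": actor, "app": target.get("displayName"), "added": external})
    return findings

def _event(actor, old, new):
    """Constructed Entra ID 'Update application' audit event (field layout is an assumption)."""
    return {"activityDisplayName": "Update application",
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"displayName": "payroll-portal", "modifiedProperties": [
                {"displayName": "AppAddress", "oldValue": encode_reply_urls(old),
                 "newValue": encode_reply_urls(new)}]}]}

TRUSTED = "https://payroll.example.test/auth/callback"
SAMPLE_EVENTS = [  # constructed sample data
    # a developer adds a loopback URI: the documented benign case, no finding
    _event("dev@example.test", [TRUSTED], [TRUSTED, "http://localhost:3000/cb"]),
    # an external host is appended to a trusted app's redirect URIs: finding
    _event("helpdesk@example.test", [TRUSTED], [TRUSTED, "https://unverified.example-cdn.test/cb"]),
]
```

Running `detect_redirect_uri_additions(SAMPLE_EVENTS)` yields one finding for the second event, which is the point at which the actor, the new domain's hosting and the application's permissions would be reviewed.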
Categories
- Cloud
- Identity Management
- Application
Data Sources
- Application Log
ATT&CK Techniques
- T1556
- T1528
Created: 2026-05-20