
Summary
This detection rule monitors Azure Active Directory (Azure AD) for a previously disabled user account that is enabled and then has its password reset in rapid sequence (within 2 minutes). This pattern is worth observing because it may indicate an adversary with administrative privileges attempting to create or regain backdoor access to a system. The rule uses Azure AD's operational (audit) logs to track the enable and password reset operations, and applies a transaction framework so that the order and timing of the events are captured accurately. By correlating the operations 'Enable account', 'Reset password (by admin)', and 'Update user' on the same target user, this analytic identifies potential compromises that could lead to unauthorized access and the exfiltration of sensitive data.
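The enable-then-reset transaction described above, written out as an added example rather than the rule's own search logic: a Python emulation of a per-user transaction that opens at 'Enable account', absorbs any 'Update user' events, and closes at the first 'Reset password (by admin)' within the 2-minute window. It assumes the Azure AD audit log field names operationName, activityDateTime, initiatedBy.user.userPrincipalName and targetResources[].userPrincipalName; the sample events are constructed, not real log data.

```python
from datetime import datetime, timedelta

def ev(ts, op, actor, target):
    """Build a constructed Azure AD audit event in the assumed field layout."""
    return {"activityDateTime": ts, "operationName": op,
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"userPrincipalName": target}]}

SAMPLE_EVENTS = [  # constructed sample data
    ev("2024-11-14T10:00:05Z", "Enable account", "admin@example.com", "svc-old@example.com"),
    ev("2024-11-14T10:00:06Z", "Update user", "admin@example.com", "svc-old@example.com"),
    ev("2024-11-14T10:01:30Z", "Reset password (by admin)", "admin@example.com", "svc-old@example.com"),
    # benign: same two operations on another account, but hours apart (outside the window)
    ev("2024-11-14T08:00:00Z", "Enable account", "helpdesk@example.com", "jdoe@example.com"),
    ev("2024-11-14T11:00:00Z", "Reset password (by admin)", "helpdesk@example.com", "jdoe@example.com"),
]

START_OP, END_OP, MAXSPAN = "Enable account", "Reset password (by admin)", timedelta(minutes=2)

def _ts(e): return datetime.strptime(e["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ")
def _target(e): return e["targetResources"][0]["userPrincipalName"]

def find_enable_then_reset(events, maxspan=MAXSPAN):
    """Per target user: start a transaction at START_OP, end it at the first END_OP
    within maxspan. Returns one finding per completed sequence."""
    findings, by_user = [], {}
    for e in sorted(events, key=_ts):
        by_user.setdefault(_target(e), []).append(e)
    for user, seq in by_user.items():
        open_txn = None
        for e in seq:
            if e["operationName"] == START_OP:
                open_txn = [e]            # (re)start the transaction at the enable
            elif open_txn is not None:
                if _ts(e) - _ts(open_txn[0]) > maxspan:
                    open_txn = None       # window expired without a reset: discard
                    continue
                open_txn.append(e)        # 'Update user' and the reset join the sequence
                if e["operationName"] == END_OP:
                    findings.append({
                        "user": user,
                        "initiated_by": open_txn[0]["initiatedBy"]["user"]["userPrincipalName"],
                        "operations": [x["operationName"] for x in open_txn],
                        "duration_s": (_ts(e) - _ts(open_txn[0])).total_seconds()})
                    open_txn = None
    return findings
```

Running `find_enable_then_reset(SAMPLE_EVENTS)` yields a single finding for svc-old@example.com (85 seconds, enable, update, reset) and nothing for jdoe@example.com.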
Categories
- Cloud
- Azure
- Identity Management
Data Sources
- Pod
- Container
- User Account
- Active Directory
- Cloud Service
- Application Log
ATT&CK Techniques
- T1098
Created: 2024-11-14