
Summary
This detection rule identifies changes to user risk and Multi-Factor Authentication (MFA) registration policies within Azure services. Attackers can use such modifications to bypass MFA or weaken security thresholds, which facilitates unauthorized access, persistence within systems, and further attacks. The rule captures policy-update events logged by the Azure Active Directory (AAD) Management User Experience, specifically tracking operations that modify user risk and MFA policies. Alerting on these modifications is essential for maintaining security integrity and responding proactively to potential risks.
Categories
- Cloud
- Azure
- Identity Management
Data Sources
- User Account
- Application Log
Created: 2024-08-13