
Summary
This analytic detection rule monitors Azure Active Directory (Azure AD) audit logs for new Multi-Factor Authentication (MFA) methods registered on user accounts. Using the `azure_monitor_aad` data source, it identifies any change to a user account's MFA configuration, specifically any audit event in which the `StrongAuthenticationMethod` property changes. Such registrations matter because adding a new MFA method may indicate an attacker securing continued access to a compromised account: once their own method is registered, they could bypass existing security measures, maintain persistence, escalate privileges, access sensitive data, or perform unauthorized changes. Flagging these events lets administrators verify each registration promptly and remediate affected accounts.
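As an added example (not the rule's own search logic and not code from the original page), the following Python applies the same detection idea to constructed Azure AD audit records: it keeps only `Update user` events whose modified property is `StrongAuthenticationMethod`, diffs the old and new method sets, and emits a finding only when a method was actually added, together with the initiating account and source IP a responder would want for triage. The record layout (`targetResources[].modifiedProperties[]` entries carrying JSON-encoded `oldValue`/`newValue` lists of `MethodType` ids), the helper names, and every sample value are assumptions of this example.

```python
"""Flag Azure AD audit events in which a user's StrongAuthenticationMethod
set gained a new MFA method, and report who made the change."""
import json
from typing import Any, Dict, List, Optional, Set

# Constructed sample audit-log records (not real tenant data). The layout,
# operationName plus targetResources[].modifiedProperties[] entries whose
# oldValue/newValue hold JSON-encoded strings, is this example's assumption
# about the Azure AD audit-log schema, not something taken from the page.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # A second method (type 3) added and made default: should alert.
        "time": "2024-11-14T10:02:11Z",
        "operationName": "Update user",
        "initiatedBy": {"user": {"userPrincipalName": "alice@example.test",
                                 "ipAddress": "203.0.113.10"}},
        "targetResources": [{
            "userPrincipalName": "alice@example.test",
            "modifiedProperties": [{
                "displayName": "StrongAuthenticationMethod",
                "oldValue": json.dumps([{"MethodType": 6, "Default": True}]),
                "newValue": json.dumps([{"MethodType": 6, "Default": False},
                                        {"MethodType": 3, "Default": True}]),
            }],
        }],
    },
    {   # First-ever registration: oldValue is empty. Should alert.
        "time": "2024-11-14T10:05:40Z",
        "operationName": "Update user",
        "initiatedBy": {"user": {"userPrincipalName": "bob@example.test",
                                 "ipAddress": "198.51.100.7"}},
        "targetResources": [{
            "userPrincipalName": "bob@example.test",
            "modifiedProperties": [{
                "displayName": "StrongAuthenticationMethod",
                "oldValue": "",
                "newValue": json.dumps([{"MethodType": 5, "Default": True}]),
            }],
        }],
    },
    {   # Unrelated attribute change: must not alert.
        "time": "2024-11-14T10:07:02Z",
        "operationName": "Update user",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.test",
                                 "ipAddress": "192.0.2.5"}},
        "targetResources": [{
            "userPrincipalName": "carol@example.test",
            "modifiedProperties": [{
                "displayName": "Department",
                "oldValue": json.dumps(["Sales"]),
                "newValue": json.dumps(["Finance"]),
            }],
        }],
    },
    {   # Method removed only: a change, but not a new registration.
        "time": "2024-11-14T10:09:15Z",
        "operationName": "Update user",
        "initiatedBy": {"user": {"userPrincipalName": "dave@example.test",
                                 "ipAddress": "203.0.113.44"}},
        "targetResources": [{
            "userPrincipalName": "dave@example.test",
            "modifiedProperties": [{
                "displayName": "StrongAuthenticationMethod",
                "oldValue": json.dumps([{"MethodType": 6, "Default": True},
                                        {"MethodType": 3, "Default": False}]),
                "newValue": json.dumps([{"MethodType": 6, "Default": True}]),
            }],
        }],
    },
]


def _methods(value: Optional[str]) -> Set[int]:
    """Parse a StrongAuthenticationMethod value into the set of MethodType ids.
    Empty/None (no methods yet) and malformed JSON both yield an empty set so
    one odd record cannot abort the whole batch."""
    if not value:
        return set()
    try:
        entries = json.loads(value)
    except json.JSONDecodeError:
        return set()
    return {e["MethodType"] for e in entries
            if isinstance(e, dict) and "MethodType" in e}


def find_new_mfa_methods(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one finding per event that added at least one MFA method."""
    findings = []
    for ev in events:
        if ev.get("operationName") != "Update user":
            continue
        actor = ev.get("initiatedBy", {}).get("user", {})
        for target in ev.get("targetResources", []):
            for prop in target.get("modifiedProperties", []):
                if prop.get("displayName") != "StrongAuthenticationMethod":
                    continue
                old = _methods(prop.get("oldValue"))
                new = _methods(prop.get("newValue"))
                added = new - old
                if not added:
                    continue  # removal or reorder only; not a new registration
                findings.append({
                    "time": ev.get("time"),
                    "target": target.get("userPrincipalName"),
                    "initiator": actor.get("userPrincipalName"),
                    "src_ip": actor.get("ipAddress"),
                    "added_methods": sorted(added),
                    "removed_methods": sorted(old - new),
                    "first_registration": not old,
                })
    return findings


if __name__ == "__main__":
    for finding in find_new_mfa_methods(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, only the alice and bob records produce findings; the department change and the method removal are ignored. The `first_registration` flag and the `initiator`/`target` pair are what distinguish a user enrolling their own first method from a third party (or a newly compromised session) adding a method to an existing account, which is the case most worth escalating.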
Categories
- Identity Management
- Cloud
Data Sources
- Cloud Service
ATT&CK Techniques
- T1098
- T1098.005
Created: 2024-11-14