
Azure Device Code Authentication with Broker Client

Panther Rules

Summary
The Azure Device Code Authentication with Broker Client detection rule identifies potential abuse of device code authentication through the Microsoft Broker Client. The device code flow lets a user sign in to an application without entering a username and password on that device, and adversaries can exploit it. The rule monitors Azure Audit logs for attributes indicating that a sign-in used the Microsoft Broker Client (app ID 29d9ed98-a469-4536-ade2-f981bc1d605e). The device code flow combined with this client may signal unauthorized access, specifically Primary Refresh Token (PRT) theft or replay, which can evade MFA and Conditional Access controls. Tracking these events lets security teams respond to possible phishing attacks or credential misuse. Organizations should investigate unusual device code authentication patterns involving this client and confirm that the user recognizes the device used in such sign-ins.
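As an added example (not the rule code from Panther's page), a Panther-style `rule()` that implements the check the summary describes: the broker client app ID from the page seen together with the device code protocol. The events are plain dicts, and the field names under `properties` and the sample events are assumptions modelled on the Microsoft Graph signIn schema.

```python
# Added example; not the rule code from Panther's page. Field names under
# "properties" are assumptions modelled on the Microsoft Graph signIn schema.

# App ID of the Microsoft Broker Client, as stated on the page.
BROKER_CLIENT_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"


def deep_get(obj, *keys, default=None):
    """Walk nested dicts by key; return default when any key is missing."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def rule(event):
    """Fire only when the broker client app ID and the device code
    protocol appear together (both compared case-insensitively)."""
    app_id = str(deep_get(event, "properties", "appId", default="")).lower()
    proto = str(deep_get(event, "properties", "authenticationProtocol", default="")).lower()
    return app_id == BROKER_CLIENT_APP_ID and proto == "devicecode"


def title(event):
    """Alert title naming the user and source IP so triage can confirm
    whether the user recognizes the device behind this sign-in."""
    user = deep_get(event, "properties", "userPrincipalName", default="<unknown user>")
    ip = deep_get(event, "properties", "ipAddress", default="<unknown ip>")
    return f"Device code sign-in via Microsoft Broker Client: {user} from {ip}"


# Constructed sample events for offline testing; not real log data.
SAMPLE_EVENTS = [
    {"properties": {"appId": BROKER_CLIENT_APP_ID.upper(),  # broker + device code: alert
                    "authenticationProtocol": "deviceCode",
                    "userPrincipalName": "alice@example.com",
                    "ipAddress": "203.0.113.10"}},
    {"properties": {"appId": BROKER_CLIENT_APP_ID,  # broker, interactive sign-in: no alert
                    "authenticationProtocol": "none",
                    "userPrincipalName": "alice@example.com"}},
    {"properties": {"appId": "00000000-0000-0000-0000-000000000000",  # other app: no alert
                    "authenticationProtocol": "deviceCode"}},
]


def evaluate(events=SAMPLE_EVENTS):
    """Return the alert titles produced by running rule() over the events."""
    return [title(e) for e in events if rule(e)]
```

Only the first sample fires; the second shows that broker client use alone is not enough, and the third that device code use with another app is outside this rule's scope.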
Categories
  • Cloud
  • Azure
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Logon Session
  • Network Traffic
ATT&CK Techniques
  • T1566
  • T1566.002
  • T1550
  • T1550.001
  • T1078
  • T1078.004
Created: 2026-01-31