
Summary
This detection rule analyzes Azure Active Directory logs to monitor for the disabling of the "risk-based step-up consent" setting in Microsoft 365. Specifically, it focuses on operations that change the 'AllowUserConsentForRiskyApps' parameter, which is crucial for preventing unauthorized access to user data through OAuth-related phishing attacks. If this setting is disabled, users could unknowingly grant permissions to malicious applications, exposing sensitive data and compromising organizational security. The rule uses Office 365 management activity events and applies a search query to identify when administrators have modified the setting. Alerts generated by this rule require careful validation to distinguish legitimate administrative changes from potential security risks.
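As an added example (not the rule's own search or any Microsoft code), the Python below applies the same logic to constructed Office 365 management activity records: the operation name "Update authorization policy.", the list-encoded OldValue/NewValue strings and the sample user names are assumptions about the audit record shape, and disabling risk-based step-up consent is read as AllowUserConsentForRiskyApps flipping to true.

```python
import json

# Constructed sample Office 365 Management Activity records (AzureActiveDirectory
# workload), not real tenant data. Operation name and list-encoded values are
# assumptions about the record shape; the property name comes from the rule.
OP = "Update authorization policy."
SAMPLE_EVENTS = [
    # Step-up consent disabled: the flag flips false -> true. Should alert.
    {"Workload": "AzureActiveDirectory", "Operation": OP, "UserId": "admin@example.onmicrosoft.com",
     "ResultStatus": "Success", "ModifiedProperties": [{"Name": "AllowUserConsentForRiskyApps",
     "OldValue": "[\r\n  false\r\n]", "NewValue": "[\r\n  true\r\n]"}]},
    # Same operation, an unrelated authorization-policy property changed. No alert.
    {"Workload": "AzureActiveDirectory", "Operation": OP, "UserId": "admin@example.onmicrosoft.com",
     "ResultStatus": "Success", "ModifiedProperties": [{"Name": "BlockMsolPowerShell",
     "OldValue": "[\r\n  false\r\n]", "NewValue": "[\r\n  true\r\n]"}]},
    # Step-up consent re-enabled (true -> false). No alert.
    {"Workload": "AzureActiveDirectory", "Operation": OP, "UserId": "secops@example.onmicrosoft.com",
     "ResultStatus": "Success", "ModifiedProperties": [{"Name": "AllowUserConsentForRiskyApps",
     "OldValue": "[\r\n  true\r\n]", "NewValue": "[\r\n  false\r\n]"}]},
    # Different workload; skipped before any property inspection.
    {"Workload": "Exchange", "Operation": "Set-Mailbox", "UserId": "admin@example.onmicrosoft.com"},
]


def as_bool(raw):
    """Normalize Old/NewValue: usually a JSON-encoded one-element list such as "[ true ]"."""
    try:
        value = json.loads(raw)
    except (TypeError, ValueError):
        value = raw  # not JSON (or missing): compare the raw value as text
    if isinstance(value, list) and len(value) == 1:
        value = value[0]
    return str(value).strip().lower() == "true"


def detect_step_up_consent_disabled(events):
    """One finding per record that sets AllowUserConsentForRiskyApps to true (step-up off)."""
    findings = []
    for event in events:
        if event.get("Workload") != "AzureActiveDirectory" or event.get("Operation") != OP:
            continue
        for prop in event.get("ModifiedProperties", []):
            if prop.get("Name") != "AllowUserConsentForRiskyApps":
                continue
            # Alert only on a real flip to true; a true -> true rewrite is not a disable.
            if as_bool(prop.get("NewValue")) and not as_bool(prop.get("OldValue")):
                findings.append({"user": event.get("UserId"), "result": event.get("ResultStatus"),
                                 "setting": prop["Name"], "new_value": True})
    return findings
```

Each finding carries the acting user and result status so the analyst can match it against a change ticket, which is the validation step the rule description calls for.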
Categories
- Cloud
- Identity Management
- Application
Data Sources
- Pod
- User Account
- Cloud Service
ATT&CK Techniques
- T1562
Created: 2024-11-14