
Summary
This rule detects sign-ins in which an application (identified by its app ID) that is not normally associated with a given user principal requests authentication on that user's behalf. Such sign-ins are rare and may indicate that an attacker has obtained the user's credentials and is using them through a client of their own choosing to impersonate the user. The rule uses Azure Sign-in logs to compare the app ID of each sign-in against the apps previously seen for that user. Reviewing the user's prior sign-in history, the authentication protocol used, and any error codes helps separate legitimate first-time use of an application from credential abuse. Investigation steps include identifying the source IP address, assessing the affected user's roles and privileges, reviewing authentication errors, and confirming that conditional access policies were applied and enforced for the sign-in.
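The following is an added illustration of the detection logic described above, not code from the rule itself or from the vendor. It builds a per-user baseline of app IDs from a history window of constructed Azure sign-in events (field names follow the Microsoft Graph signIn resource: userPrincipalName, appId, ipAddress, status.errorCode, conditionalAccessStatus, authenticationProtocol; the app IDs, users and IP addresses are made up), then flags later sign-ins whose app ID has not been seen for that user, attaching the fields an analyst needs for triage. The cutoff date and the tenant-wide popularity count are design choices of this example, not part of the rule.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample sign-in events (not real data). Field names approximate the
# Microsoft Graph signIn resource; app IDs are placeholder GUIDs.
APP_SHAREPOINT = "11111111-1111-1111-1111-111111111111"
APP_TEAMS = "22222222-2222-2222-2222-222222222222"
APP_UNKNOWN = "33333333-3333-3333-3333-333333333333"

SAMPLE_SIGNINS = [
    # --- history window: establishes what is "normal" per user ---
    {"createdDateTime": "2025-03-01T08:00:00Z", "userPrincipalName": "alice@example.com",
     "appId": APP_SHAREPOINT, "appDisplayName": "SharePoint", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "none", "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-02T09:15:00Z", "userPrincipalName": "alice@example.com",
     "appId": APP_TEAMS, "appDisplayName": "Teams", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "none", "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-03T10:00:00Z", "userPrincipalName": "bob@example.com",
     "appId": APP_SHAREPOINT, "appDisplayName": "SharePoint", "ipAddress": "203.0.113.11",
     "authenticationProtocol": "none", "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    # --- detection window: events evaluated against the baseline ---
    {"createdDateTime": "2025-03-09T08:05:00Z", "userPrincipalName": "alice@example.com",
     "appId": APP_SHAREPOINT, "appDisplayName": "SharePoint", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "none", "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-09T11:40:00Z", "userPrincipalName": "alice@example.com",
     "appId": APP_UNKNOWN, "appDisplayName": "Unregistered client", "ipAddress": "198.51.100.77",
     "authenticationProtocol": "ropc", "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-09T12:00:00Z", "userPrincipalName": "bob@example.com",
     "appId": APP_TEAMS, "appDisplayName": "Teams", "ipAddress": "203.0.113.11",
     "authenticationProtocol": "none", "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-09T12:30:00Z", "userPrincipalName": "alice@example.com",
     "appId": APP_UNKNOWN, "appDisplayName": "Unregistered client", "ipAddress": "198.51.100.77",
     "authenticationProtocol": "ropc", "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-09T13:00:00Z", "userPrincipalName": "carol@example.com",
     "appId": APP_SHAREPOINT, "appDisplayName": "SharePoint", "ipAddress": "198.51.100.78",
     "authenticationProtocol": "none", "conditionalAccessStatus": "failure",
     "status": {"errorCode": 53003}},  # 53003: blocked by Conditional Access
]

# Boundary between history and detection windows (an assumption of this example).
CUTOFF = datetime(2025, 3, 8, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in sign-in logs."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_baseline(events, cutoff):
    """Map each user to the set of app IDs seen before the cutoff."""
    baseline = defaultdict(set)
    for e in events:
        if parse_ts(e["createdDateTime"]) < cutoff:
            baseline[e["userPrincipalName"]].add(e["appId"])
    return dict(baseline)


def detect_unusual_apps(events, cutoff=CUTOFF):
    """Flag post-cutoff sign-ins whose app ID is new for that user.

    Each alert carries the triage fields the summary calls out: source IP,
    authentication protocol, error code and conditional access outcome, plus
    how many other users already use the app (a low count means a rarer client)
    and how much history the user had (0 means the user is new to the baseline).
    """
    baseline = build_baseline(events, cutoff)
    users_per_app = defaultdict(set)
    for user, apps in baseline.items():
        for app in apps:
            users_per_app[app].add(user)

    alerts = []
    for e in sorted(events, key=lambda x: parse_ts(x["createdDateTime"])):
        if parse_ts(e["createdDateTime"]) < cutoff:
            continue
        user, app = e["userPrincipalName"], e["appId"]
        seen = baseline.setdefault(user, set())
        if app in seen:
            continue
        alerts.append({
            "user": user,
            "appId": app,
            "appDisplayName": e.get("appDisplayName"),
            "ipAddress": e.get("ipAddress"),
            "authenticationProtocol": e.get("authenticationProtocol"),
            "errorCode": e.get("status", {}).get("errorCode"),
            "conditionalAccessStatus": e.get("conditionalAccessStatus"),
            "tenantUsersWithApp": len(users_per_app[app]),
            "baselineApps": len(seen),
        })
        seen.add(app)  # learn it so a repeat by the same user does not re-alert
    return alerts


if __name__ == "__main__":
    for alert in detect_unusual_apps(SAMPLE_SIGNINS):
        print(alert)
```

On the sample data this yields three alerts: alice's first sign-in through the unregistered client (ROPC, conditional access not applied, no other tenant user has the app), bob's first use of Teams (which one other user already uses, so a likely benign first use), and carol's blocked sign-in (a user with no history, so every app is "new" and the low baselineApps count tells the analyst the alert is weakly grounded). Alice's second sign-in with the same client is not re-alerted because the user's baseline is updated in place.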
Categories
- Cloud
- Identity Management
- Azure
Data Sources
- User Account
- Cloud Service
- Application Log
- Logon Session
ATT&CK Techniques
- T1078
- T1078.004
Created: 2025-03-10