
Summary
This detection rule identifies instances where Multi-Factor Authentication (MFA) is disabled within Microsoft 365 environments. The rule monitors audit logs for specific operations that indicate strong authentication measures were disabled, which can indicate malicious activity or a security policy violation. The filter criterion focuses on operations that contain the phrase 'Disable Strong Authentication.' When such an operation is detected, the alert triggers at high severity, because disabling MFA materially increases the risk of unauthorized access. The rule is intended to mitigate risks associated with persistence and account compromise. False positives are deemed unlikely, which reinforces the reliability of this detection.
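As an added example (not the rule's own code), the filter criterion described above applied to constructed Microsoft 365 audit records. The field names `Operation`, `UserId`, `ObjectId` and `CreationTime` follow the Unified Audit Log export shape and are assumptions, as are all sample values.

```python
"""Added example: apply the 'Disable Strong Authentication' filter to constructed
Microsoft 365 audit records (field names and values are assumed, not from the page)."""
import json

# Constructed sample records in Unified Audit Log style, one JSON object per line.
SAMPLE_AUDIT_LOG = """\
{"CreationTime":"2023-09-18T08:01:12","Operation":"Disable Strong Authentication.","UserId":"admin@contoso.example","ObjectId":"jdoe@contoso.example","ResultStatus":"Success"}
{"CreationTime":"2023-09-18T08:02:40","Operation":"Enable Strong Authentication.","UserId":"admin@contoso.example","ObjectId":"jdoe@contoso.example","ResultStatus":"Success"}
{"CreationTime":"2023-09-18T08:03:05","Operation":"UserLoggedIn","UserId":"jdoe@contoso.example","ObjectId":"Unknown","ResultStatus":"Success"}
{"CreationTime":"2023-09-18T08:04:19","Operation":"Disable Strong Authentication.","UserId":"helpdesk@contoso.example","ObjectId":"cfo@contoso.example","ResultStatus":"Success"}
"""

# The rule's phrase; compared case-insensitively so casing differences in exports still match.
PHRASE = "disable strong authentication"


def matches(record: dict) -> bool:
    """Rule criterion: the Operation value contains the phrase."""
    return PHRASE in str(record.get("Operation", "")).lower()


def detect(log_text: str) -> list[dict]:
    """Return one high-severity alert per record whose Operation matches the rule."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole run
        if matches(record):
            alerts.append({
                "severity": "high",
                "time": record.get("CreationTime"),
                "actor": record.get("UserId"),      # who disabled MFA
                "target": record.get("ObjectId"),   # whose MFA was disabled
                "operation": record["Operation"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_LOG):
        print(alert)
```

The `Enable Strong Authentication.` record is not matched, which is what distinguishes this rule from a broader "any MFA change" alert.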
Categories
- Cloud
- Identity Management
- Web
Data Sources
- User Account
- Application Log
- Cloud Service
Created: 2023-09-18