
Entra ID Custom Domain Added or Verified

Elastic Detection Rules

Summary
This rule detects when a custom domain is added to or verified in a Microsoft Entra ID (formerly Azure AD) tenant. Both steps are prerequisites for configuring domain federation, which an adversary can abuse to route authentication for that domain through an identity provider they control (the setup behind Golden SAML-style attacks). Adding and verifying domains are legitimate administrative actions, but they are infrequent and should be investigated whenever they occur outside normal change management.

The rule monitors Entra ID audit logs (DirectoryManagement category) for the operations Add unverified domain and Verify domain with a successful outcome. It relies on the azure.auditlogs data stream of the Elastic Azure integration to surface these events.

Investigation: validate the actor (initiated_by.user.userPrincipalName and source IP), identify the domain name from target_resources, confirm the change against change requests and IT workflows, and check for follow-on federation or domain authentication changes. Indicators that warrant escalation include a domain added by an unexpected actor, a domain that subsequently becomes federated, and related authentication redirection events.

False positives: legitimate tenant setup or expansion, mergers and acquisitions, and automated provisioning of domains.

Remediation: remove unauthorized domains, audit who holds the roles that can add domains (Global Administrator and Domain Name Administrator), and verify DNS ownership and the domain verification records. If the domain has been federated, escalate per the related Entra ID federation configuration rules and consider enabling Privileged Identity Management for administrative roles.

MITRE ATT&CK: TA0042 (Resource Development), T1584 (Compromise Infrastructure) and T1584.001 (Compromise Infrastructure: Domains).
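The selection logic and the follow-on checks described above, run over constructed audit events, as an added example (not the rule's own query and not the Elastic Azure integration's code). The events are constructed. Field paths follow the names the summary uses (operation_name, the DirectoryManagement category, initiated_by.user.userPrincipalName, target_resources); the exact nesting, the ipAddress field, the federation operation names used for correlation and the approved-actor list are assumptions for the example.

```python
"""Entra ID custom-domain add/verify detection over constructed audit events.

Added example, not the rule's KQL or the Elastic Azure integration's code.
Field nesting, the ipAddress field and FEDERATION_OPS are assumptions.
"""
from datetime import datetime, timedelta

# Operations the rule alerts on (from the rule summary).
DOMAIN_OPS = {"Add unverified domain", "Verify domain"}
# Follow-on operations that federate a domain. Assumed names used only for
# correlation; confirm the exact strings in your tenant's audit log.
FEDERATION_OPS = {"Set federation settings on domain", "Set domain authentication"}


def audit_event(ts, operation, actor, ip, domain,
                category="DirectoryManagement", outcome="success"):
    """Build one constructed event shaped like an ECS azure.auditlogs document."""
    return {
        "@timestamp": ts,
        "event": {"dataset": "azure.auditlogs", "outcome": outcome},
        "azure": {"auditlogs": {
            "operation_name": operation,
            "properties": {
                "category": category,
                "initiated_by": {"user": {"userPrincipalName": actor, "ipAddress": ip}},
                "target_resources": [{"display_name": domain}],
            },
        }},
    }


SAMPLE_EVENTS = [  # constructed, not real tenant data
    audit_event("2026-03-03T09:00:00+00:00", "Add unverified domain",
                "jdoe@contoso.example", "203.0.113.10", "corp-sso.example"),
    audit_event("2026-03-03T09:05:00+00:00", "Verify domain",
                "jdoe@contoso.example", "203.0.113.10", "corp-sso.example"),
    audit_event("2026-03-03T09:20:00+00:00", "Set federation settings on domain",
                "jdoe@contoso.example", "203.0.113.10", "corp-sso.example"),
    audit_event("2026-03-03T10:00:00+00:00", "Add unverified domain",
                "it-ops@contoso.example", "198.51.100.7", "branch.example"),
    audit_event("2026-03-03T10:01:00+00:00", "Verify domain",
                "it-ops@contoso.example", "198.51.100.7", "branch.example",
                outcome="failure"),                        # failed: rule ignores it
    audit_event("2026-03-03T10:30:00+00:00", "Add user",
                "it-ops@contoso.example", "198.51.100.7", "newhire@contoso.example",
                category="UserManagement"),                # wrong category and operation
]


def _get(doc, path, default=None):
    """Dotted-path lookup through nested dicts; default when any part is missing."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def matches_rule(event):
    """The rule's selection: successful domain add/verify in DirectoryManagement."""
    return (_get(event, "event.dataset") == "azure.auditlogs"
            and _get(event, "azure.auditlogs.properties.category") == "DirectoryManagement"
            and _get(event, "azure.auditlogs.operation_name") in DOMAIN_OPS
            and _get(event, "event.outcome") == "success")


def summarize(event):
    """Pull the fields an analyst validates first: time, actor, source IP, domain."""
    targets = _get(event, "azure.auditlogs.properties.target_resources") or []
    return {
        "time": datetime.fromisoformat(event["@timestamp"]),
        "operation": _get(event, "azure.auditlogs.operation_name"),
        "actor": _get(event, "azure.auditlogs.properties.initiated_by.user.userPrincipalName"),
        "ip": _get(event, "azure.auditlogs.properties.initiated_by.user.ipAddress"),
        "domain": targets[0].get("display_name") if targets else None,
    }


def triage(events, approved_actors, window=timedelta(hours=24)):
    """One alert per rule hit, enriched with the two checks the summary recommends:
    is the actor an expected change-management identity, and was the same domain
    federated within `window` after the hit. Both drive a simple severity."""
    events = sorted(events, key=lambda e: e["@timestamp"])
    federations = [summarize(e) for e in events
                   if _get(e, "azure.auditlogs.operation_name") in FEDERATION_OPS
                   and _get(e, "event.outcome") == "success"]
    alerts = []
    for event in events:
        if not matches_rule(event):
            continue
        hit = summarize(event)
        hit["known_actor"] = hit["actor"] in approved_actors
        hit["federated_after"] = any(
            f["domain"] == hit["domain"] and hit["time"] <= f["time"] <= hit["time"] + window
            for f in federations)
        if hit["federated_after"] and not hit["known_actor"]:
            hit["severity"] = "high"
        elif hit["federated_after"] or not hit["known_actor"]:
            hit["severity"] = "medium"
        else:
            hit["severity"] = "low"
        alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS, approved_actors={"it-ops@contoso.example"}):
        print(f'{a["severity"]:6} {a["operation"]:22} {a["domain"]:18} by {a["actor"]} '
              f'from {a["ip"]} federated_after={a["federated_after"]}')
```

Running it yields three alerts: the two corp-sso.example hits are high severity because an unlisted actor performed them and the domain was federated twenty minutes later, while the branch.example addition by the approved it-ops account with no federation is low. The failed Verify domain and the UserManagement event never match, which is the behaviour to confirm when you port the logic to the real data stream: a failed verification is noise, but a successful one followed by a federation change is the sequence that needs an incident ticket.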
Categories
  • Cloud
  • Identity Management
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1584
  • T1584.001
Created: 2026-03-03