
Summary
The detection rule titled 'Azure AD Only Single Factor Authentication Required' identifies sign-ins to Azure Active Directory (AD) that completed without multi-factor authentication (MFA). It targets situations where the tenant did not enforce a stronger authentication requirement, leaving those sign-ins more exposed to unauthorized access. The detection logic is straightforward: it selects events from the Azure sign-in logs where the authentication status is 'Success' and the required authentication level is 'singleFactorAuthentication'. By monitoring these events, security teams can pinpoint weak authentication practices, particularly where MFA should be mandatory to safeguard organizational assets. False positives can occur where single-factor authentication has been explicitly authorized by a system administrator. This detection contributes to the overall security posture by supporting compliance with MFA requirements and raising awareness of risks related to initial access and credential theft. The rule maps to techniques in the MITRE ATT&CK framework that may be associated with credential access, namely T1078 (Valid Accounts) and T1556 (Credential Dumping).
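The selection logic described above, applied to a handful of constructed sign-in events. This is an added example and not the rule's own code or output; the field names 'Status', 'AuthenticationRequirement' and 'UserPrincipalName' are assumed to follow the Azure sign-in log schema, and the allowlist models the documented false-positive case of accounts an administrator has explicitly authorized for single-factor sign-in.

```python
import json
from typing import Iterable, List, Dict, FrozenSet

# Constructed sample of Azure AD sign-in events as JSON lines (values are made up;
# field names are an assumption about the Azure sign-in log schema).
SAMPLE_SIGNIN_LINES = """\
{"UserPrincipalName": "alice@example.com", "Status": "Success", "AuthenticationRequirement": "multiFactorAuthentication", "AppDisplayName": "Office 365"}
{"UserPrincipalName": "bob@example.com", "Status": "Success", "AuthenticationRequirement": "singleFactorAuthentication", "AppDisplayName": "Azure Portal"}
{"UserPrincipalName": "svc-backup@example.com", "Status": "Success", "AuthenticationRequirement": "singleFactorAuthentication", "AppDisplayName": "Backup Service"}
{"UserPrincipalName": "carol@example.com", "Status": "Failure", "AuthenticationRequirement": "singleFactorAuthentication", "AppDisplayName": "Azure Portal"}
not a json line
"""


def parse_signin_lines(text: str) -> List[Dict]:
    """Parse JSON-lines sign-in export, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            # A malformed line should not abort the whole detection run.
            continue
    return events


def matches_rule(event: Dict) -> bool:
    """Core selection: a successful sign-in that only required a single factor."""
    return (
        event.get("Status") == "Success"
        and event.get("AuthenticationRequirement") == "singleFactorAuthentication"
    )


def find_single_factor_signins(
    events: Iterable[Dict], allowlist: FrozenSet[str] = frozenset()
) -> List[Dict]:
    """Return matching events, dropping accounts explicitly authorized for single factor.

    The allowlist (hypothetical, maintained by the tenant administrator) handles the
    false-positive case the rule documentation mentions.
    """
    hits = []
    for event in events:
        if not matches_rule(event):
            continue
        if event.get("UserPrincipalName", "").lower() in allowlist:
            continue
        hits.append(event)
    return hits


if __name__ == "__main__":
    signins = parse_signin_lines(SAMPLE_SIGNIN_LINES)
    authorized = frozenset({"svc-backup@example.com"})
    for hit in find_single_factor_signins(signins, authorized):
        print(f"ALERT single-factor sign-in: {hit['UserPrincipalName']} -> {hit['AppDisplayName']}")
```

Without an allowlist the rule fires on both successful single-factor sign-ins; with the service account allowlisted only the interactive portal sign-in is reported, which is the tuning step a team would take before routing this rule to an alert queue.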
Categories
- Cloud
- Identity Management
Data Sources
- Logon Session
- User Account
Created: 2022-07-27