
Summary
This rule detects potential brute-force (password spraying) attempts against Azure Entra ID user accounts by monitoring failed non-interactive single-factor authentication (SFA) sign-ins. The alert fires when failed sign-ins against 20 or more unique user accounts occur within a 10-minute window, which indicates a likely automated attack seeking unauthorized access. Because non-interactive SFA bypasses multi-factor authentication (MFA) and conditional access policies, it represents a significant risk vector. The rule advises investigating the originating IP address, evaluating the impacted user accounts, examining the authentication methods used, and analyzing the failure error codes for further insight into the attack. It includes guidance on handling false positives from legitimate automation processes and on response actions such as blocking malicious IPs and enforcing stronger password policies.
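The detection logic described above, run over constructed sample sign-in records, as an added illustration that is not the rule's own query or any vendor code. It assumes simplified event fields (user, ip, ts, interactive, auth_requirement, error_code, success) that loosely mirror Entra ID sign-in log fields, groups attempts by source IP (an assumption; the rule text does not state its grouping key), and takes an optional allowlist of triaged automation sources to reflect the false-positive guidance. Error code 50126 is the Entra "invalid username or password" result; all timestamps, addresses and account names are constructed.

```python
"""Sliding-window password-spray detector: >= 20 unique users with failed
non-interactive single-factor sign-ins from one source IP inside 10 minutes.
Constructed example; field names are assumptions, not the rule's schema."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

THRESHOLD_UNIQUE_USERS = 20     # threshold stated in the rule summary
WINDOW = timedelta(minutes=10)  # window stated in the rule summary


def is_failed_noninteractive_sfa(ev):
    """Event selector: only failed, non-interactive, single-factor sign-ins count."""
    return (not ev["success"]
            and not ev["interactive"]
            and ev["auth_requirement"] == "singleFactorAuthentication")


def detect_password_spray(events, allowlisted_ips=frozenset(),
                          threshold=THRESHOLD_UNIQUE_USERS, window=WINDOW):
    """Return one alert per source IP whose qualifying failures cover at least
    `threshold` distinct users inside any sliding `window`.
    `allowlisted_ips` holds automation sources already triaged as benign."""
    by_ip = defaultdict(list)
    for ev in events:
        if is_failed_noninteractive_sfa(ev) and ev["ip"] not in allowlisted_ips:
            by_ip[ev["ip"]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()         # events currently inside the window
        users = defaultdict(int)  # user -> number of failures inside the window
        for ev in evs:
            recent.append(ev)
            users[ev["user"]] += 1
            # Slide the window: evict events older than `window` relative to this one.
            while ev["ts"] - recent[0]["ts"] > window:
                old = recent.popleft()
                users[old["user"]] -= 1
                if users[old["user"]] == 0:
                    del users[old["user"]]
            if len(users) >= threshold:
                codes = defaultdict(int)
                for r in recent:
                    codes[r["error_code"]] += 1
                alerts.append({
                    "source_ip": ip,
                    "unique_users": len(users),
                    "window_start": recent[0]["ts"].isoformat(),
                    "window_end": ev["ts"].isoformat(),
                    "error_codes": dict(codes),  # pivot for the analyst
                })
                break  # one alert per IP; the analyst pivots from here
    return alerts


def _ev(minute, user, ip, interactive=False,
        auth="singleFactorAuthentication", error_code=50126, success=False):
    """Build one constructed sign-in record `minute` minutes after a fixed base time."""
    base = datetime(2025, 3, 7, 9, 0, tzinfo=timezone.utc)
    return {"ts": base + timedelta(minutes=minute), "user": user, "ip": ip,
            "interactive": interactive, "auth_requirement": auth,
            "error_code": error_code, "success": success}


# Constructed sample log: one spray plus three benign-looking patterns.
SAMPLE_EVENTS = (
    # Spray: one guess against 25 accounts in about 7 minutes -> should alert.
    [_ev(i * 0.3, f"user{i:02d}@example.com", "203.0.113.10") for i in range(25)]
    # Interactive failures from a shared kiosk: excluded by the selector.
    + [_ev(i * 0.3, f"kiosk{i:02d}@example.com", "192.0.2.44", interactive=True)
       for i in range(25)]
    # Service account with a stale password: 30 failures but a single user.
    + [_ev(i, "svc-backup@example.com", "198.51.100.5") for i in range(30)]
    # Slow spray: 25 users over 50 minutes, never 20 inside any 10-minute window.
    + [_ev(i * 2, f"slow{i:02d}@example.com", "203.0.113.77") for i in range(25)]
)

if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print(alert)
```

Note that the slow spray is deliberately left undetected: a threshold-in-window rule like this one trades recall against low-and-slow spraying for a low false-positive rate, so it is worth pairing with a longer-horizon count of distinct users per source.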
Categories
- Cloud
- Identity Management
Data Sources
- User Account
- Cloud Service
- Application Log
ATT&CK Techniques
- T1110
- T1110.003
Created: 2025-03-07