
Summary
This analytic rule detects successful authentication events to Azure Active Directory (Azure AD) made through PowerShell cmdlets, specifically sign-ins whose appDisplayName is "Microsoft Azure PowerShell". It is triggered by successful logins recorded in the Azure AD SignInLogs, which are analyzed to identify potentially unauthorized access, especially from non-administrative accounts. Because authenticating through PowerShell is uncommon among typical users, its detection may point to malicious activity such as enumeration and discovery by an attacker, who could use this access to gather information about the Azure environment and potentially escalate privileges, leading to severe security risks. The rule outputs the source IP of the request, the user agent, and timestamps so that the context of the authentication events can be better understood.
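As an added example that is not part of this rule's definition, the following Python applies the same logic (successful sign-in, appDisplayName "Microsoft Azure PowerShell", grouped by user, source IP and user agent with first/last timestamps) to constructed SignInLogs records. Field names assume the Microsoft Graph signIn resource (appDisplayName, status.errorCode, ipAddress, userAgent, userPrincipalName, createdDateTime), and the admin-account list used to prioritise non-administrative hits is a hypothetical input.

```python
import json

# Constructed sample SignInLogs records (not real data). Field names follow the
# Microsoft Graph signIn resource; status.errorCode 0 means the sign-in succeeded.
SAMPLE_SIGNIN_LOGS = [
    {"createdDateTime": "2024-11-14T08:02:11Z", "userPrincipalName": "alice@example.test",
     "appDisplayName": "Microsoft Azure PowerShell", "ipAddress": "203.0.113.10",
     "userAgent": "AzurePowershell/v1.0", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-11-14T08:05:40Z", "userPrincipalName": "alice@example.test",
     "appDisplayName": "Microsoft Azure PowerShell", "ipAddress": "203.0.113.10",
     "userAgent": "AzurePowershell/v1.0", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-11-14T08:07:02Z", "userPrincipalName": "bob@example.test",
     "appDisplayName": "Microsoft Azure PowerShell", "ipAddress": "198.51.100.7",
     "userAgent": "AzurePowershell/v1.0", "status": {"errorCode": 50126}},  # failed sign-in
    {"createdDateTime": "2024-11-14T08:09:15Z", "userPrincipalName": "carol@example.test",
     "appDisplayName": "Azure Portal", "ipAddress": "192.0.2.44",
     "userAgent": "Mozilla/5.0", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-11-14T08:11:33Z", "userPrincipalName": "admin-ops@example.test",
     "appDisplayName": "Microsoft Azure PowerShell", "ipAddress": "192.0.2.99",
     "userAgent": "AzurePowershell/v1.0", "status": {"errorCode": 0}},
]

TARGET_APP = "Microsoft Azure PowerShell"

def detect_powershell_signins(records, admin_accounts=frozenset()):
    """Return one finding per (user, source IP, user agent) for successful sign-ins
    whose appDisplayName is Microsoft Azure PowerShell, with first/last timestamps
    and a count. admin_accounts (hypothetical input) tags known administrative
    users so non-administrative hits sort first for triage."""
    findings = {}
    for r in records:
        if r.get("appDisplayName") != TARGET_APP:
            continue
        if r.get("status", {}).get("errorCode", -1) != 0:
            continue  # only successful authentications trigger the rule
        key = (r["userPrincipalName"], r["ipAddress"], r["userAgent"])
        ts = r["createdDateTime"]  # ISO-8601 UTC strings compare chronologically
        f = findings.setdefault(key, {"user": key[0], "src_ip": key[1], "user_agent": key[2],
                                      "first_time": ts, "last_time": ts, "count": 0,
                                      "is_admin": key[0].lower() in admin_accounts})
        f["count"] += 1
        f["first_time"] = min(f["first_time"], ts)
        f["last_time"] = max(f["last_time"], ts)
    return sorted(findings.values(), key=lambda f: (f["is_admin"], f["first_time"]))

if __name__ == "__main__":
    for finding in detect_powershell_signins(SAMPLE_SIGNIN_LOGS, {"admin-ops@example.test"}):
        print(json.dumps(finding))
```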
Categories
- Cloud
- Azure
Data Sources
- User Account
- Cloud Service
ATT&CK Techniques
- T1078
- T1586
- T1586.003
- T1078.004
Created: 2024-11-14