Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN

Elastic Detection Rules

Summary
This rule detects Microsoft Entra ID sign-in activity where the Microsoft Authentication Broker invokes the Device Registration Service from a source ASN commonly associated with VPNs, residential proxies, or hosting egress. It triggers when an azure.signinlogs event with action Sign-in activity shows app_display_name as "Microsoft Authentication Broker" and resource_display_name as "Device Registration Service", and the source ASN matches a predefined list linked to OAuth phishing and adversary-in-the-middle device registration flows. The pattern can indicate device enrollment or primary refresh token acquisition initiated from attacker-controlled infrastructure after user authentication. The rule maps to MITRE ATT&CK techniques related to persistence (Device Registration, T1098.005), initial access (Spearphishing Link, T1566.002), and defense evasion (Application Access Token, T1550.001). It is assigned a high severity with a risk score of 73. False positives include legitimate device joins from corporate or consumer VPNs and bulk provisioning from approved networks. Investigations should correlate session activity, review device enrollment context, and verify ASN legitimacy against approved networks.
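As an added illustration (not the rule's own query, which this page does not show), the conditions listed in the summary applied in Python to constructed sign-in events; the field paths assume the ECS/Azure integration layout and the ASN set is a placeholder for the rule's predefined list:

```python
# Added example, not Elastic's rule source: the conditions from the summary
# applied to constructed azure.signinlogs-style events. Field paths assume the
# ECS/Azure integration layout; the ASN set is a placeholder for the rule's
# predefined list, which this page does not show.

SUSPICIOUS_ASNS = {64496, 64497}  # placeholder: RFC 5398 documentation ASNs

def get_path(event, path):
    """Walk a dotted path through nested dicts; None if any key is missing."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def matches_rule(event, suspicious_asns=SUSPICIOUS_ASNS):
    """True when the event meets every condition stated in the rule summary."""
    props = "azure.signinlogs.properties."
    return (
        get_path(event, "event.dataset") == "azure.signinlogs"
        and get_path(event, "event.action") == "Sign-in activity"
        and get_path(event, props + "app_display_name") == "Microsoft Authentication Broker"
        and get_path(event, props + "resource_display_name") == "Device Registration Service"
        and get_path(event, "source.as.number") in suspicious_asns
    )

def make_event(user, app, resource, asn):
    """Constructed sign-in event in the shape the rule inspects."""
    return {
        "event": {"dataset": "azure.signinlogs", "action": "Sign-in activity"},
        "azure": {"signinlogs": {"properties": {"app_display_name": app,
                  "resource_display_name": resource, "user_principal_name": user}}},
        "source": {"as": {"number": asn}},
    }

BROKER, DRS = "Microsoft Authentication Broker", "Device Registration Service"
SAMPLE_EVENTS = [  # constructed: one hit, one ASN outside the list, one other resource
    make_event("alice@example.com", BROKER, DRS, 64496),
    make_event("bob@example.com", BROKER, DRS, 64510),
    make_event("carol@example.com", BROKER, "Microsoft Graph", 64496),
]

def find_alerts(events):
    """User principal names whose events satisfy the rule; triage these first."""
    return [get_path(e, "azure.signinlogs.properties.user_principal_name")
            for e in events if matches_rule(e)]

print(find_alerts(SAMPLE_EVENTS))  # ['alice@example.com']
```

Only the first event fires: the second uses an ASN outside the list and the third targets a resource other than the Device Registration Service, which mirrors the false-positive guidance above about verifying ASN legitimacy before escalating.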
Categories
  • Cloud
  • Identity Management
Data Sources
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1098
  • T1098.005
  • T1566
  • T1566.002
  • T1550
  • T1550.001
Created: 2026-05-26