
Summary
Identifies successful deployments of high-risk Azure VM extensions by a user principal, which can indicate abuse by privileged Azure RBAC accounts. Extensions such as VMAccess, CustomScriptExtension, RunCommand, DSC, and Microsoft Monitoring Agent can be used to execute arbitrary code, create backdoor accounts, harvest credentials, and establish persistence on Azure Virtual Machines without requiring direct network access.

The rule fires on successful write operations to MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE in Azure Activity Logs, filtered by extension resource IDs matching the high-risk families above and a caller of type User. This provides visibility into potentially unauthorized configuration changes that modify VM state or enable persistence.

MITRE ATT&CK mappings include T1098 (Account Manipulation) under Persistence, T1651 (Cloud Administration Command) under Execution, and T1578 (Modify Cloud Compute Infrastructure) with its Create Cloud Instance sub-technique (T1578.002) under Defense Evasion (cloud-focused techniques), reflecting the risk of cloud infrastructure manipulation to maintain access. The rule therefore also supports detection of defense evasion in which compute resources are altered to facilitate ongoing access.
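The filtering logic described above, as an added worked example that is not part of the rule page or any vendor's detection content. It runs the three conditions (target operation, successful result, caller of type User) plus the high-risk extension-name match over a handful of constructed Azure Activity Log events. The flattened event layout (operationName, resultType, resourceId, caller, identity.authorization.evidence.principalType) and the substring patterns used to recognise the extension families are simplifying assumptions; real exports differ by pipeline and extension names are chosen by whoever deploys them.

```python
import re
from typing import Dict, List, Optional, Tuple

# Operation the rule keys on (from the rule summary).
TARGET_OPERATION = "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE"

# High-risk extension families named in the rule summary, matched as
# case-insensitive substrings of the extension name in the resource ID.
# ASSUMPTION: extension names are deployer-chosen and usually echo the
# extension type; tune these patterns to what your tenant actually deploys.
HIGH_RISK_EXTENSION_RE = re.compile(
    r"vmaccess|customscript|runcommand|dsc|microsoftmonitoringagent|mmaextension",
    re.IGNORECASE,
)

# Final '/extensions/<name>' segment of a VM extension resource ID.
EXTENSION_SEGMENT_RE = re.compile(r"/extensions/([^/]+)/?$", re.IGNORECASE)

# Status values treated as a successful write ("Succeeded" in the REST
# activity log, "Success" in diagnostic-setting exports).
SUCCESS_STATUSES = {"succeeded", "success"}


def extension_name(resource_id: str) -> Optional[str]:
    """Extract the extension name from a VM extension resource ID, or None."""
    match = EXTENSION_SEGMENT_RE.search(resource_id)
    return match.group(1) if match else None


def principal_type(event: Dict) -> str:
    """Caller principal type (assumed path: identity.authorization.evidence.principalType)."""
    try:
        return event["identity"]["authorization"]["evidence"]["principalType"]
    except (KeyError, TypeError):
        return ""


def is_high_risk_extension_write(event: Dict) -> bool:
    """True only when every condition of the rule holds for this event."""
    if event.get("operationName", "").upper() != TARGET_OPERATION:
        return False
    if event.get("resultType", "").lower() not in SUCCESS_STATUSES:
        return False
    if principal_type(event).lower() != "user":
        return False
    name = extension_name(event.get("resourceId", ""))
    return bool(name and HIGH_RISK_EXTENSION_RE.search(name))


def find_alerts(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (caller, VM resource ID, extension name) for each matching event."""
    alerts = []
    for event in events:
        if is_high_risk_extension_write(event):
            rid = event["resourceId"]
            vm_id = rid[: rid.lower().rfind("/extensions/")]
            alerts.append((event.get("caller", ""), vm_id, extension_name(rid)))
    return alerts


def _event(op: str, status: str, rid: str, caller: str, ptype: str) -> Dict:
    """Build a constructed event in the simplified schema assumed above."""
    return {
        "operationName": op,
        "resultType": status,
        "resourceId": rid,
        "caller": caller,
        "identity": {"authorization": {"evidence": {"principalType": ptype}}},
    }


# Constructed VM resource ID (placeholder subscription), not a real tenant.
VM = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
      "/providers/Microsoft.Compute/virtualMachines/vm-web01")

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    # User deploys VMAccess successfully -> alert
    _event(TARGET_OPERATION, "Success", VM + "/extensions/enablevmaccess", "alice@example.com", "User"),
    # Same family by an automation service principal -> caller is not a User, no alert
    _event(TARGET_OPERATION, "Success", VM + "/extensions/CustomScriptExtension", "deploy-sp", "ServicePrincipal"),
    # User attempts CustomScript but the write failed -> no alert
    _event(TARGET_OPERATION, "Failure", VM + "/extensions/CustomScriptExtension", "bob@example.com", "User"),
    # User deploys an extension outside the high-risk list -> no alert
    _event(TARGET_OPERATION, "Success", VM + "/extensions/AzureDiskEncryption", "alice@example.com", "User"),
    # User deploys a RunCommand extension, REST-style status value -> alert
    _event(TARGET_OPERATION, "Succeeded", VM + "/extensions/RunCommandLinux", "carol@example.com", "User"),
    # Write to the VM itself, not an extension -> wrong operation, no alert
    _event("MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE", "Success", VM, "alice@example.com", "User"),
]

if __name__ == "__main__":
    for caller, vm_id, ext in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT caller={caller} vm={vm_id.rsplit('/', 1)[-1]} extension={ext}")
```

Run as a script it prints two alerts (the VMAccess and RunCommand deployments by users); the service-principal, failed, benign-extension and non-extension events are filtered out. The service-principal exclusion is the point to watch in tuning: it keeps pipeline noise down but means an attacker holding an automation identity would not trip this rule, so pair it with coverage of non-User callers where that risk applies.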
Categories
- Cloud
- Endpoint
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1098
- T1651
- T1578
- T1578.002
Created: 2026-05-20