
Summary
This analytic rule detects the addition of a new federated domain in an Azure Active Directory (Azure AD) environment by monitoring Azure AD Audit Logs for "Set domain authentication" operations. Identifying this activity matters because adding a federated domain, or converting a managed domain to federated, is the setup step of a federation backdoor: the trust references a token-signing certificate, and an attacker who holds the matching private key can mint SAML tokens for any user in the tenant. If successful, this lets the adversary impersonate any user in the organization, bypass password and MFA checks (Azure AD trusts the federated identity provider to have authenticated the user), and gain unauthorized access to resources protected by Azure AD. The rule aggregates matching events by initiating user, target domain, result, and operation name, so each alert summarizes who changed which domain's authentication settings and whether the change succeeded. Legitimate federation onboarding (for example, a planned ADFS or third-party IdP rollout) produces the same event, so triage against change records and the set of administrators expected to perform domain changes.
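The detection logic described above, run over constructed sample audit records, as an added example that is not part of the original rule or the Splunk content it summarizes. The record field names (operationName, result, initiatedBy.user.userPrincipalName, targetResources[].displayName, modifiedProperties) follow the Azure AD AuditLogs export schema; the sample values, the "LiveType" property used to flag a Managed-to-Federated change, and the helper names are assumptions made for this example.

```python
import json

# Constructed sample Azure AD audit log records (newline-delimited JSON, in
# the shape of the AuditLogs export). All users, domains and timestamps are
# invented for this example; "LiveType" as the modified property that carries
# the Managed -> Federated change is an assumption, not verified schema.
SAMPLE_AUDIT_LOG_LINES = [
    json.dumps({"activityDateTime": "2024-11-14T09:10:50Z",
                "operationName": "Set domain authentication", "result": "failure",
                "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
                "targetResources": [{"displayName": "backdoor.contoso.example",
                                     "modifiedProperties": []}]}),
    json.dumps({"activityDateTime": "2024-11-14T09:12:03Z",
                "operationName": "Set domain authentication", "result": "success",
                "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
                "targetResources": [{"displayName": "backdoor.contoso.example",
                                     "modifiedProperties": [{"displayName": "LiveType",
                                                             "oldValue": "[\"Managed\"]",
                                                             "newValue": "[\"Federated\"]"}]}]}),
    json.dumps({"activityDateTime": "2024-11-14T09:12:45Z",
                "operationName": "Set domain authentication", "result": "success",
                "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
                "targetResources": [{"displayName": "backdoor.contoso.example",
                                     "modifiedProperties": [{"displayName": "LiveType",
                                                             "oldValue": "[\"Managed\"]",
                                                             "newValue": "[\"Federated\"]"}]}]}),
    json.dumps({"activityDateTime": "2024-11-14T09:30:00Z",
                "operationName": "Add user", "result": "success",
                "initiatedBy": {"user": {"userPrincipalName": "hr@contoso.example"}},
                "targetResources": [{"displayName": "new.hire@contoso.example"}]}),
    json.dumps({"activityDateTime": "2024-11-14T11:05:17Z",
                "operationName": "Set domain authentication", "result": "success",
                "initiatedBy": {"user": {"userPrincipalName": "svc-adconnect@contoso.example"}},
                "targetResources": [{"displayName": "contoso.example",
                                     "modifiedProperties": [{"displayName": "LiveType",
                                                             "oldValue": "[\"Federated\"]",
                                                             "newValue": "[\"Managed\"]"}]}]}),
    "this line is not JSON and must be skipped",
]


def parse_audit_lines(lines):
    """Parse newline-delimited JSON audit records, dropping malformed lines."""
    records = []
    for line in lines:
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def _initiating_user(rec):
    """Actor UPN, falling back to the app display name for service-initiated changes."""
    by = rec.get("initiatedBy") or {}
    user = by.get("user") or {}
    app = by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def _federated_change(rec):
    """True if any modified property's new value names 'Federated' (assumed shape)."""
    for target in rec.get("targetResources") or []:
        for prop in target.get("modifiedProperties") or []:
            if "Federated" in str(prop.get("newValue", "")):
                return True
    return False


def detect_set_domain_authentication(records, operation="Set domain authentication"):
    """Mirror the rule: keep only the target operation and aggregate by
    user, domain, result and operation name with count and first/last time."""
    groups = {}
    for rec in records:
        if rec.get("operationName") != operation:
            continue
        for target in rec.get("targetResources") or []:
            domain = target.get("displayName")
            if not domain:
                continue
            key = (_initiating_user(rec), domain, rec.get("result", "unknown"), operation)
            ts = rec.get("activityDateTime", "")
            g = groups.setdefault(key, {"user": key[0], "domain": domain, "result": key[2],
                                        "operationName": operation, "count": 0,
                                        "firstTime": ts, "lastTime": ts, "federated": False})
            g["count"] += 1
            g["firstTime"] = min(g["firstTime"], ts)   # ISO-8601 Z strings sort lexically
            g["lastTime"] = max(g["lastTime"], ts)
            g["federated"] = g["federated"] or _federated_change(rec)
    return sorted(groups.values(), key=lambda g: (g["user"], g["domain"], g["result"]))


if __name__ == "__main__":
    for hit in detect_set_domain_authentication(parse_audit_lines(SAMPLE_AUDIT_LOG_LINES)):
        print(hit)
```

The "federated" flag is an addition beyond the rule's own grouping: it separates a domain being converted to federated (the backdoor case) from a conversion back to managed, which the bare operation name cannot distinguish. The failed attempt stays visible as its own row, since a failure immediately followed by a success from the same account is itself worth a look.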
Categories
- Cloud
- Identity Management
- Azure
Data Sources
- Image
- Cloud Service
- Active Directory
ATT&CK Techniques
- T1484
- T1484.002
Created: 2024-11-14