
Entra ID Service Principal Federated Credential Authentication by Unusual Client
Elastic Detection Rules
Summary
This detection rule flags service principals in Microsoft Entra ID that authenticate with a federated identity credential for the first time within a specified historical window. Legitimate CI/CD workloads (for example GitHub Actions or Azure DevOps) routinely authenticate this way, but federated credentials also give adversaries an opening: by configuring a rogue identity provider as a trusted issuer for an application, they can obtain tokens as that application and effectively spoof it. The rule evaluates Azure sign-in logs to determine whether an authentication used a federated credential, and every hit requires validating the identity provider involved: review the issuer URL, the app ID, and the associated logs to establish whether the federation is legitimate.
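The "first time in a historical window" logic described above, as an added example that is not the rule's own query: it replays constructed sign-in events, seeds a baseline from the history, and flags federated sign-ins whose (service principal, issuer) pair has not been seen in the window, annotating each alert with whether the issuer is on an assumed allowlist. The field names, the sample events and the allowlist are all assumptions, not the real azure.signinlogs schema or any tenant's data.

```python
from datetime import datetime, timedelta

# Constructed sample Entra ID sign-in events for illustration only; the field
# names (ts, sp_id, cred_type, issuer) are simplified assumptions, not the
# azure.signinlogs fields the Elastic rule actually queries.
EVENTS = [
    {"ts": "2026-01-05T10:00:00Z", "sp_id": "sp-ci-pipeline", "cred_type": "federated",
     "issuer": "https://token.actions.githubusercontent.com"},
    {"ts": "2026-01-20T10:00:00Z", "sp_id": "sp-ci-pipeline", "cred_type": "federated",
     "issuer": "https://token.actions.githubusercontent.com"},
    {"ts": "2026-02-09T08:00:00Z", "sp_id": "sp-ci-pipeline", "cred_type": "federated",
     "issuer": "https://token.actions.githubusercontent.com"},
    {"ts": "2026-02-09T09:00:00Z", "sp_id": "sp-billing-app", "cred_type": "secret",
     "issuer": None},
    {"ts": "2026-02-09T09:30:00Z", "sp_id": "sp-billing-app", "cred_type": "federated",
     "issuer": "https://idp.example.invalid/unknown"},  # constructed unknown issuer
]

# Constructed allowlist of issuer URLs this tenant is expected to federate with.
KNOWN_ISSUERS = {"https://token.actions.githubusercontent.com"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def first_seen_federated(events, since, history_days=30):
    """Return federated sign-ins whose (service principal, issuer) pair was not
    seen in the preceding history_days. Events before `since` only seed the
    baseline; only events at or after `since` can produce alerts."""
    start = parse_ts(since)
    window = timedelta(days=history_days)
    last_seen = {}  # (sp_id, issuer) -> timestamp of the most recent federated sign-in
    alerts = []
    for e in sorted(events, key=lambda ev: parse_ts(ev["ts"])):
        if e["cred_type"] != "federated":
            continue
        key = (e["sp_id"], e["issuer"])
        ts = parse_ts(e["ts"])
        prev = last_seen.get(key)
        is_new = prev is None or ts - prev > window
        if is_new and ts >= start:
            alert = dict(e)
            # Triage hint from the rule's guidance: is the issuer one we expect?
            alert["issuer_known"] = e["issuer"] in KNOWN_ISSUERS
            alerts.append(alert)
        last_seen[key] = ts
    return alerts


if __name__ == "__main__":
    for a in first_seen_federated(EVENTS, since="2026-02-09T00:00:00Z"):
        print(a["ts"], a["sp_id"], a["issuer"], "known issuer:", a["issuer_known"])
```

With the constructed data, the CI pipeline's sign-in on 2026-02-09 is suppressed because the same pair was seen 20 days earlier, while the billing app's first federated sign-in is flagged with an unknown issuer.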
Categories
- Cloud
- Identity Management
Data Sources
- Cloud Service
- Application Log
- User Account
ATT&CK Techniques
- T1078
- T1078.004
- T1550
- T1550.001
Created: 2026-02-09