
Summary
This detection rule identifies infrequent OAuth workflows in which a user principal authenticated with only a single factor requests the 'user_impersonation' OAuth scope. Such attempts may indicate unauthorized access to a user account, particularly when the sign-in session is unbound, meaning the session has no association with a specific device. The rule targets sign-ins whose token issuer is AzureAD and flags any user principal that has not been active within the last 10 days, since a sudden appearance of this pattern for an otherwise quiet principal may indicate suspicious activity or account compromise. Investigation should focus on the attributes recorded in the sign-in logs, including the OAuth scope, the authentication requirement, the application involved, and the source of the sign-in attempt, to distinguish legitimate from malicious activity. Organizations should also account for legitimate applications that rely on user impersonation within the OAuth framework, and respond promptly once a workflow is confirmed malicious.
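To make the logic concrete, the following is an added example (not the rule's own query and not any vendor's code) that applies the same conditions to constructed sign-in events: the static filter (scope, single-factor authentication, AzureAD issuer, unbound session) plus the "not seen in the last 10 days" check against a per-user history. The field names, the 'singleFactorAuthentication' value and the in-memory history store are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs). Field names are assumptions
# chosen for illustration, not any vendor's log schema.
NOW = datetime(2025, 7, 3, 12, 0, 0)
EVENTS = [
    # single-factor, unbound, AzureAD-issued, user_impersonation: candidate
    {"ts": "2025-07-03T10:00:00", "user": "alice@example.test", "scope": "user_impersonation",
     "auth": "singleFactorAuthentication", "issuer": "AzureAD", "bound": False, "app": "Mailer"},
    # MFA was satisfied: excluded by the filter
    {"ts": "2025-07-03T10:05:00", "user": "bob@example.test", "scope": "user_impersonation",
     "auth": "multiFactorAuthentication", "issuer": "AzureAD", "bound": False, "app": "Mailer"},
    # session is bound to a device: excluded by the filter
    {"ts": "2025-07-03T10:06:00", "user": "carol@example.test", "scope": "user_impersonation",
     "auth": "singleFactorAuthentication", "issuer": "AzureAD", "bound": True, "app": "CRM"},
    # passes the filter, but the user produced such a sign-in 3 days ago: not new
    {"ts": "2025-07-03T10:07:00", "user": "dave@example.test", "scope": "user_impersonation",
     "auth": "singleFactorAuthentication", "issuer": "AzureAD", "bound": False, "app": "CRM"},
    # different scope: excluded by the filter
    {"ts": "2025-07-03T10:08:00", "user": "erin@example.test", "scope": "openid",
     "auth": "singleFactorAuthentication", "issuer": "AzureAD", "bound": False, "app": "CRM"},
]
# Constructed history: when each user last produced a sign-in that passed the filter.
LAST_SEEN = {"alice@example.test": NOW - timedelta(days=30),
             "dave@example.test": NOW - timedelta(days=3)}


def matches_filter(e):
    """Static conditions: user_impersonation scope, single factor, AzureAD issuer, unbound."""
    return (e["scope"] == "user_impersonation"
            and e["auth"] == "singleFactorAuthentication"
            and e["issuer"] == "AzureAD"
            and not e["bound"])


def detect(events, last_seen, window_days=10):
    """Return (user, app, ts) for filtered sign-ins whose user has not produced one
    within window_days; the history dict is updated as events are processed."""
    window = timedelta(days=window_days)
    flagged = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if not matches_filter(e):
            continue
        ts = datetime.fromisoformat(e["ts"])
        prev = last_seen.get(e["user"])
        if prev is None or ts - prev > window:
            flagged.append((e["user"], e["app"], e["ts"]))
        last_seen[e["user"]] = ts
    return flagged


if __name__ == "__main__":
    for user, app, ts in detect(EVENTS, dict(LAST_SEEN)):
        print(f"new single-factor user_impersonation sign-in: {user} via {app} at {ts}")
```

Only alice is flagged here: bob, carol and erin fail the static filter, and dave passes it but is not new within the 10-day window.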
Categories
- Cloud
- Identity Management
Data Sources
- User Account
- Cloud Service
- Application Log
ATT&CK Techniques
- T1550
- T1550.001
Created: 2025-07-03