Windows Azure PowerShell Module Installation Via PowerShell Script

Splunk Security Content

Summary
This anomaly detection identifies the installation of Azure AD and cloud-management PowerShell modules through Windows PowerShell Script Block Logging (Event ID 4104). It scans ScriptBlockText for Install-Module commands targeting Azure AD-related modules (AADInternals, AzureAD, MSOnline, Az.Resources). These modules grant extensive access to Azure Active Directory objects, user accounts, service principals, and tenant configurations, making them high-value tooling for adversaries conducting reconnaissance, privilege escalation, or persistence after compromise. The rule relies on endpoint telemetry ingested by EDR agents and normalized to the CIM Endpoint data model. It aggregates key fields (Computer, EventID, ScriptBlockText, etc.) to surface suspicious module installation activity and correlates the results with the Splunk content framework. Known false positives arise from administrators installing these modules for legitimate Azure management tasks; filtering by user role, time of day, and approved change windows is recommended. Drilldown searches enable per-user and per-destination inspection and risk assessment over the last 7 days, with an initial risk score (dest assigned a baseline risk of 50) to trigger deeper review. The detection maps to ATT&CK techniques related to credential access, privilege escalation, and account discovery, and is designed to prompt security operators to inspect potential post-compromise activity around Azure identities and access.
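The matching logic described above, as an added Python example (not the rule's own SPL or any Splunk code) run over constructed 4104 events: the regex, the event dictionaries and the per-Computer grouping are assumptions made for illustration, and the module list is the one the summary names.

```python
import re
from collections import defaultdict
from typing import Optional

# Azure AD / cloud-management modules named by the detection summary.
TARGET_MODULES = ("AADInternals", "AzureAD", "MSOnline", "Az.Resources")

# Hypothetical regex approximating the rule's Install-Module check: matches
# "Install-Module AzureAD" or "Install-Module -Name 'AzureAD'", case-insensitive,
# with the module name in any later argument position.
_INSTALL_RE = re.compile(
    r"Install-Module\b.*?\b(" + "|".join(re.escape(m) for m in TARGET_MODULES) + r")\b",
    re.IGNORECASE,
)

def is_azure_module_install(script_block_text: str) -> Optional[str]:
    """Return the matched module name if the block installs a target module, else None."""
    m = _INSTALL_RE.search(script_block_text)
    return m.group(1) if m else None

def find_suspicious_installs(events):
    """Keep only Event ID 4104 records whose ScriptBlockText installs a target module,
    grouped per Computer as the rule aggregates them.
    events: iterable of dicts with EventID, Computer, UserID, ScriptBlockText.
    Returns {computer: [(user, module, script_block_text), ...]}."""
    hits = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 4104:  # only script block logging events
            continue
        module = is_azure_module_install(ev.get("ScriptBlockText", ""))
        if module:
            hits[ev["Computer"]].append((ev.get("UserID"), module, ev["ScriptBlockText"]))
    return dict(hits)

# Constructed sample events for the demo (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "WS01", "UserID": "alice", "ScriptBlockText": "Install-Module -Name AzureAD -Force"},
    {"EventID": 4104, "Computer": "WS01", "UserID": "alice", "ScriptBlockText": "install-module 'MSOnline' -Scope CurrentUser"},
    {"EventID": 4104, "Computer": "WS02", "UserID": "bob", "ScriptBlockText": "Install-Module Pester"},
    {"EventID": 4104, "Computer": "WS02", "UserID": "bob", "ScriptBlockText": "Get-Module -ListAvailable AzureAD"},
    {"EventID": 4103, "Computer": "WS03", "UserID": "carol", "ScriptBlockText": "Install-Module AADInternals"},
    {"EventID": 4104, "Computer": "WS03", "UserID": "carol", "ScriptBlockText": "Install-Module -Name Az.Resources -RequiredVersion 6.0.0"},
]

if __name__ == "__main__":
    for computer, rows in find_suspicious_installs(SAMPLE_EVENTS).items():
        for user, module, text in rows:
            print(f"{computer} {user} {module}: {text}")
```

Note that a plain Get-Module listing and an unrelated Install-Module are not flagged, and the 4103 record is skipped even though its text would otherwise match, which mirrors the rule's reliance on 4104 script block events only.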
Categories
  • Windows
  • Endpoint
Data Sources
  • Script
ATT&CK Techniques
  • T1078
  • T1021.007
  • T1136.003
  • T1098
  • T1069.003
Created: 2026-04-13