Entra ID Register Device with Unusual User Agent (Azure AD Join)

Elastic Detection Rules

Summary
Detects successful Microsoft Entra ID (Azure AD) device registration events that indicate an Azure AD join but carry a userAgent string that does not match the common native provisioning clients (Dsreg, DeviceRegistrationClient, or Dalvik-based enrollment). Legitimate Windows and mobile enrollment typically uses predictable user agents; an unexpected client can indicate scripted enrollment, third-party tooling, or adversary-driven device registration used for persistence or token abuse. The rule queries the azure.auditlogs dataset, focusing on the Register device event whose detail indicates an Azure AD join, and excludes the well-known enrollment clients. It surfaces context for investigation (initiating user, source IP, device name, correlation id) and maps to MITRE ATT&CK persistence technique T1098.005 (Device Registration).

The rule supports tuning by baselining the provisioning tools and enrollment clients in use in the environment, and recommends responses ranging from credential/token revocation and device removal to tightening Conditional Access and device compliance controls. Investigation focuses on validating user intent, correlating with risk signals in sign-in logs, and checking for other Register device events from the same IP or userAgent across the tenant. The rule is designed to reduce noise from legitimate enrollments while identifying potentially malicious or unauthenticated device registration activity.
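The filter and the investigation pivot described above, as an added Python example that is not the Elastic rule's own query (the real rule is written against Elastic's nested azure.auditlogs ECS mapping). The flat field names (operation_name, result, join_type, user_agent, and so on), the function names and the sample records are assumptions constructed for this example.

```python
import re
from collections import Counter

# Assumed, flat field names for an Entra ID audit record; Elastic's real
# azure.auditlogs documents use a nested ECS mapping. For the example only.
KNOWN_ENROLLMENT_CLIENTS = re.compile(
    r"Dsreg|DeviceRegistrationClient|Dalvik", re.IGNORECASE)

def is_unusual_aad_join(record: dict) -> bool:
    """Mirror the rule's filter: a successful 'Register device' audit event
    whose join detail is an Azure AD join and whose userAgent matches none of
    the native provisioning clients. A missing or empty userAgent is treated
    as unusual, since it matches no expected client either."""
    if record.get("operation_name") != "Register device":
        return False
    if record.get("result") != "success":
        return False
    if "Azure AD join" not in (record.get("join_type") or ""):
        return False
    return not KNOWN_ENROLLMENT_CLIENTS.search(record.get("user_agent") or "")

def find_unusual_aad_joins(records: list[dict]) -> list[dict]:
    """Return the investigation context the rule surfaces for each match."""
    keys = ("initiated_by_user", "source_ip", "device_name", "user_agent",
            "correlation_id")
    return [{k: r.get(k, "") for k in keys}
            for r in records if is_unusual_aad_join(r)]

def repeated_sources(alerts: list[dict]) -> Counter:
    """Count matches per (source IP, userAgent) pair, the pivot the rule's
    investigation guidance suggests for spotting bulk scripted enrollment."""
    return Counter((a["source_ip"], a["user_agent"]) for a in alerts)

# Constructed sample records (not real tenant data); the helper only builds
# the dict shape assumed above.
def _rec(user, ip, device, ua, result="success", join="Azure AD join"):
    return {"operation_name": "Register device", "result": result,
            "join_type": join, "user_agent": ua, "initiated_by_user": user,
            "source_ip": ip, "device_name": device, "correlation_id": "c-" + device}

SAMPLE_RECORDS = [
    _rec("alice@example.com", "203.0.113.10", "ALICE-LAPTOP", "Dsreg/10.0 (Windows 10.0.19045)"),
    _rec("bob@example.com", "198.51.100.7", "VM-01", "python-requests/2.31.0"),
    _rec("carol@example.com", "198.51.100.7", "VM-02", "python-requests/2.31.0"),
    _rec("dave@example.com", "192.0.2.5", "VM-03", "curl/8.4.0", result="failure"),
    _rec("erin@example.com", "203.0.113.44", "PIXEL-7", "Dalvik/2.1.0 (Linux; Android 13)"),
    _rec("frank@example.com", "203.0.113.9", "FRANK-PC", "curl/8.4.0", join="Azure AD registered"),
    _rec("grace@example.com", "198.51.100.22", "GRACE-PC", ""),
]
```

Only bob, carol and grace survive the filter: the failed registration, the Dsreg and Dalvik clients, and the Azure AD registered (not joined) device are all excluded, and the two python-requests joins from the same IP stand out in the pivot.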
Categories
  • Cloud
  • Azure
  • Identity Management
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1098
  • T1098.005
Created: 2026-05-15