
Use of Legacy Authentication Protocols

Sigma Rules

Summary
This detection rule alerts on the use of legacy authentication protocols by any account in an Azure environment. Legacy protocols such as IMAP, POP3, MAPI, SMTP and Exchange ActiveSync do not support modern authentication, so multi-factor authentication cannot be enforced on them, which makes them a preferred target for password-spray and credential-stuffing attacks against user accounts. The rule examines Azure AD sign-in logs and matches entries whose client application is one of these non-modern protocols; each such sign-in raises an alert, because it marks either an account that still relies on an insecure protocol or an attacker using one to sidestep MFA. The detection condition is simple: the event must be a sign-in, the client application must be a known legacy client, and the user principal name (UPN) is recorded so the affected account can be followed up. The objective is to surface, and ultimately eliminate, remaining use of insecure authentication methods.
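The following is an added example of the rule's logic run over constructed sign-in records; it is not the Sigma rule's own code or a Microsoft artifact. It assumes the Microsoft Graph signIn field names `clientAppUsed`, `userPrincipalName`, `ipAddress` and `status.errorCode`, and a `category` field of `SignInLogs` to separate sign-ins from other log types. The set of legacy client labels, including "Other clients" (which Azure uses for most basic-auth traffic), is an assumption to confirm against your own tenant's sign-in log values.

```python
"""Legacy authentication detection over sample Azure AD sign-in records.

Added illustration, not the Sigma rule's own code.  Field names follow the
Microsoft Graph signIn resource (assumed); the record set is constructed.
"""

from dataclasses import dataclass

# clientAppUsed values treated as legacy (non-modern) protocols.  These
# labels are an assumption based on Azure sign-in log conventions; verify
# against your tenant.  "Other clients" is included because Azure reports
# most basic-auth traffic under that label.
LEGACY_CLIENT_APPS = frozenset({
    "exchange activesync",
    "imap4",
    "pop3",
    "authenticated smtp",
    "mapi over http",
    "exchange web services",
    "other clients",
})


@dataclass(frozen=True)
class Alert:
    upn: str
    client_app: str
    ip: str
    status: int


def is_legacy_client(client_app):
    """True if the clientAppUsed value names a legacy protocol.

    Matching is case-insensitive and ignores surrounding whitespace; a
    missing or empty value is never treated as legacy.
    """
    if not client_app:
        return False
    return client_app.strip().lower() in LEGACY_CLIENT_APPS


def detect_legacy_signins(records):
    """Apply the rule to an iterable of log records (dicts).

    Only SignInLogs events are considered; other categories and records
    without clientAppUsed are skipped.  Returns one Alert per matching
    sign-in, carrying the UPN so the account can be followed up.
    """
    alerts = []
    for rec in records:
        if rec.get("category") != "SignInLogs":
            continue
        app = rec.get("clientAppUsed")
        if is_legacy_client(app):
            alerts.append(Alert(
                upn=rec.get("userPrincipalName", "<unknown>"),
                client_app=app,
                ip=rec.get("ipAddress", "<unknown>"),
                status=rec.get("status", {}).get("errorCode", -1),
            ))
    return alerts


# Constructed sample records (not real log data).
SAMPLE_RECORDS = [
    {"category": "SignInLogs", "userPrincipalName": "alice@example.com",
     "clientAppUsed": "Browser", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 0}},
    {"category": "SignInLogs", "userPrincipalName": "bob@example.com",
     "clientAppUsed": "IMAP4", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 50126}},          # failed password attempt
    {"category": "SignInLogs", "userPrincipalName": "carol@example.com",
     "clientAppUsed": "Exchange ActiveSync", "ipAddress": "192.0.2.44",
     "status": {"errorCode": 0}},              # successful legacy sign-in
    {"category": "AuditLogs", "userPrincipalName": "dave@example.com",
     "clientAppUsed": "POP3"},                 # not a sign-in: ignored
    {"category": "SignInLogs", "userPrincipalName": "erin@example.com",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "ipAddress": "203.0.113.22", "status": {"errorCode": 0}},
    {"category": "SignInLogs", "userPrincipalName": "frank@example.com",
     "clientAppUsed": " other clients ",       # odd spacing still matches
     "ipAddress": "198.51.100.9", "status": {"errorCode": 0}},
]


if __name__ == "__main__":
    for a in detect_legacy_signins(SAMPLE_RECORDS):
        print(f"ALERT legacy auth: {a.upn} via {a.client_app.strip()} "
              f"from {a.ip} (status {a.status})")
```

Note that both the failed IMAP4 attempt and the successful ActiveSync sign-in alert: a failure is still evidence that the protocol is reachable and being tried, which is exactly what a password-spray against a legacy endpoint looks like. Triage should check the status code and source IP per alert rather than filtering failures out.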
Categories
  • Cloud
  • Azure
Data Sources
  • User Account
  • Logon Session
  • Application Log
Created: 2022-06-17