
Azure AD User Consent Blocked for Risky Application

Splunk Security Content

Summary
This rule detects instances where Azure Active Directory (Azure AD) has prevented a user from granting consent to a potentially malicious application. Using Azure AD audit logs, it focuses on user consent actions that resulted in a failure and specifically looks for cases where the consent was blocked because the application was marked as 'risky'. The underlying analytics query processes data from the `azure_monitor_aad` source type and extracts the relevant details of each blocked consent attempt, including the reason for the block and the permissions the application requested. Monitoring these blocked attempts supports early threat detection: they indicate that users may be targeted, or that malicious activity is attempting to gain unauthorized access to organizational data. If an application is confirmed as malicious, the detection serves as a warning for security teams to investigate and mitigate the risk to the organization.
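As an added illustration of the detection logic described above (example code written here, not the Splunk Security Content search itself), the following Python script applies the same three conditions to Azure AD audit events: the operation is a consent to an application, the result is a failure, and the result reason says the application was flagged as risky. It then pulls out the block reason and the permissions the application requested. The event field names (`operationName`, `properties.result`, `properties.resultReason`, `properties.targetResources[].modifiedProperties[]` with a `ConsentAction.Permissions` entry carrying `ClaimValue:` tokens) are assumptions modelled on Azure AD audit-log JSON, and the sample events are constructed for this example, not real tenant data.

```python
import json
import re

# Substring the filter looks for in the block reason (assumption, see lead-in).
RISKY_HINT = "risky"

# Constructed sample events (not real data); field layout is assumed.
SAMPLE_EVENTS = [
    # 1: consent blocked because Azure AD flagged the app as risky -> should match
    json.dumps({
        "operationName": "Consent to application",
        "properties": {
            "result": "failure",
            "resultReason": "Consent was blocked because the application was flagged as risky",
            "initiatedBy": {"user": {"userPrincipalName": "alice@example.test"}},
            "targetResources": [{
                "displayName": "Mailbox Sync Helper (constructed)",
                "modifiedProperties": [{
                    "displayName": "ConsentAction.Permissions",
                    "newValue": "[] => [[Id: 00000000-0000-0000-0000-000000000001, "
                                "ClaimValue: Mail.ReadWrite], [Id: 00000000-0000-0000-"
                                "0000-000000000002, ClaimValue: Files.ReadWrite.All]]",
                }],
            }],
        },
    }),
    # 2: consent that succeeded -> no match (result is not a failure)
    json.dumps({
        "operationName": "Consent to application",
        "properties": {"result": "success", "resultReason": "",
                       "initiatedBy": {"user": {"userPrincipalName": "bob@example.test"}},
                       "targetResources": [{"displayName": "Approved App (constructed)"}]},
    }),
    # 3: consent that failed for an unrelated reason -> no match
    json.dumps({
        "operationName": "Consent to application",
        "properties": {"result": "failure", "resultReason": "Admin consent is required",
                       "initiatedBy": {"user": {"userPrincipalName": "carol@example.test"}},
                       "targetResources": [{"displayName": "Needs Admin (constructed)"}]},
    }),
    # 4: unrelated operation -> no match
    json.dumps({"operationName": "Add user", "properties": {"result": "success"}}),
]


def parse_event(line):
    """Parse one JSON audit event; raises json.JSONDecodeError on bad input."""
    return json.loads(line)


def is_blocked_risky_consent(event):
    """True when a user consent attempt failed and the reason mentions a risky app."""
    props = event.get("properties", {})
    return (
        event.get("operationName") == "Consent to application"
        and props.get("result", "").lower() == "failure"
        and RISKY_HINT in props.get("resultReason", "").lower()
    )


def requested_permissions(event):
    """Collect the ClaimValue tokens of the permissions the app asked for."""
    perms = []
    for resource in event.get("properties", {}).get("targetResources", []):
        for prop in resource.get("modifiedProperties", []):
            if prop.get("displayName") == "ConsentAction.Permissions":
                perms.extend(re.findall(r"ClaimValue:\s*([\w.]+)", prop.get("newValue", "")))
    return perms


def summarize(event):
    """Reduce a matching event to the fields an analyst needs to triage it."""
    props = event.get("properties", {})
    targets = props.get("targetResources", [])
    return {
        "user": props.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown"),
        "app": targets[0].get("displayName", "unknown") if targets else "unknown",
        "reason": props.get("resultReason", ""),
        "permissions": requested_permissions(event),
    }


def find_blocked_risky_consents(lines):
    """Run the filter over raw JSON lines, skipping lines that are not valid JSON."""
    hits = []
    for line in lines:
        try:
            event = parse_event(line)
        except json.JSONDecodeError:
            continue
        if is_blocked_risky_consent(event):
            hits.append(summarize(event))
    return hits


if __name__ == "__main__":
    for hit in find_blocked_risky_consents(SAMPLE_EVENTS):
        print(json.dumps(hit, indent=2))
```

Only the first sample event survives the filter; the successful consent, the failure for an unrelated reason, and the non-consent operation are dropped, which mirrors the narrowing the rule performs before it surfaces the block reason and requested permissions for triage.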
Categories
  • Azure
  • Identity Management
  • Cloud
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1528
Created: 2024-11-14