
Summary
The detection rule monitors changes to the OpenID Connect (OIDC) discovery URL in Entra ID's Authentication Methods Policy. Such a change could signify an attempt by attackers to link Entra ID with a malicious identity provider (IdP), which could allow them to bypass multi-factor authentication (MFA) and gain unauthorized access to accounts through bring-your-own IdP (BYOIDP) methods. The rule captures events in which the discovery URL is updated and compares the old and new URLs to identify a potential compromise. When a change is flagged, it enables further investigation into the origin of the action and the nature of the new IdP.
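The comparison the summary describes (take the policy-update event, pull the old and new discovery URL, flag the event only when they differ) is shown below as an added example written for this page; it is not the rule's own query or any vendor code. The audit events are constructed, and the field names (`operation`, `actor`, `modified_properties`, `old_value`, `new_value`) are assumptions standing in for the real audit-log schema. The example also handles one common edge case: audit logs frequently store old and new values as JSON-encoded strings, so the values are decoded before comparison to avoid a false "changed" result caused only by quoting.

```python
import json
from urllib.parse import urlsplit

# Constructed sample audit events. Field names are assumptions for this
# example, not the actual Entra ID audit-log schema.
SAMPLE_EVENTS = [
    {   # same URL written back (no real change): should not alert
        "operation": "Update authentication methods policy",
        "actor": "admin@example.test",
        "modified_properties": [{
            "name": "discoveryUrl",
            "old_value": "\"https://login.microsoftonline.com/common/.well-known/openid-configuration\"",
            "new_value": "https://login.microsoftonline.com/common/.well-known/openid-configuration",
        }],
    },
    {   # discovery URL moved to a different host: should alert
        "operation": "Update authentication methods policy",
        "actor": "admin@example.test",
        "modified_properties": [{
            "name": "discoveryUrl",
            "old_value": "\"https://login.microsoftonline.com/common/.well-known/openid-configuration\"",
            "new_value": "\"https://idp.unknown-provider.example/.well-known/openid-configuration\"",
        }],
    },
    {   # unrelated change: ignored by the rule
        "operation": "Update user",
        "actor": "helpdesk@example.test",
        "modified_properties": [{"name": "displayName", "old_value": "A", "new_value": "B"}],
    },
]


def normalize_value(value):
    """Audit logs often wrap property values as JSON-encoded strings; unwrap them."""
    if not isinstance(value, str):
        return value
    try:
        decoded = json.loads(value)
    except ValueError:
        return value
    return decoded if isinstance(decoded, str) else value


def oidc_discovery_url_changes(events):
    """Return one finding per event in which the OIDC discovery URL actually changed."""
    findings = []
    for event in events:
        if event.get("operation") != "Update authentication methods policy":
            continue
        for prop in event.get("modified_properties", []):
            if prop.get("name") != "discoveryUrl":
                continue
            old = normalize_value(prop.get("old_value"))
            new = normalize_value(prop.get("new_value"))
            if old == new:
                continue  # rewritten with the same value: not a change
            findings.append({
                "actor": event.get("actor"),
                "old_url": old,
                "new_url": new,
                # A new host is the strongest signal that a different IdP was introduced.
                "host_changed": urlsplit(old or "").netloc != urlsplit(new or "").netloc,
            })
    return findings


if __name__ == "__main__":
    for finding in oidc_discovery_url_changes(SAMPLE_EVENTS):
        print(json.dumps(finding, indent=2))
```

Each finding carries the actor and both URLs so the triage step the summary mentions (who made the change, and which IdP the new URL points to) can start from the alert itself; `host_changed` separates a path tweak on the same provider from a switch to a different one.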
Categories
- Cloud
- Identity Management
Data Sources
- Cloud Service
- User Account
- Application Log
- Process
- Network Traffic
ATT&CK Techniques
- T1556
- T1556.009
Created: 2025-07-14