diff --git a/rules/cloud/azure/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml b/rules/cloud/azure/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml
new file mode 100644
index 000000000..d8a495a7d
--- /dev/null
+++ b/rules/cloud/azure/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml
@@ -0,0 +1,24 @@
+title: Suspicious SignIns From A Non Registered Device
+id: 572b12d4-9062-11ed-a1eb-0242ac120002
+status: experimental
+description: Detects risky authencaition from a non AD registered device without MFA being required.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in
+author: Harjot Singh, '@cyb3rjy0t'
+date: 2023/01/10
+tags:
+ - attack.defense_evasion
+ - attack.t1078
+logsource:
+ product: azure
+ service: signinlogs
+detection:
+ selection:
+ Status: 'Success'
+ AuthenticationRequirement: 'singleFactorAuthentication'
+ DeviceDetail.trusttype: ''
+ RiskState: 'atRisk'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
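Review bot: The selection's `DeviceDetail.trusttype: ''` only fires when the property is present with an empty value; if the sign-in record for an unregistered device omits the field or carries a null instead, this rule would never match, so the match should be confirmed against real signinlogs events (and extended to a null match if the backend distinguishes the two). Microsoft's sign-in log schema names this property `trustType` in camelCase, so the lowercase `trusttype` is worth double-checking against the field naming the other azure/signinlogs rules in this repository use, since a case-sensitive backend would silently miss it. The description also has a typo; it should read `description: Detects risky authentication from a non AD registered device without MFA being required.`. For an experimental rule at level high, a short note under `falsepositives` about legitimate BYOD or guest sign-ins flagged by risk scoring would help triage more than `Unknown`.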