diff --git a/rules/cloud/azure/azure_app_appid_uri_changes.yml b/rules/cloud/azure/azure_app_appid_uri_changes.yml
new file mode 100644
index 000000000..1a765db8c
--- /dev/null
+++ b/rules/cloud/azure/azure_app_appid_uri_changes.yml
@@ -0,0 +1,24 @@
+title: Application AppID Uri Configuration Changes
+id: 1b45b0d1-773f-4f23-aedc-814b759563b1
+description: Detects when a configuration change is made to an applications AppID URI. 
+author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
+date: 2022/06/02
+references:
+  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed
+logsource:
+  product: azure
+  service: auditlogs
+detection:
+  selection:
+    properties.message: 
+      - Update Application
+      - Update Service principal
+  condition: selection
+falsepositives:
+  - When and administrator is making legitmate AppID URI configuration changes to an application. This should be a planned event.
+level: high
+status: experimental
+tags: 
+  - attack.t1528
+  - attack.persistence
+  - attack.credential_access