diff --git a/rules/cloud/azure/azure_account_lockout.yml b/rules/cloud/azure/azure_account_lockout.yml
new file mode 100644
index 000000000..c2abe63cd
--- /dev/null
+++ b/rules/cloud/azure/azure_account_lockout.yml
@@ -0,0 +1,20 @@
+title: Account Lockout
+id: 2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a
+status: experimental
+author: AlertIQ
+date: 2021/10/10
+description: Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
+logsource:
+ service: azure.signinlogs
+detection:
+ selection:
+ ResultType: 50053
+ condition: selection
+level: medium
+falsepositives:
+ - Unknown
+tags:
+ - attack.credential_access
+ - attack.t1110
diff --git a/rules/cloud/azure/azure_change_to_authentication_method.yml b/rules/cloud/azure/azure_change_to_authentication_method.yml
new file mode 100644
index 000000000..a6d43f7dc
--- /dev/null
+++ b/rules/cloud/azure/azure_change_to_authentication_method.yml
@@ -0,0 +1,21 @@
+title: Change to Authentication Method
+id: 4d78a000-ab52-4564-88a5-7ab5242b20c7
+status: experimental
+author: AlertIQ
+date: 2021/10/10
+description: Change to authentication method could be an indicated of an attacker adding an auth method to the account so they can have continued access.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
+logsource:
+ service: azure.auditlogs
+detection:
+ selection:
+ LoggedByService: 'Authentication Methods'
+ Category: 'UserManagement'
+ OperationName: 'User registered security info'
+ condition: selection
+level: medium
+falsepositives:
+ - Unknown
+tags:
+ - attack.credential_access
diff --git a/rules/cloud/azure/azure_login_to_disabled_account.yml b/rules/cloud/azure/azure_login_to_disabled_account.yml
new file mode 100644
index 000000000..48a1b501b
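Review bot: `ResultType: 50053` in the selection is an unquoted YAML integer, while ResultType in the Azure sign-in log schema is, as far as I know, a string field; depending on the backend the converted query may end up comparing a string column against a number, so `ResultType: '50053'` is the safer spelling, and the same applies to 50057, 50074/500121 and 53003 in the other four rules of this commit. The description covers only the lockout meaning of 50053, but I believe the AADSTS reference also lists that code for sign-ins blocked from an IP address with malicious activity, which is worth stating in the description so analysts do not assume a password-guessing lockout every time. `falsepositives: - Unknown` undersells the obvious case: a lockout also fires on legitimate users repeatedly mistyping a password, which is the main reason medium is the right ceiling for the level.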
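Review bot: The description has a typo, `could be an indicated of` should read `could be an indication of`. The selection matches only `OperationName: 'User registered security info'`; the sibling audit operations for deleting or changing security info (if the tenant records them under the same LoggedByService, which I cannot confirm from here) are the other half of the "attacker adds an auth method" story and might belong in this rule or a companion one. The tag set carries only `attack.credential_access`, yet the description describes keeping access rather than obtaining it, so `attack.persistence` and `attack.t1098` (Account Manipulation) would describe the intent more accurately. Since self-service registration of a method is routine, `falsepositives` should name that rather than `Unknown`.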
--- /dev/null
+++ b/rules/cloud/azure/azure_login_to_disabled_account.yml
@@ -0,0 +1,21 @@
+title: Login to Disabled Account
+id: 908655e0-25cf-4ae1-b775-1c8ce9cf43d8
+status: experimental
+author: AlertIQ
+date: 2021/10/10
+description: Detect failed attempts to sign in to disabled accounts.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
+logsource:
+ service: azure.signinlogs
+detection:
+ selection:
+ ResultType: 50057
+ ResultDescription: 'User account is disabled. The account has been disabled by an administrator.'
+ condition: selection
+level: medium
+falsepositives:
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1078
diff --git a/rules/cloud/azure/azure_mfa_interrupted.yml b/rules/cloud/azure/azure_mfa_interrupted.yml
new file mode 100644
index 000000000..22d5e37cb
--- /dev/null
+++ b/rules/cloud/azure/azure_mfa_interrupted.yml
@@ -0,0 +1,24 @@
+title: Multifactor Authentication Interupted
+id: 5496ff55-42ec-4369-81cb-00f417029e25
+status: experimental
+author: AlertIQ
+date: 2021/10/10
+description: Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
+logsource:
+ service: azure.signinlogs
+detection:
+ selection:
+ ResultType: 50074
+ ResultDescription|contains: 'Strong Auth required'
+ selection1:
+ ResultType: 500121
+ ResultDescription|contains: 'Authentication failed during strong authentication request'
+ condition: selection or selection1
+level: medium
+falsepositives:
+ - Unknown
+tags:
+ - attack.initial_access
+ - attack.t1078.004
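Review bot: The selection ANDs `ResultType: 50057` with an exact-match `ResultDescription: 'User account is disabled. The account has been disabled by an administrator.'`, so any wording change on Microsoft's side, down to the trailing period, silently turns the rule off, while the numeric code already identifies the condition on its own. I would drop the description line or relax it to `ResultDescription|contains: 'disabled'`; the same coupling to message text, in `|contains` form, appears in azure_mfa_interrupted.yml where the codes 50074 and 500121 likewise suffice. `falsepositives: - Unknown` could name the expected benign source, namely users, stale scripts and cached mobile clients still trying to sign in after an account was deliberately disabled.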
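Review bot: The title misspells `Interupted`; it should read `Multifactor Authentication Interrupted`. More substantively, `ResultType: 50074` is, if I read the AADSTS reference correctly, the code written for every sign-in that is interrupted to ask for MFA, including the ones the user then completes successfully, so the first selection alone will match routine MFA prompts at volume; only `500121` describes an actual failure at the MFA step. Either restrict the condition to `selection1`, or document the expected noise in `falsepositives` instead of `Unknown` and consider lowering the level. The tags list only the initial_access pair; since the description is about an attacker who already holds the password, `attack.credential_access` alongside it would match the other rules in this set.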
diff --git a/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml b/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml
new file mode 100644
index 000000000..9dff5f2da
--- /dev/null
+++ b/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml
@@ -0,0 +1,20 @@
+title: User Access Blocked by Azure Conditional Access
+id: 9a60e676-26ac-44c3-814b-0c2a8b977adf
+status: experimental
+author: AlertIQ
+date: 2021/10/10
+description: Detect access has been blocked by Conditional Access policies. The access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
+logsource:
+ service: azure.signinlogs
+detection:
+ selection:
+ ResultType: 53003
+ condition: selection
+level: medium
+falsepositives:
+ - Unknown
+tags:
+ - attack.credential_access
+ - attack.t1110
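Review bot: The description contains garbled text, `sights≈ of unauthorizeed login` should read `signs of unauthorized login`, and `Detect access has been blocked` reads better as `Detects access that has been blocked`. The tags `attack.credential_access` / `attack.t1110` (Brute Force) do not match what 53003 records: in my understanding Conditional Access is evaluated only after the credential check succeeds, so a block is a sign-in with valid credentials that failed a policy, which is closer to `attack.initial_access` / `attack.t1078` as used in azure_login_to_disabled_account.yml. Because any legitimate user on a non-compliant device or from an unexpected location hits 53003 as well, `falsepositives` should say so instead of `Unknown`.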