diff --git a/rules/azure/initial_access_azure_active_directory_high_risk_signin.toml b/rules/azure/initial_access_azure_active_directory_high_risk_signin.toml
new file mode 100644
index 000000000..e30928ef5
--- /dev/null
+++ b/rules/azure/initial_access_azure_active_directory_high_risk_signin.toml
@@ -0,0 +1,50 @@
+[metadata]
+creation_date = "2021/01/04"
+maturity = "production"
+updated_date = "2021/01/04"
+
+[rule]
+author = ["Elastic", "Willem D'Haese"]
+description = """
+Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft's Identity Protection machine learning
+and heuristics. Identity Protection categorizes risk into three tiers: low, medium, and high. While Microsoft does not
+provide specific details about how risk is calculated, each level brings higher confidence that the user or sign-in is
+compromised.
+"""
+from = "now-25m"
+index = ["filebeat-*", "logs-azure.*"]
+language = "kuery"
+license = "Elastic License"
+name = "Azure Active Directory High Risk Sign-in"
+note = "The Azure Fleet Integration or Filebeat module must be enabled to use this rule."
+references = [
+    "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk",
+    "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection",
+    "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk",
+]
+risk_score = 73
+rule_id = "37994bca-0611-4500-ab67-5588afe73b77"
+severity = "high"
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
+type = "query"
+
+query = '''
+event.dataset:azure.signinlogs and
+  azure.signinlogs.properties.risk_level_during_signin:high and
+  event.outcome:(success or Success)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+