diff --git a/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml b/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml
new file mode 100644
index 00000000000..7b84d6d44d2
--- /dev/null
+++ b/rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml
@@ -0,0 +1,30 @@
+title: Azure Login Bypassing Conditional Access Policies
+id: 13f2d3f5-6497-44a7-bf5f-dc13ffafe5dc
+status: experimental
+description: |
+ Identifies a successful login to the Microsoft Intune Company Portal which could allow
+ bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith
+author: Josh Nickels, Marius Rothenbücher
+references:
+ - https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/
+ - https://github.com/JumpsecLabs/TokenSmith
+date: 2025-01-08
+tags:
+ - attack.defense-evasion
+ - attack.t1078
+logsource:
+ service: audit
+ product: m365
+detection:
+ selection_auth:
+ Operation: 'UserLoggedIn'
+ ApplicationId: '9ba1a5c7-f17a-4de9-a1f1-6178c8d51223'
+ ResultStatus: 'Success'
+ RequestType: 'Cmsi:Cmsi'
+ filter_objectid:
+ ObjectId: '0000000a-0000-0000-c000-000000000000' # Microsoft Intune seen when mobile devices are enrolled
+ condition: selection_auth and not filter_objectid
+falsepositives:
+ - Unknown
+level: high
+
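Review bot: `falsepositives: - Unknown` understates what this detection matches: selection_auth is any successful UserLoggedIn to the Company Portal ApplicationId with RequestType 'Cmsi:Cmsi', and only the single Intune ObjectId is filtered, so every interactive Company Portal sign-in that is not part of the enrollment flow produces the same event as the tokensmith case described, which also makes `level: high` hard to justify without tuning guidance. I would list the legitimate case explicitly, e.g. `- Legitimate interactive sign-ins to the Intune Company Portal that are not excluded by the ObjectId filter; tune to the tenant's enrollment workflow`, and consider `level: medium` until field telemetry confirms the hit rate. The ApplicationId on the selection_auth line carries no explanation while the ObjectId filter does; `ApplicationId: '9ba1a5c7-f17a-4de9-a1f1-6178c8d51223' # Microsoft Intune Company Portal` keeps the two consistent, and `RequestType: 'Cmsi:Cmsi'` deserves a similar comment saying why that value is the discriminator, since a reader cannot tell from the rule whether other RequestType values for the same app should also be in scope. The description spells the product both "Intune" and "InTune"; "Intune" is the vendor spelling.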