Description
Rule Suspicious Entra ID OAuth User Impersonation Scope Detected (9563dace-5822-11f0-b1d3-f661ea17fbcd) needs to be tuned to ignore FPs generated by first-party clients. These clients are commonly observed using OAuth tokens with user_impersonation scopes for OBO workflows. Additionally, we need to ignore when conditional access policies (CAPs) are successfully applied and the auth is successful. This suggests that additional requirements and auth enforcements were applied to the sign-in and all necessary requirements were fulfilled (less likely to be stolen creds but susceptible to AiTM). We can ignore PKeyAuth/1.0 FPs as well. This is likely OAuth auth requests performed by MSAL and assumes the PKeyAuth challenge is completed and handled fine between the client and Entra ID (IdP), common for registered/compliant devices. Ignoring mobile here as well with `Ios*` and `Android`, as these are specific to mobile auth, likely for dedicated mobile apps such as M365, Office, etc.

Additionally, adding investigation fields and adjusting the name of the rule. Telemetry-wise, tunings should reduce overall FP volume by 88% (based on 30 day analysis) but still capture TeamFiltration signals.
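The four exclusions described above, applied to a handful of constructed sign-in events, as an added worked example (this is not the rule's own query and not code from the detection-rules project). The field names (`app_id`, `conditional_access_status`, `user_agent`, `operating_system`, `scope`, `result`), the first-party app-id set and every event below are assumptions built for illustration; the example also reports what fraction of user_impersonation sign-ins the tunings suppress, which the PR text only states as a headline number.

```python
"""Apply the PR's four FP exclusions to constructed Entra ID sign-in events.

Assumed (illustrative) event layout, one dict per sign-in:
  id, app_id, scope, conditional_access_status, result, user_agent, operating_system
"""

# Constructed placeholder ids standing in for the first-party clients that
# legitimately perform OBO flows with user_impersonation scopes.
FIRST_PARTY_APP_IDS = {
    "00000000-0000-0000-0000-0000000000f1",
    "00000000-0000-0000-0000-0000000000f2",
}

# Device OS values treated as mobile auth (Ios* and Android in the PR text).
MOBILE_OS_PREFIXES = ("Ios", "Android")


def requests_user_impersonation(event: dict) -> bool:
    """Base condition of the rule: the token carries a user_impersonation scope."""
    return "user_impersonation" in event.get("scope", "").split()


def is_tuned_out(event: dict) -> bool:
    """True when one of the four exclusions from the PR description applies."""
    # 1. First-party clients performing on-behalf-of workflows.
    if event.get("app_id") in FIRST_PARTY_APP_IDS:
        return True
    # 2. A conditional access policy was applied AND the sign-in succeeded.
    #    A CAP that was applied but an auth that failed is still interesting.
    if (event.get("conditional_access_status") == "success"
            and event.get("result") == "success"):
        return True
    # 3. PKeyAuth/1.0 challenge flows (MSAL on registered/compliant devices).
    if event.get("user_agent", "").startswith("PKeyAuth/1.0"):
        return True
    # 4. Dedicated mobile apps.
    if event.get("operating_system", "").startswith(MOBILE_OS_PREFIXES):
        return True
    return False


def flag_events(events: list[dict]) -> list[str]:
    """Return ids of sign-ins that still alert after tuning."""
    return [e["id"] for e in events
            if requests_user_impersonation(e) and not is_tuned_out(e)]


def suppression_ratio(events: list[dict]) -> float:
    """Fraction of user_impersonation sign-ins removed by the tunings (0.0 if none)."""
    matched = [e for e in events if requests_user_impersonation(e)]
    if not matched:
        return 0.0
    suppressed = sum(1 for e in matched if is_tuned_out(e))
    return suppressed / len(matched)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Third-party client, no CAP applied, desktop browser: should still alert.
    {"id": "e1", "app_id": "11111111-aaaa-bbbb-cccc-000000000001",
     "scope": "user_impersonation", "conditional_access_status": "notApplied",
     "result": "success", "user_agent": "Mozilla/5.0", "operating_system": "Windows"},
    # First-party client doing OBO: exclusion 1.
    {"id": "e2", "app_id": "00000000-0000-0000-0000-0000000000f1",
     "scope": "user_impersonation", "conditional_access_status": "notApplied",
     "result": "success", "user_agent": "Mozilla/5.0", "operating_system": "Windows"},
    # CAP applied and sign-in succeeded: exclusion 2.
    {"id": "e3", "app_id": "11111111-aaaa-bbbb-cccc-000000000002",
     "scope": "user_impersonation", "conditional_access_status": "success",
     "result": "success", "user_agent": "Mozilla/5.0", "operating_system": "Windows"},
    # PKeyAuth challenge flow: exclusion 3.
    {"id": "e4", "app_id": "11111111-aaaa-bbbb-cccc-000000000003",
     "scope": "user_impersonation", "conditional_access_status": "notApplied",
     "result": "success", "user_agent": "PKeyAuth/1.0", "operating_system": "Windows"},
    # Mobile OS: exclusion 4.
    {"id": "e5", "app_id": "11111111-aaaa-bbbb-cccc-000000000004",
     "scope": "user_impersonation", "conditional_access_status": "notApplied",
     "result": "success", "user_agent": "Mozilla/5.0", "operating_system": "Ios"},
    # No user_impersonation scope at all: never matched the rule.
    {"id": "e6", "app_id": "11111111-aaaa-bbbb-cccc-000000000005",
     "scope": "openid profile", "conditional_access_status": "notApplied",
     "result": "success", "user_agent": "Mozilla/5.0", "operating_system": "Windows"},
    # CAP applied but the sign-in failed: exclusion 2 does NOT apply, still alerts.
    {"id": "e7", "app_id": "11111111-aaaa-bbbb-cccc-000000000006",
     "scope": "user_impersonation", "conditional_access_status": "success",
     "result": "failure", "user_agent": "Mozilla/5.0", "operating_system": "Windows"},
]

if __name__ == "__main__":
    print("still alerting:", flag_events(SAMPLE_EVENTS))
    print(f"suppressed: {suppression_ratio(SAMPLE_EVENTS):.0%} of matched sign-ins")
```

The CAP exclusion is deliberately conjunctive: a policy that was evaluated but whose sign-in then failed (e7) keeps alerting, which is the behaviour the description asks for, since only "applied and successful" is treated as evidence that the extra enforcement was satisfied.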