Thanks for the reply. What I am really after, and I accept that it is beneficial for the on-prem AD, is if it will really provide any insight for the user base that is joined to Azure AD.

As the users will always be using Azure AD connected workstations with synchronised accounts, the only time they will have any involvement with on-premise Active Directory is when they do the initial logon to workstations and authenticate through ADFS federated authentication. So I am not sure they will have any interaction with on-prem Active Directory to be able to make use of the Azure ATP security events etc., as ATP will only monitor and report against the on-premise AD.

