Daily, I receive notifications on suspicious sessions that were detected in our organization. What is concerning is that often some of these accounts were recently created. I have MFA enabled and conditional access, so the suspicious activity of itself is not concerning (they are all denied). What is concerning is how people (hackers/bots/etc.) are getting these accounts and attempting access, especially accounts that are recently created. There have been times that an account had this notification and was just created within days. In the old days, that would be a flag that a port is open that was allowing access to listing user accounts, but in Azure, one would think that is not the case. Is there something I need to tighten up to prevent these?