Daily, I receive notifications on suspicious sessions that were detected in our organization. What is concerning is that often some of these accounts were recently created. I have MFA enabled and conditional access, so the suspicious activity in itself is not concerning (they are all denied). What is concerning is how are people (hackers/bots/etc.) getting these accounts and attempting access? Especially accounts that are recently created. There have been times that an account had this notification and was just created within days. In the old days, that would be a flag that a port is open that was allowing access to listing user accounts but in Azure, one would think that is not the case. Is there something I need to tighten up to prevent these?
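One way to turn the pattern described in the question into something measurable, as an added example that is not part of the original post and not Microsoft's or MDCA's own code: correlate the sign-in attempts with account creation dates, separate the attempts that conditional access actually stopped from any that got through, and group attempts by source IP to see whether one source is walking through many account names (spraying or enumeration) or only ever touches a single account (more consistent with a leaked credential). The account names, timestamps, IP addresses and the simplified event shape (`user`, `time`, `ip`, `result`) below are constructed for the example and are not the Entra ID or MDCA log schema; map a real export onto those fields before using it.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed account directory: UPN -> creation time (UTC). Names are invented.
ACCOUNTS = {
    "alice@contoso.example": "2024-03-01T09:00:00Z",
    "bob@contoso.example": "2024-01-15T11:30:00Z",
    "newhire1@contoso.example": "2024-03-28T14:00:00Z",
    "newhire2@contoso.example": "2024-03-29T10:15:00Z",
}

# Constructed sign-in events in a simplified shape. The field names and the
# "result" vocabulary are assumptions for this example, not a real log schema.
SIGNINS = [
    {"user": "newhire1@contoso.example", "time": "2024-03-31T02:10:00Z", "ip": "203.0.113.5", "result": "blocked_by_ca"},
    {"user": "newhire2@contoso.example", "time": "2024-03-31T02:11:00Z", "ip": "203.0.113.5", "result": "blocked_by_ca"},
    {"user": "bob@contoso.example", "time": "2024-03-31T02:12:00Z", "ip": "203.0.113.5", "result": "bad_password"},
    {"user": "newhire2@contoso.example", "time": "2024-03-31T03:40:00Z", "ip": "203.0.113.5", "result": "success"},
    {"user": "alice@contoso.example", "time": "2024-03-31T08:00:00Z", "ip": "198.51.100.20", "result": "success"},
]


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def account_age_days(user: str, at: str, accounts=ACCOUNTS) -> float:
    """Age of the account, in days, at the moment of the sign-in attempt."""
    return (parse_ts(at) - parse_ts(accounts[user])).total_seconds() / 86400.0


def triage(signins=SIGNINS, accounts=ACCOUNTS, max_age_days: float = 7.0) -> dict:
    """Split sign-in events into the three things worth looking at.

    new_account_attempts: attempts against accounts younger than max_age_days
    not_blocked:          those attempts that actually succeeded, i.e. a real
                          incident rather than noise MFA/conditional access absorbed
    spray_sources:        source IPs that touched two or more distinct accounts,
                          which points at spraying/enumeration of account names
                          rather than a leaked credential for one user
    """
    new_account_attempts = []
    users_by_ip = defaultdict(set)
    for ev in signins:
        if ev["user"] not in accounts:
            continue  # unknown principal (deleted account, guest, typo); skip rather than crash
        users_by_ip[ev["ip"]].add(ev["user"])
        if account_age_days(ev["user"], ev["time"], accounts) < max_age_days:
            new_account_attempts.append(ev)
    not_blocked = [ev for ev in new_account_attempts if ev["result"] == "success"]
    spray_sources = sorted(ip for ip, users in users_by_ip.items() if len(users) >= 2)
    return {
        "new_account_attempts": new_account_attempts,
        "not_blocked": not_blocked,
        "spray_sources": spray_sources,
    }


if __name__ == "__main__":
    findings = triage()
    for ev in findings["new_account_attempts"]:
        age = account_age_days(ev["user"], ev["time"])
        print(f"{ev['time']} {ev['user']:<26} age={age:4.1f}d ip={ev['ip']:<14} {ev['result']}")
    print("succeeded on new accounts:", [ev["user"] for ev in findings["not_blocked"]])
    print("sources touching >=2 accounts:", findings["spray_sources"])
```

With the constructed data, the two attempts that conditional access blocked are the noise the question describes, the `success` against `newhire2` is the one event that warrants an incident response, and `203.0.113.5` shows up as a single source trying three different accounts, old and new alike, which is the shape of a spray over guessed names rather than a leak of one specific account.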
I'm afraid that is too broad of a question to be answered in this MDCA product-specific forum. If you need help diagnosing the alerts and what is causing them, you can contact support. Also, if you suspect you may have a compromise, you can also use Microsoft support to help respond to the incident.