X1000 Azure Accounts Fresh.txt -

Use the built-in security reports in Microsoft Entra ID Protection to identify anomalies:

Azure identity & access security best practices - Microsoft Learn x1000 Azure accounts fresh.txt

Force a password reset for any account suspected of exposure. Do not reuse old passwords, and ensure the new ones meet strong complexity requirements. Use the built-in security reports in Microsoft Entra

Once immediate threats are mitigated, follow this guide to perform a deep-dive investigation: especially those with high privileges.

Immediately revoke existing refresh tokens and active sessions for the affected users to prevent attackers from maintaining access via stolen tokens.

99% of identity-based attacks can be stopped by enabling MFA. Use Microsoft Entra ID to require MFA for all users, especially those with high privileges.