Azure Directory Monitor
On your endpoint devices, the Suspicious Event Monitor and Active Directory Monitor can provide early warning of attempts to compromise your devices by alerting you to attempts to create new accounts, access existing accounts, or increase the permissions of existing accounts. The Azure Directory Monitor app provides similar protection for your cloud-based activity. This app pulls the Azure Active Directory events for all your customers and displays the same kind of information in aggregate, so you can see all your clients at once.
What to Look At in Results
If you are looking at an app result for this app, you will see a lot of data. First, look at what activity was performed and whether it succeeded. An activity like "Update device" is bound to happen in any real workplace. But a string of failed attempts to update devices means something is wrong: either a malicious actor is trying to change settings without the proper credentials, or you have just been shown a misconfiguration that would have cost a lot had you not noticed it.
Secondly, if there is a Target Resources section, look at what values were changed, and what they were changed to (i.e. "New Value").
When to Be Scared
MSPs have different clients, and each operates with a slightly different definition of "normal". It may be that you work with a temp agency where accounts are constantly being created and deleted. On the other hand, you may work with a series of dentists' offices who never hire anyone new. In general, repeated failures on user-account operations can be a sign that someone who really shouldn't is trying to change things.
Keep track of which accounts are being changed. Any change to an admin account, or any account gaining privileges, should be something you recognize; if you don't, there could be a problem.
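The two checks described above (a run of failures for one activity, and any change that touches an admin account or grants privileges) can be expressed as a small triage script. The following is an added example, not code from the app or its vendor: it reads Azure Active Directory audit records using the field names of the Microsoft Graph directoryAudit schema (activityDisplayName, result, initiatedBy, targetResources, modifiedProperties), which is an assumption about the export format; the log it runs over is constructed sample data, and the privileged-role list and admin watch list are hypothetical values you would replace per client.

```python
"""Triage of Azure Active Directory audit records (added example; field names
follow the Microsoft Graph directoryAudit schema, sample log is constructed)."""
import json
from collections import Counter

# Assumption: role names this example treats as privileged.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "User Administrator", "Exchange Administrator"}
# Assumption: hypothetical per-client watch list of known admin accounts.
ADMIN_ACCOUNTS = {"admin@contoso.example"}

# Constructed sample audit log: one routine success, a run of failures from a
# service account, a privileged role grant, and a password reset on an admin.
SAMPLE_AUDIT_LOG = json.dumps(
    [{"activityDisplayName": "Update device", "result": "success",
      "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
      "targetResources": [{"type": "Device", "displayName": "LAPTOP-01",
                           "modifiedProperties": []}]}]
    + [{"activityDisplayName": "Update device", "result": "failure",
        "initiatedBy": {"user": {"userPrincipalName": "svc-legacy@contoso.example"}},
        "targetResources": [{"type": "Device", "displayName": f"LAPTOP-0{n}",
                             "modifiedProperties": []}]} for n in range(2, 6)]
    + [{"activityDisplayName": "Add member to role", "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
        "targetResources": [{"type": "User", "userPrincipalName": "mallory@contoso.example",
                             "displayName": "Mallory", "modifiedProperties": [
                                 {"displayName": "Role.DisplayName", "oldValue": None,
                                  "newValue": "\"Global Administrator\""}]}]},
       {"activityDisplayName": "Reset user password", "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
        "targetResources": [{"type": "User", "userPrincipalName": "admin@contoso.example",
                             "displayName": "Admin", "modifiedProperties": []}]}])


def decode_value(raw):
    """Graph audit logs store oldValue/newValue as JSON-encoded strings
    (e.g. '"Global Administrator"' or '["A","B"]'); decode defensively."""
    if raw is None:
        return None
    try:
        return json.loads(raw)
    except (TypeError, ValueError):
        return raw


def initiator_of(record):
    """Return the UPN (or app name) that performed the activity."""
    who = record.get("initiatedBy") or {}
    actor = who.get("user") or who.get("app") or {}
    return actor.get("userPrincipalName") or actor.get("displayName") or "unknown"


def repeated_failures(records, threshold=3):
    """Group failed activities by (initiator, activity) and report runs that
    reach the threshold: the 'string of failures' the text warns about."""
    counts = Counter((initiator_of(r), r.get("activityDisplayName"))
                     for r in records if r.get("result") == "failure")
    return [{"initiator": who, "activity": act, "failures": n}
            for (who, act), n in counts.most_common() if n >= threshold]


def privilege_changes(records):
    """Flag any change to a watch-listed admin account and any New Value that
    grants a privileged role, regardless of whether it is a one-off."""
    findings = []
    for r in records:
        for target in r.get("targetResources") or []:
            upn = target.get("userPrincipalName")
            if upn in ADMIN_ACCOUNTS:
                findings.append({"initiator": initiator_of(r),
                                 "activity": r.get("activityDisplayName"),
                                 "target": upn, "reason": "change to admin account"})
            for prop in target.get("modifiedProperties") or []:
                if prop.get("displayName") != "Role.DisplayName":
                    continue
                new = decode_value(prop.get("newValue"))
                roles = new if isinstance(new, list) else [new]
                granted = sorted(PRIVILEGED_ROLES.intersection(str(x) for x in roles))
                if granted:
                    findings.append({"initiator": initiator_of(r),
                                     "activity": r.get("activityDisplayName"),
                                     "target": upn or target.get("displayName"),
                                     "reason": "privileged role granted",
                                     "roles": granted})
    return findings


def triage(audit_log_json, threshold=3):
    """Run both checks over a JSON array of audit records."""
    records = json.loads(audit_log_json)
    return {"repeated_failures": repeated_failures(records, threshold),
            "privilege_changes": privilege_changes(records)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_AUDIT_LOG), indent=2))
```

On the sample data, Alice's single successful "Update device" is ignored, the four failures from the service account are reported as one run, and both the Global Administrator grant and the password reset on the watch-listed admin are flagged even though each succeeded exactly once. The threshold is the knob you tune per client: a temp agency will tolerate a higher number than a dentist's office.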
When to Not Be Scared
This app monitors directory events, and any operating business will generate some. Just because you have 20 app results on the first day does not mean you are under attack.
Look at the results: if they were simply known employees using their Microsoft Office accounts, you don't need to worry.