1.2 million Azure Active Directory accounts are compromised every month. We must remember that users can still perform high-risk actions in the cloud, and those accounts can easily be compromised with COVID-19 or other phishing scams du jour.
Here are my five top security events to monitor. First, hybrid logins: you want to monitor suspicious, repeat, or mass failed logins in your Azure Active Directory because that may signal a brute force attack. Second, Azure Active Directory user and group changes; this will help you find attackers that are attempting to elevate permissions. Third, Azure Active Directory tenant-level configuration and role changes.
Fourth, mailbox access by non-owner. This is a big one to monitor because of those COVID-19 phishing scams. You want to see if forwarding is set up on a mailbox. You want to see if someone has changed permissions on a mailbox. Number five, monitor for file sharing, especially for files that have been shared externally through SharePoint, through OneDrive, through Teams, because you want to stop sensitive data exposure.
You can find these events and five more in the e-book The Top 10 Security Events to Monitor in Azure Active Directory and Office 365.