One of my favorite reasons for using Azure Active Directory (AAD), the same piece of technological wonder which powers the dictionary of usernames and passwords from your Office365 tenant is the Risky Sign-Ins feature.
Basically, by checking login locations and originating IP Addresses for all your directory’s users throughout the world and reverse geocode them to physical addresses in [near?]-real-time, AAD is capable of notifying you when a user’s set of credentials is being used in a potentially fraudulent manner.
Take a look at this example: because I’ve signed in at 10:21PM from Iasi, Romania and 7 minutes later from Dublin (you all know where Dublin is), which are over 3.000 km apart, AAD has auto-magically sent all the notifications which I’ve agreed to, in order to let me know that someone is using my credentials somewhere too far away for it to be a legitimate login; see the ‘Impossible travel to atypical locations‘ blade title? That pretty much says it all.
Truth be told, this is a forced example where I’ve used a secure VPN connection vs. a hotel’s WiFi connection (yikes!) using a directory external user (m**********@outlook.com).
However, if you’re an AAD Premium edition user, you also get aggregated information about the risk event type. This gives you the option of configuring the user risk remediation policy (linked here), which might include the option of resetting the user’s password out-of-the-box. How cool is that?
If you want to learn more, head over to https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-security-risky-sign-ins.