@rp Thanks for reaching out. With a large set of work that AAD does, tracking sign-in usage of end users is one of them. While many of them can be normal and expected due to multiple services login in short time, if you think that there is some malicious entry of sign in attempt or something which does not match the pattern, you should investigate it more closely with the help of end user.
We do provide Sign-In reports which captures multiple information regarding a particular sign in like :
The sign-in date
The related user
The application the user has signed in to
The sign-in status
The status of the risk detection
As a precaution to allow only verified users, MFA can be enabled to increase the security. Followed by changing passwords for end user in order to mitigate any further risk, if found compromised. If you need any more help, please let us know.
-----------------------------------------------------------------------------------------------------------------
If the suggested response helped you resolve your issue, do click on "Mark as Answer" and "Up-Vote" for the answer that helped you for benefit of the community.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 73%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 0%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVM%3C/text%3E%3C/svg%3E)