This alert identifies attempts by Azure AD users to log in using disabled accounts.
MITRE ATT&CK Tactics
Azure Sign-in Logs
SaaS applications remote connections
1. Investigate the account history in Azure AD
2. Investigate the source IP (remote connection) and validate it against malicious IP addresses (threat intelligence list)
3. Consider blocking the source IP address of the remote connection
4. Perform an investigation in Azure Sentinel to understand whether the same entities are involved in other malicious requests across your Azure environment (entities: IP address, account)
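
A sketch of the triage in steps 2 and 4, added here as an example and not part of the original alert definition: it filters sign-in records for result code 50057 (Azure AD's "user account is disabled" error), groups them by source IP, and marks IPs found on a threat intelligence list. Field names follow the Sentinel `SigninLogs` table; the sample records, the threat list and the function name `triage_disabled_signins` are constructed assumptions.

```python
from collections import defaultdict

# AADSTS50057: sign-in rejected because the user account is disabled.
DISABLED_ACCOUNT = "50057"

# Constructed sample records using SigninLogs column names (not real data).
SAMPLE_SIGNINS = [
    {"TimeGenerated": "2024-05-01T08:00:12Z", "UserPrincipalName": "alice@example.com",
     "IPAddress": "203.0.113.10", "ResultType": "50057", "AppDisplayName": "Office 365"},
    {"TimeGenerated": "2024-05-01T08:00:40Z", "UserPrincipalName": "bob@example.com",
     "IPAddress": "203.0.113.10", "ResultType": "50057", "AppDisplayName": "Office 365"},
    {"TimeGenerated": "2024-05-01T08:03:05Z", "UserPrincipalName": "carol@example.com",
     "IPAddress": "198.51.100.7", "ResultType": "0", "AppDisplayName": "Azure Portal"},
    {"TimeGenerated": "2024-05-01T09:15:00Z", "UserPrincipalName": "alice@example.com",
     "IPAddress": "192.0.2.44", "ResultType": "50057", "AppDisplayName": "Salesforce"},
    {"TimeGenerated": "2024-05-01T09:16:30Z", "UserPrincipalName": "dave@example.com",
     "IPAddress": "203.0.113.10", "ResultType": "50126", "AppDisplayName": "Office 365"},
]

# Constructed threat-intelligence list (documentation address range).
SAMPLE_THREAT_IPS = {"203.0.113.10"}


def triage_disabled_signins(signins, threat_ips):
    """Group disabled-account sign-in attempts by source IP, riskiest first."""
    by_ip = defaultdict(lambda: {"accounts": set(), "apps": set(), "attempts": 0})
    for event in signins:
        # ResultType may arrive as int or str depending on the export path.
        if str(event.get("ResultType")) != DISABLED_ACCOUNT:
            continue
        ip = event.get("IPAddress") or "unknown"
        entry = by_ip[ip]
        entry["accounts"].add(event.get("UserPrincipalName", "").lower())
        entry["apps"].add(event.get("AppDisplayName", ""))
        entry["attempts"] += 1

    findings = [
        {"ip": ip, "attempts": e["attempts"], "accounts": sorted(e["accounts"]),
         "apps": sorted(e["apps"]), "on_threat_list": ip in threat_ips}
        for ip, e in by_ip.items()
    ]
    # Threat-listed IPs first, then IPs that touched the most distinct accounts.
    findings.sort(key=lambda f: (not f["on_threat_list"], -len(f["accounts"]), f["ip"]))
    return findings


if __name__ == "__main__":
    for finding in triage_disabled_signins(SAMPLE_SIGNINS, SAMPLE_THREAT_IPS):
        print(finding)
```

One IP trying several disabled accounts suggests credential testing from a single source, while one disabled account tried from several IPs points back to step 1 and that account's history.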