Previously blocked Azure AD accounts becoming active
This alerts is triggered whenever a previously Azure AD account blocked from sign-ins is unblocked.
MITRE ATT&CK Tactics
1. Disable user account.
2. Complete an investigation in Azure Sentinel to understand any access from impacted user account to other internal network systems.
3. Review log history on SignIns and AzureActivity table to find out the adminsitrator who reactivated the user account