Flag logins by irregular/distant IP?

There are some useful https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-azure-portal available for Office 365 customers, as well as more detailed information for those customers with Azure AD Premium. 

I am in an E3 tenant with no add-ons and I get these reports - 

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-security-risky-sign-ins - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.  Known IP address ranges can be added to define which locations are trusted. 

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-security-user-at-risk - A risky user is an indicator for a user account that might have been compromised. 

These reports should flag suspicious logins like what you have described. For Azure AD Premium customers, there are more options like a https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection#user-risk-security-policy which can block access for example.