Start by tapping into Office 365 Audit Logs. Flip on unified audit logging, and send those logs straight to your SIEM or log analytics platform. Craft an alert for "User signed in to mailbox" with a previously blocked account as your target. This signals that a once-restricted account is now in action.
Now, shift gears to Azure Active Directory Sign-In Logs. Stream these logs to your SIEM or analytics platform and set up an alert for any sign-in attempts from a previously blocked account. A fresh sign-in event points to the block being lifted.
For some automation finesse, consider Power Automate. Set up a flow on a schedule, keeping an eye on the BlockCredential status of those high-risk accounts. If there's a shift from True to False, trigger an email or Teams alert to keep administrators in the loop.
Remember, the key here is comparing the current state with a known blocked state to catch any changes. And don't forget to log and alert on admin actions, like unblocking an account
