I hold an EMS E3 license, which includes only Azure AD P1. I am currently monitoring a high volume of risky user reports. Additionally, I have been examining users meeting the following conditions:
Sign-in Status: Success
Conditional Access: Not applied
Authentication: Single factor
My question is, is this the correct approach to identify unfamiliar features?
Furthermore, I'm seeking ways to reduce the frequency of risky user alerts with the existing license, considering that MFA is already enabled for users. Aside from password reset, what measures can I take to mitigate risky user scenarios?