One thing I've bugged our Microsoft representation for is a setting to allow tenant admins to set policies to notify end users when rare security events happen - i.e. someone added an MFA token to their account.  Not sure the right place to do this - via email or via Authenticator, but you could also capture the user response (i.e. click "do not recognize if you did not perform this action").  I can't think of other events that you'd want to do this with other than perhaps really egregious impossible travel events.