Azure identity & access security best practices - Microsoft Learn
Immediately revoke existing refresh tokens and active sessions for the affected users to prevent attackers from maintaining access via stolen tokens.
Look for logins from unusual geographic locations or anonymous IP addresses.