Azure
Sentinel's detection rules for Azure:
https://github.com/Azure/Azure-Sentinel/tree/master/Detections/AzureActivity
https://github.com/Azure/Azure-Sentinel/tree/master/Detections/AzureAppServices
https://github.com/Azure/Azure-Sentinel/tree/master/Detections/AzureDevOpsAuditing
https://github.com/Azure/Azure-Sentinel/tree/master/Detections/AzureDiagnostics
https://github.com/Azure/Azure-Sentinel/tree/master/Detections/AzureFirewall
"How to Detect Azure Active Directory Backdoors"
https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html
A very good practice is to detect any use of break-glass (emergency access) accounts:
https://docs.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access