When an account in your organization has been hacked or compromised, you need to take immediate action to prevent a security problem inside your organization.
For instance, when the credentials of an account are compromised, the account can be used to send out bad emails with malware and, even worse, for skimming. This will result in a bad image for your company.
Actions against a compromised account
When an account is compromised, you need to revoke access to it. You can do this with a password reset. What most admins do not know is that this change does not take effect straight away. To speed the process up, the best thing to do is run "Revoke-AzureADUserAllRefreshToken" against the user's account (make sure you have first connected with Connect-AzureAD from the AzureAD module).
Now you can be sure that this account has a new password and that logging in with the compromised credentials is no longer possible.
There is a scenario in which the account can still send emails to others. In that case, the best thing to do is to create a transport rule. The transport rule can prevent the user from sending out malicious emails.
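The three containment steps above, put together as one script. This is an added example, not code from the original post. It assumes the AzureAD and ExchangeOnlineManagement modules are installed, and the user principal name, rule name and rejection text are placeholders.

```powershell
# Added example: contain a compromised account (password reset, token revocation, mail block).
# Assumptions: AzureAD and ExchangeOnlineManagement modules are installed;
# the UPN default, rule name and rejection text are placeholders.
param(
    [string]$UserPrincipalName = 'compromised.user@contoso.example'  # placeholder
)

$ErrorActionPreference = 'Stop'

Connect-AzureAD | Out-Null
Connect-ExchangeOnline -ShowBanner:$false

$user = Get-AzureADUser -ObjectId $UserPrincipalName

# 1. Reset the password to a random value so the stolen one stops working.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plain = [Convert]::ToBase64String($bytes) + 'aA1!'   # suffix guarantees mixed character classes
$newPassword = ConvertTo-SecureString $plain -AsPlainText -Force
Set-AzureADUserPassword -ObjectId $user.ObjectId -Password $newPassword `
    -ForceChangePasswordNextLogin $true
# Hand $plain to the account owner over a trusted channel; do not write it to a log.

# 2. Revoke all refresh tokens so existing sessions cannot be silently renewed.
Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId

# 3. Block mail sent by the account until the mailbox has been cleaned up.
$ruleName = "Block outbound mail - $UserPrincipalName"
if (-not (Get-TransportRule | Where-Object Name -eq $ruleName)) {
    New-TransportRule -Name $ruleName `
        -From $UserPrincipalName `
        -RejectMessageReasonText 'Sending is temporarily disabled for this mailbox.' `
        -Comments 'Containment rule for a compromised account; remove after cleanup.' |
        Out-Null
}

# 4. Verify: the token validity timestamp should now be the time of the revocation.
Get-AzureADUser -ObjectId $user.ObjectId |
    Select-Object UserPrincipalName, RefreshTokensValidFromDateTime
Get-TransportRule | Where-Object Name -eq $ruleName |
    Select-Object Name, State, Priority
```

Remove the transport rule with Remove-TransportRule once the account owner has regained control and the mailbox has been checked.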
There is also a way to prevent most of these dangers: implementing Azure AD Identity Protection.