When recently overviewed two key items in Microsoft 365 user (IAM) security: PIM and Conditional Access. Another big part of AAD is the monitoring and response of Risky Users via Azure Active Directory Identity Protection.
Identity Protection comes with AAD P2, ties in with Conditional Access and other Azure services. It monitors and reacts to suspected risks in real time.
Identity Protection is feature rich and has many features and configuration settings (as does PIM and Conditional Access). It takes a bit of time to understand it so start with the basics and get working. As you know more continue to use more of the features and you will see its value more and more.
Study it a bit, make a test plan then enable it with a trial P2 and tie it into your Conditional Access. Let it run your own account and see when happens, you will be surprised.
If you setup MFA with Conditional Access you will have setup a pretty robust security model in less than a days work and for about $9/month per secured account.
Azure Active Directory is feature rich but we find many people are not coming to close to fully using it. It can help greatly improve your Cloud Security with out inconveniencing your users if done right.