Any suspicious activity performed by the user. It could be signing in from different locations, or maybe accessing certain shares after logging in.
We may need to whitelist some service accounts depending on our needs.
Example: In one case, I remember that we were trying to do a migration of your file servers to one drive and this was happening from multiple locations. The user account was genuinely used from Japan from New York, as well as certain locations in Germany that in that case that particular service account that was used to do the migration was whitelisted here, was excluded.
Controls -> Block Access | Allows access (in combination with a password change)Controls -> Block Access | Allow access (in combination with MFA)Controls -> Requires MFA registration (for all users)