Hi Kathy,
1) Azure Bastion has various metrics that are available by default.
https://learn.microsoft.com/en-us/azure/bastion/howto-metrics-monitor-alert#about-metrics
Additionally, diagnostic logging can be enabled for audit logs, and the data can be sent to things like a Storage Account/Log workspace. https://learn.microsoft.com/en-us/azure/bastion/diagnostic-logs
2) The Azure AD PIM feature, which allows just-in-time/time-bound privileged role management, could potentially help.
(This feature requires an AAD P2 license.)
https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
3) Azure roles can be assigned to on-prem AD groups (synced to AAD). If you mean "Azure AD roles", those can't be assigned to AD groups, only to AAD groups as you mentioned (and I don't think it allows an on-prem AD group as a member of such a group enabled for role assignment). As per this announcement, which is a year old, we will add the feature in the future.
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/assigning-groups-to-azure-ad-roles-is-now-in-public-preview/ba-p/1257372
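As an added illustration of points 1 and 3 above (example commands, not part of the original reply or of Microsoft's documentation): the first function creates a diagnostic setting that sends the Bastion audit log category to a Log Analytics workspace, and the second assigns an Azure RBAC role to a group object (for instance an on-prem AD group synced to AAD). All resource IDs, names and the group object ID are placeholders; the `AZ` variable exists so the commands can be dry-run with `AZ=echo` before being executed for real.

```shell
#!/bin/sh
# Added example: Bastion audit logging to a workspace, and Azure RBAC role
# assignment to a group. Resource IDs below are placeholders (assumptions),
# replace them with your own. Set AZ=echo to print the commands instead of
# running them.
set -eu

AZ="${AZ:-az}"

# Placeholder resource IDs (subscription GUID is all zeros on purpose).
SUB_ID="${SUB_ID:-00000000-0000-0000-0000-000000000000}"
BASTION_ID="${BASTION_ID:-/subscriptions/$SUB_ID/resourceGroups/rg-hub/providers/Microsoft.Network/bastionHosts/bas-hub}"
WORKSPACE_ID="${WORKSPACE_ID:-/subscriptions/$SUB_ID/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/law-sec}"

# Point 1: send the BastionAuditLogs category (session audit records) to the
# Log Analytics workspace via a diagnostic setting on the Bastion host.
enable_bastion_audit_logs() {
  "$AZ" monitor diagnostic-settings create \
    --name "bastion-audit-to-law" \
    --resource "$BASTION_ID" \
    --workspace "$WORKSPACE_ID" \
    --logs '[{"category":"BastionAuditLogs","enabled":true}]'
}

# Point 3: assign an Azure (RBAC) role to a group object at a given scope.
# Passing --assignee-principal-type Group avoids a Graph lookup and works for
# synced on-prem AD groups the same way as for cloud-only AAD groups.
# Usage: assign_role_to_group <group-object-id> <role-name> <scope>
assign_role_to_group() {
  group_object_id="$1"
  role="$2"
  scope="$3"
  "$AZ" role assignment create \
    --assignee-object-id "$group_object_id" \
    --assignee-principal-type Group \
    --role "$role" \
    --scope "$scope"
}
```

Scoping the role assignment to the Bastion resource group (or a narrower scope) rather than the subscription keeps the synced group's access limited to what the operators actually need; the diagnostic setting is what makes the resulting Bastion sessions visible in the workspace for later review.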