Entra ID: Sign-in vs User Risk Explained

Key insights

• Microsoft Entra ID Protection is a cloud identity‑protection service that feeds risk signals into Conditional Access.
  It detects threats and enables automated responses like MFA or password resets to protect accounts.
• Sign-In Risk evaluates a single authentication attempt for suspicious signals (impossible travel, anonymous IPs, unfamiliar device, leaked credentials).
  Configure sign‑in risk to require MFA or block access in real time for risky sign‑ins.
• User Risk measures the likelihood an account is compromised by aggregating multiple signals over time (repeated risky sign‑ins, dark‑web leaks, malware).
  Use user risk policies to force password reset or require remediation before full access resumes.
• Conditional Access policies must target the right risk type: sign‑in policies act per session, user‑risk policies act on the account level.
  Mixing or misconfiguring them can either leave security gaps or lock out many users.
• Risk scores use low/medium/high tiers.
  Admins should review "Risky sign‑ins" and "Risky users" reports, dismiss false positives, and set thresholds (Microsoft recommends medium/high) to balance security and usability.
• Licensing note: Microsoft Entra ID P2 is required for all risk‑based Conditional Access features (included in E5 or E3 + Entra ID P2 add‑on); this is not covered by Business Premium.
  Also plan to move away from legacy Identity Protection blades before their retirement in October 2026.

Keywords

sign-in risk vs user risk, azure ad sign-in risk, azure ad user risk, identity protection sign-in risk, conditional access user risk, sign-in risk remediation, user risk remediation, difference between sign-in and user risk for admins