
Why Sign-In Risk ≠ User Risk (And Why That Matters)
Most people see a “High sign-in risk” alert and assume one thing:
“This user is compromised.” That assumption is frequently wrong, and acting on it leads to poor security decisions.
Let’s clear this up.
Sign-in risk and user risk are different. Treating them as the same can lock out legitimate users or let real attacks go unnoticed.
What Sign-In Risk Actually Means
Sign-in risk is event-based.
It evaluates one specific authentication attempt.
Microsoft evaluates the sign-in in real time and offline against signals such as:
- Atypical (“impossible”) travel between two sign-ins
- Anonymous IP addresses
- Tor or anonymizing proxy usage
- Suspicious token activity (anomalous token issuer, token replay)
- IP addresses linked to malware or known attacker infrastructure (Microsoft Learn, 2023)
The question being asked is:
“Was this login attempt risky?”
A high sign-in risk does not by itself mean the account is compromised.
It means something about this particular login looked unusual compared with the user's history and with known-bad infrastructure.
Example:
- User signs in from hotel Wi-Fi
- Routes through a consumer VPN
- Appears in a country they have never signed in from
- Shows sign-in properties (device, browser, location) Entra has not seen for this user before
Result: High sign-in risk
Reality: Perfectly legitimate user
What User Risk Really Means
User risk is identity-based.
It evaluates the likelihood that the account itself is compromised.
Microsoft raises user risk when it detects signals such as:
- Leaked credentials (the user's password found in a public dump or paste site)
- An administrator confirming the account as compromised
- Repeated risky sign-ins accumulating over time
- Microsoft threat-intelligence hits tying known attacker behavior to this account (Microsoft Learn, 2024)
The question being asked is: “Do we believe this identity has been compromised?”
This is the more serious condition. High user risk should trigger:
- A required password reset (a secure password change, with MFA satisfied first)
- Session revocation, which invalidates the user's refresh tokens
- Immediate investigation of what the account was used for
Why Confusing the Two Causes Real Problems
Overreacting to Sign-In Risk
If you treat every high sign-in risk as a breach:
- Users get locked out constantly
- Users are prompted so often that MFA fatigue sets in, and they start approving prompts without reading them
- Helpdesk tickets explode
- Security teams lose credibility
Underreacting to User Risk
If you ignore user risk:
- Attackers keep valid tokens and sessions after the detection fires
- Password resets are delayed
- Lateral movement continues
- Breaches stay invisible for weeks
Real-World Example
A user:
- Signs in from Canada in the morning
- Signs in from the US in the afternoon
- Uses a corporate VPN
Sign-in risk: High
User risk: Low
Correct response:
- Require MFA
- Allow access if the challenge is passed
- Keep monitoring and stay calm
Now compare that to:
- Credentials for the account found in a breach dump
- The same tokens used from multiple unrelated IP addresses
- Repeated risky sign-ins over several days
User risk: High
Correct response:
- Force a password reset
- Revoke sessions
- Investigate immediately
Same user.
Very different risks.
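The triage logic in the two scenarios above, written out as an added example (this is not code from the original post). It runs offline against constructed records whose field names follow the Microsoft Graph `riskyUsers` and `riskDetections` resources (`riskLevel`, `riskState`, `riskLevelAggregated`, `riskEventType`); the users, dates and IPs are made up, and the action names are this example's own labels, not Entra settings.

```powershell
# Added example (not from the original post). Decides the response for a sign-in by
# keeping the event-level signal (sign-in risk) separate from the identity-level
# signal (user risk and its state). All data below is constructed for illustration.

function Get-RiskResponse {
    param(
        [Parameter(Mandatory)] [string] $SignInRiskLevel,   # none | low | medium | high
        [Parameter(Mandatory)] [string] $UserRiskLevel,     # none | low | medium | high
        [string] $UserRiskState = 'none'                    # none | atRisk | confirmedCompromised | remediated | dismissed | confirmedSafe
    )

    # A closed user-risk case (remediated, dismissed, confirmed safe) no longer counts.
    if ($UserRiskState -in @('remediated', 'dismissed', 'confirmedSafe')) { $UserRiskLevel = 'none' }

    # Identity-level risk wins: a passed MFA prompt does not fix a compromised account.
    if ($UserRiskState -eq 'confirmedCompromised' -or $UserRiskLevel -eq 'high') {
        return [pscustomobject]@{ Action = 'ResetPassword+RevokeSessions+Investigate'
                                  Reason = "user risk $UserRiskLevel, state $UserRiskState" }
    }

    # Event-level risk only: challenge, let a passed challenge through, keep watching.
    switch ($SignInRiskLevel) {
        'high'   { return [pscustomobject]@{ Action = 'RequireMfa+Monitor'; Reason = 'sign-in risk high, identity not at risk' } }
        'medium' { return [pscustomobject]@{ Action = 'RequireMfa';         Reason = 'sign-in risk medium' } }
        default  { return [pscustomobject]@{ Action = 'Allow';              Reason = 'no elevated risk' } }
    }
}

# Constructed sample data in the shape Graph returns (not real tenant data).
$riskyUsers = @(
    [pscustomobject]@{ userPrincipalName = 'alex@contoso.example';  riskLevel = 'low';  riskState = 'atRisk' }
    [pscustomobject]@{ userPrincipalName = 'dana@contoso.example';  riskLevel = 'high'; riskState = 'atRisk' }
    [pscustomobject]@{ userPrincipalName = 'sam@contoso.example';   riskLevel = 'none'; riskState = 'remediated' }
)
$riskDetections = @(
    [pscustomobject]@{ userPrincipalName = 'alex@contoso.example'; riskEventType = 'unlikelyTravel';    riskLevel = 'high'; ipAddress = '203.0.113.10'; detectedDateTime = '2024-05-02T08:10:00Z' }
    [pscustomobject]@{ userPrincipalName = 'alex@contoso.example'; riskEventType = 'anonymizedIPAddress'; riskLevel = 'medium'; ipAddress = '198.51.100.7'; detectedDateTime = '2024-05-02T14:32:00Z' }
    [pscustomobject]@{ userPrincipalName = 'dana@contoso.example'; riskEventType = 'leakedCredentials'; riskLevel = 'high'; ipAddress = $null; detectedDateTime = '2024-05-01T23:00:00Z' }
    [pscustomobject]@{ userPrincipalName = 'sam@contoso.example';  riskEventType = 'unfamiliarFeatures'; riskLevel = 'medium'; ipAddress = '192.0.2.44'; detectedDateTime = '2024-05-02T09:05:00Z' }
)

$order = @{ none = 0; low = 1; medium = 2; high = 3 }
foreach ($u in $riskyUsers) {
    # Aggregate the user's sign-in detections to the highest level seen, as the
    # riskLevelAggregated field on a risky sign-in would.
    $events = $riskDetections | Where-Object userPrincipalName -eq $u.userPrincipalName
    $signInRisk = ($events | Sort-Object { $order[$_.riskLevel] } -Descending | Select-Object -First 1).riskLevel
    if (-not $signInRisk) { $signInRisk = 'none' }

    $decision = Get-RiskResponse -SignInRiskLevel $signInRisk -UserRiskLevel $u.riskLevel -UserRiskState $u.riskState
    [pscustomobject]@{
        User       = $u.userPrincipalName
        SignInRisk = $signInRisk
        UserRisk   = $u.riskLevel
        Detections = ($events.riskEventType -join ',')
        Action     = $decision.Action
        Reason     = $decision.Reason
    }
}
```

Run as a script: alex gets `RequireMfa+Monitor` (high sign-in risk, low user risk), dana gets `ResetPassword+RevokeSessions+Investigate` (leaked credentials drove user risk to high), and sam gets `RequireMfa` because the earlier user-risk case was remediated and only a medium sign-in detection remains. In a real tenant the two arrays would come from `Get-MgRiskyUser` and `Get-MgRiskDetection` (Microsoft.Graph.Identity.SignIns); the decision function itself is unchanged.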
How This Impacts Conditional Access Design
This is where most environments go wrong.
Bad design:
- Block sign-ins outright on sign-in risk alone
- Force a password reset on every risky login
Better design:
- Sign-in risk → MFA or step-up authentication, in a policy scoped to medium and high sign-in risk
- User risk → secure password change plus session revocation, in a separate policy scoped to high user risk
Microsoft designed these signals to be consumed by two different policies that work together, not as substitutes for each other.
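The two-policy design above, expressed as Conditional Access policies created through the Microsoft Graph PowerShell SDK. This is an added example and not the author's own configuration; it assumes the Microsoft.Graph.Identity.SignIns module is installed, that the signed-in account holds the Policy.ReadWrite.ConditionalAccess permission, and that `$BreakGlassGroupId` is replaced with the object ID of your emergency-access group (the value below is a placeholder). Both policies are created in report-only mode so their effect can be reviewed in the sign-in logs before enforcement.

```powershell
# Added example (not from the original post): one policy per risk signal, created
# with New-MgIdentityConditionalAccessPolicy from the Microsoft Graph PowerShell SDK.
# Assumes Microsoft.Graph.Identity.SignIns is installed and the caller is delegated
# Policy.ReadWrite.ConditionalAccess. $BreakGlassGroupId is a placeholder to replace.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: emergency-access accounts group

# Policy 1: sign-in risk is event-level, so the response is a step-up challenge only.
$signInRiskPolicy = @{
    displayName   = 'CA - Sign-in risk medium/high - require MFA'
    state         = 'enabledForReportingButNotEnforced'     # report-only first, enforce after review
    conditions    = @{
        users            = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications     = @{ includeApplications = @('All') }
        signInRiskLevels = @('medium', 'high')
        userRiskLevels   = @()
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Policy 2: user risk is identity-level, so the response is a secure password change.
# Graph requires passwordChange to be paired with mfa under an AND operator, so the
# user proves possession of a second factor before the password is changed. Sign-in
# frequency "every time" makes existing sessions re-evaluate instead of coasting on
# cached tokens.
$userRiskPolicy = @{
    displayName     = 'CA - User risk high - require password change'
    state           = 'enabledForReportingButNotEnforced'
    conditions      = @{
        users            = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications     = @{ includeApplications = @('All') }
        signInRiskLevels = @()
        userRiskLevels   = @('high')
    }
    grantControls   = @{ operator = 'AND'; builtInControls = @('mfa', 'passwordChange') }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = 'everyTime'
            authenticationType = 'primaryAndSecondaryAuthentication'
        }
    }
}

foreach ($policy in @($signInRiskPolicy, $userRiskPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    '{0}  ->  id {1}  state {2}' -f $created.DisplayName, $created.Id, $created.State
}
```

Two checks worth running after creation: confirm the break-glass group is excluded from both policies (`Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id | Select-Object -ExpandProperty Conditions`), and leave the policies in report-only until the sign-in logs show the user-risk policy firing only for accounts whose risk is genuinely identity-level. Flipping `state` to `enabled` is the only change needed to enforce.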
The Key Takeaway
Sign-in risk answers:
“Was this login suspicious?”
User risk answers:
“Is this identity compromised?”
If you don’t understand the difference, you’ll either:
- Lock out good users, or
- Let real attackers stay logged in
Neither is acceptable.
Final Thought
Most breaches today do not start with a password failure.
They start with misinterpreted signals (Microsoft Learn, 2026).
Understanding risk signals properly is what separates noisy security from effective security.
Written by Jaspreet Singh
Author @ ITBlogs.ca
Engineering labs & identity security research @ f11.ca
References
Microsoft Learn. (2023). What are risk detections? Microsoft Entra ID Protection. https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks
Microsoft Learn. (2024). What are risk detections? Microsoft Entra ID Protection. https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks
Microsoft Learn. (2026). Alert classification for password spray attacks. Microsoft Defender XDR. https://learn.microsoft.com/en-us/defender-xdr/alert-classification-password-spray-attack