CloudCapsule Blog

New Risk Remediation Settings in Conditional Access

Written by Nick Ross | Jan 19, 2026 4:35:52 PM

 

Imagine this scenario.

Your CFO signs into Microsoft 365 from Denver.
Two minutes later, there is another successful login. This time it is from Eastern Europe.

No VPN.
No approved travel.
No reasonable explanation.

That is impossible travel, and it is one of the strongest indicators that the account has been compromised.

What makes this more concerning is not just the attack itself. In most organizations this activity would not be noticed for hours or even days, and during that window the attacker can already be reading email and pulling data out of SharePoint, Teams, and other sensitive systems.

With risk-based access policies in Microsoft Entra ID, a sign-in that Entra scores as high risk is blocked at authentication, before the attacker opens a single file, even though they hold the user's real credentials. Two caveats apply. Only detections Microsoft evaluates in real time (anonymous IP address and unfamiliar sign-in properties, for example) can stop the sign-in that triggered them; atypical travel is an offline detection, so it raises the risk on the account and is enforced at the next policy evaluation rather than on the sign-in itself. And a Conditional Access policy does not by itself tear down a session that is already established; for that you rely on continuous access evaluation, which revokes tokens for CAE-capable services such as Exchange Online and SharePoint Online when user risk goes high, or on an explicit session revocation.

In this post, we will walk through how Entra detects risky activities, how Microsoft assigns risk, what is new with risk remediation in Conditional Access, and how to implement these protections in your tenant.

 

How Entra Detects Risky Sign-Ins

Microsoft processes billions of sign-ins across all tenants every day. That global telemetry feeds machine learning models designed to identify risky behavior such as sign-ins from known malicious IP addresses, anonymous networks, suspicious devices, and unusual geographic patterns.

At the tenant level, Entra builds a behavioral profile for each user: their typical sign-in locations, the devices they normally use, the browsers they prefer, and their historical activity patterns.

When a sign-in deviates from that baseline, Entra evaluates the event and assigns a risk level.

Not every unfamiliar sign-in is malicious. A user signing in from Boise eight hours after signing in from Denver could easily be legitimate and may be classified as low risk. A user signing in from Tokyo minutes after signing in from Colorado cannot physically have made the trip, and that sign-in is classified as high risk.

Microsoft does not publish the exact scoring logic behind these determinations. This is intentional. Revealing the calculation methods would make it easier for attackers to bypass the system.
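To make the physical-possibility test concrete, here is an added illustration in Python. It is not Entra's own detection code (Microsoft does not publish that): it walks constructed sign-in events for one user, computes the ground speed the user would have needed between consecutive sign-ins, and labels each one. The speed ceiling, the "familiar location" baseline standing in for the per-user profile, the risk labels and the sample log are all assumptions chosen to reproduce the Denver/Boise and Colorado/Tokyo cases above and the Denver/Eastern Europe case from the introduction.

```python
"""Impossible-travel scoring over constructed sign-in events (added example,
not Microsoft's detection logic; thresholds and labels are assumptions)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Assumed ceiling for legitimate ground speed between two sign-ins (km/h);
# no commercial flight sustains more than this.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0
# Assumed radius within which two sign-ins count as "the same place" (km).
SAME_PLACE_KM = 50.0


@dataclass(frozen=True)
class SignIn:
    user: str
    at: datetime      # UTC timestamp from the sign-in log
    lat: float
    lon: float
    city: str         # geolocated city as the sign-in log shows it


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two coordinates in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def assess_pair(prev: SignIn, cur: SignIn, familiar: set[str]) -> tuple[str, float]:
    """Label the second of two consecutive sign-ins as none / low / high.

    Returns (label, implied_speed_kmh). The speed needed to cover the distance
    is the physical-possibility test; the familiar-city set stands in for the
    behavioural baseline Entra builds per user.
    """
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.at - prev.at).total_seconds() / 3600.0
    if dist <= SAME_PLACE_KM:
        return "none", 0.0
    # Same-second or out-of-order events from different places: infinite speed.
    speed = dist / hours if hours > 0 else float("inf")
    if speed > MAX_PLAUSIBLE_SPEED_KMH:
        return "high", speed      # physically impossible (Denver -> Tokyo in minutes)
    if cur.city in familiar:
        return "none", speed      # reachable and already part of the user's baseline
    return "low", speed           # reachable but unfamiliar (Denver -> Boise in 8 h)


def assess_user(events: list[SignIn], familiar: set[str]) -> list[tuple[str, str, float]]:
    """Walk one user's sign-ins in time order and label every transition."""
    ordered = sorted(events, key=lambda e: e.at)
    return [(cur.city, *assess_pair(prev, cur, familiar))
            for prev, cur in zip(ordered, ordered[1:])]


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample sign-in logs (not real telemetry). Denver stands in for
# "Colorado" in the text; Warsaw stands in for "Eastern Europe".
U = "cfo@example.com"
DENVER = (39.74, -104.99)
SCENARIOS: dict[str, list[SignIn]] = {
    "cfo_compromised": [SignIn(U, ts("2026-01-19T14:00:00"), *DENVER, "Denver"),
                        SignIn(U, ts("2026-01-19T14:02:00"), 52.23, 21.01, "Warsaw")],
    "road_trip":       [SignIn(U, ts("2026-01-19T06:00:00"), *DENVER, "Denver"),
                        SignIn(U, ts("2026-01-19T14:00:00"), 43.62, -116.21, "Boise"),
                        SignIn(U, ts("2026-01-19T18:00:00"), 43.60, -116.20, "Boise")],
    "tokyo":           [SignIn(U, ts("2026-01-19T14:00:00"), *DENVER, "Denver"),
                        SignIn(U, ts("2026-01-19T14:05:00"), 35.68, 139.69, "Tokyo")],
}
FAMILIAR = {"Denver"}   # assumed baseline: the CFO normally signs in from Denver


def demo() -> dict[str, list[tuple[str, str, float]]]:
    return {name: assess_user(events, FAMILIAR) for name, events in SCENARIOS.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        for city, label, speed in findings:
            print(f"{name:16s} {city:7s} risk={label:5s} implied speed={speed:,.0f} km/h")
```

The Boise leg comes out low rather than high only because 1,000 km in eight hours is drivable; add Boise to the familiar set and the same sign-in drops to no risk, which is the effect a real behavioural baseline has. Note that this is after-the-fact scoring over logged events, the same position an offline detection like atypical travel is in.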

User Risk Versus Sign-In Risk

Entra evaluates identity risk in two ways.

Sign-in risk scores an individual authentication attempt. Examples include atypical travel, sign-ins from known malicious infrastructure, and anonymous proxy usage.

User risk estimates whether the account itself is compromised, based on detections correlated over time, including offline ones such as the user's credentials turning up in a leaked credential dump.

Both risk types integrate directly with Conditional Access, so the platform can act automatically without waiting on alerts, tickets, or a manual investigation. Because they are separate policy conditions, a complete deployment has one policy for sign-in risk and one for user risk.

Licensing Considerations

Risk-based access policies require Microsoft Entra ID Protection, which is licensed through Microsoft Entra ID P2. P2 is included in Microsoft 365 E5 and is also available to Business Premium tenants through the Microsoft Defender Suite add-on.

For many small and mid-sized organizations, the Defender Suite add-on is significantly more cost effective than moving to E5. It is often an easier conversation during renewal cycles or after a security incident.

Implementing Risk-Based Access in Conditional Access

Once licensed, configuration happens in Microsoft Entra ID under Conditional Access.

Microsoft provides policy templates, but many organizations prefer to build custom policies for clarity and control.

A recommended starting point is a policy that blocks high-risk sign-ins: assign it to all users except your emergency access (break-glass) accounts, target all cloud apps, set the sign-in risk condition to High, and set the access control to Block. Create it in report-only mode first and watch the sign-in logs to see who would have been blocked, false positives from VPNs and mobile carrier networks included, before switching it to enforced.
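The same starting-point policy expressed against the Microsoft Graph API, as an added example that is not the blog's or Microsoft's code. It goes one step beyond the text by also building the companion user-risk policy, which remediates with a secure password change rather than a block. The display names, the placeholder break-glass object ID and the report-only default are assumptions; the request shape (signInRiskLevels, userRiskLevels, builtInControls and the state values) follows the documented conditionalAccessPolicy resource.

```python
"""Create the Conditional Access policies from this section via Microsoft
Graph (added example, not the blog's or Microsoft's code)."""
from __future__ import annotations

import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def _base(display_name: str, break_glass_ids: list[str], enforce: bool) -> dict:
    """Common scaffold: all users minus break-glass accounts, all cloud apps."""
    return {
        "displayName": display_name,
        # Report-only first: the sign-in log records what the policy would have
        # done, but nobody is locked out until the state is flipped to enabled.
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
        },
    }


def block_high_risk_sign_ins(break_glass_ids: list[str], enforce: bool = False) -> dict:
    """The policy described above: sign-in risk = high, access control = block."""
    p = _base("CA - Block high-risk sign-ins", break_glass_ids, enforce)
    p["conditions"]["signInRiskLevels"] = ["high"]
    p["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}
    return p


def remediate_high_user_risk(break_glass_ids: list[str], enforce: bool = False) -> dict:
    """Companion user-risk policy: force a secure password change. Graph only
    accepts passwordChange together with mfa under operator AND."""
    p = _base("CA - Remediate high user risk", break_glass_ids, enforce)
    p["conditions"]["userRiskLevels"] = ["high"]
    p["grantControls"] = {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}
    return p


def preflight(policy: dict) -> list[str]:
    """Checks worth running before POSTing; each string is a reason to stop."""
    problems = []
    cond, grant = policy["conditions"], policy["grantControls"]
    if not cond["users"].get("excludeUsers"):
        problems.append("no emergency-access account is excluded")
    if not (cond.get("signInRiskLevels") or cond.get("userRiskLevels")):
        problems.append("policy has no risk condition, so it would apply to every sign-in")
    controls = set(grant["builtInControls"])
    if "passwordChange" in controls and ("mfa" not in controls or grant["operator"] != "AND"):
        problems.append("passwordChange requires mfa with operator AND")
    if "block" in controls and len(controls) > 1:
        problems.append("block should not be combined with other grant controls")
    return problems


def create_policy(access_token: str, policy: dict) -> dict:
    """POST the policy. The token needs Policy.ReadWrite.ConditionalAccess."""
    problems = preflight(policy)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        GRAPH_CA_POLICIES,
        data=json.dumps(policy).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder object ID of the break-glass account (assumption).
    BREAK_GLASS = ["00000000-0000-0000-0000-000000000000"]
    for policy in (block_high_risk_sign_ins(BREAK_GLASS), remediate_high_user_risk(BREAK_GLASS)):
        print(json.dumps(policy, indent=2))
        print("preflight:", preflight(policy) or "ok")
```

Run `create_policy` with a token that carries Policy.ReadWrite.ConditionalAccess to create both policies in report-only mode, then flip `enforce=True` (or edit the policy in the admin center) after reviewing the report-only results in the sign-in logs.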

Microsoft recently introduced a new option called Require risk remediation. This feature consolidates several security actions into a single control: 

Final Thoughts

If you choose to block access outright rather than remediating with a password reset and session revocation, implement it thoughtfully.

There are real-world cases where executives traveling internationally were blocked by false positives, time zone differences delayed the response, and business operations were temporarily impacted. So if you do go more restrictive, have SOPs in place for handling false positives: an out-of-band way to verify the user's identity, a named person authorized to mark the sign-in safe or dismiss the user risk in Entra ID Protection, and a way to reach that person outside business hours.