Stop Impossible Travel at Sign-In: Entra's New Require Risk Remediation Control
TL;DR
- Risk-based Conditional Access policies in Entra ID block compromised sign-ins automatically, even when the attacker holds valid credentials or an active session.
- Entra evaluates two distinct signals: sign-in risk for the individual authentication attempt, and user risk for whether the account itself is likely compromised.
- Risk-based access policies require Entra ID P2, included in Microsoft E5 or available through the Defender Suite add-on for Business Premium.
- Microsoft's new Require risk remediation control consolidates several security actions into a single Conditional Access setting, in preview as of January 2026.
- Hard blocks on high-risk sign-ins need an SOP for false positives, because traveling executives do get caught by them.
The dangerous part of an account compromise is rarely the login itself. It is the hours, sometimes days, between that login and anyone noticing. During that window the attacker is reading email, walking through SharePoint, sitting in Teams, all with valid credentials and zero alerts that anyone is acting on.
Picture the textbook case: a CFO signs into Microsoft 365 from Denver, and two minutes later there is another successful login from Eastern Europe. No VPN, no approved travel, no reasonable explanation. That is impossible travel, and it almost always means the account is compromised.
With risk-based access policies in Microsoft Entra ID, that second login gets blocked automatically before the attacker ever opens a file, even with real user credentials or an active session in hand. This post covers how Entra detects and scores risk, what Microsoft's new risk remediation option in Conditional Access changes, and how to implement the protection in your tenant.
Where Entra's risk signal comes from

Microsoft processes billions of sign-ins across all tenants every day. That global telemetry feeds machine learning models built to spot risky behavior: sign-ins from known malicious IP addresses, anonymous networks, suspicious devices, and unusual geographic patterns.
At the tenant level, Entra builds a behavioral profile per user: typical sign-in locations, usual devices, preferred browsers, historical activity patterns. When a sign-in deviates from that baseline, Entra evaluates the event and assigns a risk level.
Deviation alone is not a verdict. A user signing in from Boise eight hours after signing in from Denver could be legitimate and may rate as low risk. A user signing in from Tokyo minutes after signing in from Colorado is physically impossible and rates high.

Microsoft does not publish the exact scoring logic, and that opacity is intentional. Revealing the calculation methods would hand attackers the recipe for staying under the thresholds.
Two risk types, one enforcement engine
Entra evaluates identity risk along two axes, and the distinction matters when you write policies.
Sign-in risk scores the individual authentication attempt: impossible travel, sign-ins from known malicious infrastructure, anonymous proxy usage.
User risk scores the account itself, asking whether multiple correlated events over time suggest the identity is compromised.
Both feed directly into Conditional Access, which is the point: the platform takes automated action without waiting on alerts, tickets, or a human investigation.
The licensing gate, and the cheaper way through it
Risk-based access policies require advanced identity protection, which means Entra ID P2. That ships inside Microsoft E5, and it is also available through the Microsoft Defender Suite add-on for Business Premium.
For many small and mid-sized organizations, the Defender Suite add-on is significantly more cost effective than an E5 migration. In our experience it is also the easier conversation, especially at renewal time or in the weeks after a security incident, when budget conversations move quickly.
Building the baseline policy
Once licensed, configuration lives in Microsoft Entra ID under Conditional Access. Microsoft provides policy templates, though many organizations build custom policies for clarity and control.

The recommended starting point is a policy that blocks high-risk sign-ins:
- Apply to all users, excluding emergency access accounts
- Target all cloud apps
- Set the condition to sign-in risk: high
- Set the access control to block
What the new Require risk remediation option adds
Microsoft recently introduced Require risk remediation (opens in new tab), a new Conditional Access control that consolidates several security actions into a single setting. Instead of choosing between a hard block and separate password or session controls, the policy can require the risk be remediated as the condition of access.


Plan for the false positive before it pages you
If you choose to block access rather than reset passwords and sessions, implement it thoughtfully. There are real-world cases of executives traveling internationally getting blocked on false positives, with time zone differences delaying the response and business operations taking the hit.
Going more restrictive is often the right call. Just pair it with standard operating procedures for false positives, so the 2 a.m. blocked-CEO scenario has a runbook instead of a scramble.
Frequently asked questions
What license do you need for risk-based Conditional Access?
Entra ID P2, which is bundled with Microsoft E5 and also available through the Microsoft Defender Suite add-on for Business Premium. For many small and mid-sized organizations, the add-on is significantly more cost effective than moving to E5 and an easier conversation at renewal or after an incident.
Should the policy block access or require remediation?
Blocking is the stronger control and the right starting point for high-risk sign-ins, but it carries a false positive cost. The new Require risk remediation option lets the user self-remediate through actions like a secure password reset instead of waiting on an admin, which keeps legitimate users moving.
Why does Microsoft not publish how risk scores are calculated?
Deliberately. Publishing the scoring logic would tell attackers exactly what to avoid to slip under the thresholds, so the calculation methods stay opaque.
Is risk-based access actually deployed in every tenant you manage?
Conditional Access gaps are exactly the kind of control that passes in one tenant and is missing in the next ten. CloudCapsule checks 250+ controls per tenant in 60 seconds, risk policies included, and hands you the remediation steps.
Run a free scan
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


