
Why Sign-In Risk ≠ User Risk (And How MSPs Get Burned by Confusing Them)

January 19, 2026 by
Jaspreet Singh



As MSPs, we see this all the time.

A security alert fires:

“High sign-in risk detected.”

The reaction?

  • Panic
  • Account lockout
  • Password reset
  • Angry client email

And most of the time… nothing was actually compromised.

The problem isn’t the alert.

The problem is treating sign-in risk and user risk as the same thing.

They are not the same, and mixing them up leads to outages, support problems, and liability for MSPs.

Sign-In Risk: A Single Event, Not a Breach

Sign-in risk is about one login attempt. (Cybersecurity Risk - Glossary, n.d.) It answers one question:

“Did this login look suspicious?”

Triggers include:

  • Travel-related anomalies
  • VPN or proxy usage
  • New devices or locations
  • IPs with a bad reputation

For MSPs, this usually means:

  • Executives traveling
  • Users working remotely
  • Clients using consumer VPNs
  • Staff logging in from hotels or airports

A high sign-in risk does not necessarily mean the account is compromised.

It means the login should be challenged, not shut down.

User Risk: When the Account Itself Is in Trouble

User risk is much more serious.

It looks at identity over time, not at a single event. (Risky Sign-Ins vs Risky Users Conditional Access Policies, 2025) User risk increases when Microsoft detects:

  • Credentials found in breach dumps
  • Verified account compromise
  • Repeated risky sign-ins
  • Token abuse patterns (What are risk detections? - Microsoft Entra ID Protection | Microsoft Learn, 2023)

From an MSP perspective, this is where:

  • Legal exposure starts
  • Incident response is required
  • Clients expect immediate action

High user risk means:

  • Password reset is non-negotiable
  • Sessions must be revoked
  • Investigation must begin

Where MSPs Get Into Trouble

Overreacting to Sign-In Risk

When MSPs block users or force password resets on every risky sign-in:

  • Execs lose access mid-travel
  • MFA fatigue skyrockets
  • Helpdesk tickets pile up
  • Clients blame you, not Microsoft (Weinert, 2022)

Underreacting to User Risk

When user risk alerts are ignored or delayed:

  • Attackers keep valid sessions
  • Tokens remain active
  • Breaches go undetected
  • MSPs own the fallout (MSPs combat breaches with cybersecurity alerts, 2023)

Both situations are bad. One annoys clients, and the other can get you fired.

The Correct MSP Approach

Sign-in risk should trigger friction, not failure.

  • Require MFA
  • Step-up authentication
  • Monitor the session

User risk should trigger containment.

  • Force password reset
  • Revoke tokens
  • Investigate immediately

This distinction reduces:

  • False positives
  • Client frustration
  • After-hours emergencies

And it shows clients you understand identity security, not just how to respond to alerts.
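
The split above, as a triage routine (an added example, not code from the author). Field names follow Microsoft Graph signIn and riskyUser records; the sample records, the "high" thresholds and the action labels are constructed assumptions.

```python
# Added example. Field names follow Microsoft Graph signIn and riskyUser
# records; records, thresholds and action labels are constructed.
ACTIVE = {"atRisk", "confirmedCompromised"}  # risk states still needing a response
FRICTION = ["require_mfa", "step_up_authentication", "monitor_session"]
CONTAINMENT = ["force_password_reset", "revoke_tokens", "investigate_immediately"]

SIGN_INS = [  # constructed sample sign-in events
    {"userPrincipalName": "exec@client.example",
     "riskLevelDuringSignIn": "high", "riskState": "atRisk"},
    {"userPrincipalName": "remote@client.example",
     "riskLevelDuringSignIn": "high", "riskState": "remediated"},
    {"userPrincipalName": "finance@client.example",
     "riskLevelDuringSignIn": "high", "riskState": "atRisk"},
]
RISKY_USERS = [  # constructed sample risky-user records
    {"userPrincipalName": "finance@client.example",
     "riskLevel": "high", "riskState": "atRisk"},
    {"userPrincipalName": "intern@client.example",
     "riskLevel": "high", "riskState": "dismissed"},
]


def triage(sign_ins, risky_users, signin_levels=("high",), user_levels=("high",)):
    """Map each user to one response track and its actions."""
    plan = {}
    # Sign-in risk is one event: add friction, unless it was already remediated.
    for s in sign_ins:
        if s["riskLevelDuringSignIn"] in signin_levels and s["riskState"] in ACTIVE:
            plan[s["userPrincipalName"]] = {
                "track": "sign-in risk", "actions": list(FRICTION)}
    # User risk is about the identity: containment replaces friction.
    for u in risky_users:
        if u["riskLevel"] in user_levels and u["riskState"] in ACTIVE:
            plan[u["userPrincipalName"]] = {
                "track": "user risk", "actions": list(CONTAINMENT)}
    return plan


PLAN = triage(SIGN_INS, RISKY_USERS)

if __name__ == "__main__":
    for upn, entry in PLAN.items():
        print(upn, entry["track"], entry["actions"])
```

The traveling executive gets friction only, the already-remediated sign-in and the dismissed user produce no action, and the account with both signals goes straight to containment.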

Conditional Access: Where Policy Design Makes or Breaks You

Bad MSP design:

  • One policy
  • One reaction
  • Everything blocked

Good MSP design:

  • Separate policies
  • Clear remediation paths
  • Documented response playbooks

Clients don’t care about “risk signals.”

They care about:

  • Uptime
  • Security
  • Trust

Your policies should reflect that.
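
A small lint that tells the two designs apart (an added example, not code from the author or from Microsoft). The policy bodies use the Microsoft Graph conditionalAccessPolicy shape, trimmed to the fields the lint reads; the display names, the "high" thresholds and the lint rules are assumptions made for illustration.

```python
# Added example. Policy bodies follow the Microsoft Graph conditionalAccessPolicy
# shape; display names, thresholds and lint rules are constructed.
def policy(name, controls, signin=(), user=()):
    """Build the part of a policy body that the lint below inspects."""
    return {
        "displayName": name,
        "conditions": {"signInRiskLevels": list(signin),
                       "userRiskLevels": list(user)},
        "grantControls": {"operator": "AND", "builtInControls": list(controls)},
    }


# Bad design: one policy, one reaction, everything blocked.
BAD = [policy("Block all risk", ["block"], signin=["high"], user=["high"])]

# Good design: one policy per risk type, each with its own remediation path.
GOOD = [
    policy("Sign-in risk: require MFA", ["mfa"], signin=["high"]),
    policy("User risk: require password change", ["mfa", "passwordChange"],
           user=["high"]),
]


def lint(policies):
    """Return (policy name, finding) pairs for a tenant's risk policies."""
    findings, has_signin, has_user = [], False, False
    for p in policies:
        name = p["displayName"]
        signin = p["conditions"]["signInRiskLevels"]
        user = p["conditions"]["userRiskLevels"]
        controls = set(p["grantControls"]["builtInControls"])
        if signin and user:
            findings.append((name, "mixes sign-in risk and user risk"))
        if signin and "block" in controls:
            findings.append((name, "blocks on sign-in risk instead of challenging"))
        if signin and not user and "mfa" in controls and "block" not in controls:
            has_signin = True
        if user and not signin and "passwordChange" in controls:
            has_user = True
    if not has_signin:
        findings.append(("tenant", "no sign-in risk policy requiring MFA"))
    if not has_user:
        findings.append(("tenant", "no user risk policy requiring password change"))
    return findings
```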

The Business Impact MSPs Forget

Every unnecessary lockout:

  • Costs support time
  • Erodes client confidence
  • Trains users to hate security

Every missed user-risk alert:

  • Increases breach likelihood
  • Increases liability
  • Puts contracts at risk (Tavarez, 2024)

Understanding this difference is not just a bonus.

It’s core MSP risk management.

Final Takeaway for MSPs

Sign-in risk = suspicious login
User risk = potentially compromised account

Treat them differently or pay for it later.

The best MSPs do more than just deploy security tools.

They interpret signals correctly and act with precision.


Jaspreet Singh — Author at MSPinsights.ca | Founder & CEO, Accelerate IT Services Inc.

References

(n.d.). Cybersecurity Risk - Glossary. NIST Computer Security Resource Center. https://csrc.nist.gov/glossary/term/cybersecurity_risk

(2025). Risky Sign-Ins vs Risky Users Conditional Access Policies. TechDocWeb.com. https://techdocweb.com/2025/09/25/sign-in-risk-vs-user-risk-in-entra-conditional-access/

(2023). What are risk detections? - Microsoft Entra ID Protection | Microsoft Learn. Microsoft Learn. https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks

Weinert, A. (2022). Defend your users from MFA fatigue attacks. Microsoft Entra Blog. https://techcommunity.microsoft.com/blog/microsoft-entra-blog/defend-your-users-from-mfa-fatigue-attacks/2365677

(September 14, 2023). MSPs combat breaches with cybersecurity alerts. Security News. https://www.sourcesecurity.com/news/security-alerts-msps-combat-cyber-risks-co-1730704089-ga.1732257834.html

Tavarez, G. (June 5, 2024). Uninvestigated Cloud Alerts Put Nearly 90% of Businesses at Risk. MSP TODAY NEWS. https://www.msptoday.com/topics/msp-today/articles/459772-uninvestigated-cloud-alerts-put-nearly-90-businesses-risk.htm
