Risk-based Conditional Access extends Conditional Access signals.
Sign-in risk-based Conditional Access identifies when an authentication request is of a higher risk due to location change with impossible travel, coming from an anonymous IP address such as Tor or VPN, atypical travel, malware linked IP address and more.
User risk-based Conditional Access identifies when user credentials have been leaked or Azure AD threat intelligence identifies higher user risk because of known attack patterns.