Azure Active Directory (Azure AD) Identity Protection categorizes risk detections into different levels to help administrators prioritize and automate responses.

• Users with leaked credentials is considered a High risk because it indicates that a user's valid credentials (username and password) have been exposed publicly on the dark web or through a data breach. This means an attacker has the direct ability to access the account, representing a severe and immediate threat.
• Impossible travel to atypical locations is classified as a Medium risk. This detection is triggered when two sign-ins from the same user occur from geographically distant locations in a time frame that is physically impossible. While highly suspicious, it's not rated as high because factors like using VPNs or misconfigured client reporting can sometimes cause false positives.
• Sign ins from IP addresses with suspicious activity is also a Medium risk. This event is triggered when a sign-in originates from an IP address associated with malicious activity, such as botnets or traffic from anonymous proxies (like Tor). This is a strong indicator of a potential attack, but it doesn't definitively prove the specific user's account is compromised, as malicious IP addresses can be part of a shared network.

Microsoft Entra ID Protection Documentation, "What are risk detections?": This official document provides a detailed list of user and sign-in risk detections and their corresponding risk levels.

Leaked credentials is explicitly listed as a user risk detection with a Risk level of High.

Impossible travel is listed as a sign-in risk detection with a Risk level of Medium.

Malicious IP address (the specific detection for "suspicious activity") is listed as a sign-in risk detection with a Risk level of Medium.