Thank you for posting your query on Microsoft Q&A, from above description I could understand that you are looking for advisory on risky signin evaluation and different types of IP range configuration within Microsoft defender and Entra ID.
Please do correct me if this is not the case by responding in the comments section:
- What are differences between these 2 lists? Which one is used as factor in assessing risky sign-in?
Named locations are used by Microsoft Entra security reports to reduce false positives and by Microsoft Entra Conditional Access policies. Named Locations that are marked Trusted or configured in Conditional Access Policies cannot be deleted. Learn more
This is used for evaluating All Azure applications/API access from a certain location or IP and conditional access evaluation.
Cloud Apps IP range are IP address ranges that allow you to tag, categorize, and customize the way logs and alerts are displayed and investigated. Each group of IP ranges can be categorized based on a preset list of IP categories.
Built-in IP address tags and custom IP tags are considered hierarchically. Custom IP tags take precedence over built-in IP tags. For instance, if an IP address is tagged as Risky based on threat intelligence but there's a custom IP tag that identifies it as Corporate, the custom category and tags take precedence.
This is used for evaluating first party or O365/M365 applications from a certain location or IP .
Please "Accept the answer (Yes)" and "share your feedback ". This will help us and others in the community as well.
Thanks,
Akshay Kaushik