And how exactly do you expect Azure AD to know the physical location of the user? The IP from which the attempt originates is used to determine the location, if he uses VPN to change the address, Azure AD will detect it, correctly. If you don't want this to happen, exclude the user from the policy.
User Risk policy and sign in risk policy-false positive
we have found many false positive on user risk and sign in risk.
For eg: one user has installed VPN client on his/her machine and connect to office 365 or azure from that location. User still in usa but VPN client points to Australia location. Azure AD dectected as High Risk user. If we enable the user risk policy, it will force the user to change the password based on the risk...what will happen when the user changed to another location in VPN it will again considered as Risk it will force the password change
For us, it is false positive since user is not physically on that location only he is changing the VPN client