Use IP Allowlisting to enforce zero trust policies for specific SaaS Applications integrated with Entra ID

Use Named Locations and Conditional Access policies in Azure AD to ensure use of a Service Tunnel when authenticating to a SaaS Application like O365

  • Updated on Jan 14, 2025
  • 5 minutes to read
  • Contributors

Overview

This guide explains how to use Named Locations and Conditional Access policies in Entra ID to require that end users have Service Tunnel for authenticating to specific SaaS application(s). In the steps below, we use Office 365 as the example application.

Steps

Step 1: Register a Service Tunnel for Public Domains

1.1 Register a Service Tunnel for Public Domains.

1.2 Configure the Service Tunnel to include the relevant Entra ID domain used for authentication (e.g. login.microsoftonline.com, login.live.com) and the account data list of domains. Refer to Microsoft’s website for additional information on Entra ID portal authentication domains and account data domains.

Step 2: Create a named location to use in a Conditional Access policy

2.1 In the Microsoft Entra admin center, navigate from Azure Active Directory > Protect & Security > Conditional Access > Named locations, and select + IP ranges location.

2.2 Enter a name (e.g., Service Tunnel) and the IP address(es) of the relevant Access Tiers.

Step 3: Create a Conditional Access policy and assign the location condition

3.1 Navigate from Azure Active Directory > Protect & Security > Conditional Access, and select Create new policy.

3.2 Enter a name for the policy and include the following configurations:

  • Assignments:

    • Cloud apps or actions - Select the relevant application(s) that you want to require a Service Tunnel to be registered for before authenticating to specific SaaS application(s) (e.g., Office 365).
  • Conditions:

    • Locations - Set Configure to Yes, and Exclude the location(s) defined in Step 2.
  • Access Controls:

    • Grant - Set to Block access.

3.3 Enable the policy, and Save.

Expected Behaviour

If the user DOES NOT have the Service Tunnel connection established, the user will receive an error message indicating that they cannot access the resource (see below). The user(s) must have the relevant Service Tunnel connection established in order to access the resource (e.g., Office 365).