Adobe Creative Cloud is widely used and trusted across organizations, and it often contains valuable intellectual property and sensitive business information.
It is also accessible from virtually anywhere, making it an ideal target for attackers. Unauthorized access can lead to asset theft, misuse of licensed applications, and data exposure.
Restricting access to only specific IP addresses reduces these risks and ensures only trusted users will be able to log in.
This step-by-step guide will show you how to use Conditional Access policies in Microsoft Entra ID to secure Adobe Creative Cloud, maintaining control without disrupting workflows.
Why you should restrict Adobe Creative Cloud access to specific IP addresses
Restricting access to Adobe Creative Cloud based on IP address protects your creative assets and intellectual property.
Because logins from unknown locations are blocked, attackers will not be able to access your account even with stolen credentials.
This reduces the risk of misuse, strengthens your security posture, and helps meet compliance and regulatory standards. Combining IP restrictions with other secure access methods ensures flexibility and protection.
Step-by-step: How to restrict Adobe Creative Cloud access to specific IPs using Conditional Access
The approach uses two components working together:
Named Locations: A saved list of trusted IP addresses or CIDR ranges defined in Entra ID.
Conditional Access policy: A policy that blocks Adobe Creative Cloud sign-ins originating from any IP not on the trusted list.
NOTE: This configuration requires Adobe Creative Cloud to be integrated with Microsoft Entra ID via SAML SSO. If SSO is not yet configured, complete that setup before proceeding with this guide. Refer to the Adobe Creative Cloud SSO KB article for setup instructions.
IMPORTANT: Adobe Creative Cloud's desktop application uses an embedded browser for sign-in that does not pass device identity to Entra ID by default. If your policy also requires device compliance, you must deploy the iAcroLoginType registry fix described in the Adobe Creative Cloud SSO KB. For IP-only restrictions, this registry fix is not required.
Prerequisites
Before proceeding, confirm the following are in place:
- Microsoft Entra ID P1 or P2 license — required for Conditional Access.
- Conditional Access Administrator role or higher in Microsoft Entra ID.
- Adobe Identity Management (SAML) enterprise app registered in your Entra ID tenant with SSO configured.
- Security Defaults disabled — Security Defaults and Conditional Access cannot run simultaneously.
- Known static IP address — the public IP address or CIDR range of each approved location.
- Break-glass admin account — must be excluded from this policy to prevent administrative lockout.
IMPORTANT: If your approved IP address is dynamic, this approach will not work reliably. You must use a static IP before implementing IP-based Conditional Access.
Step 1: Create a Named Location for your trusted IP(s)
A Named Location defines the trusted IP addresses that Entra ID will use as a condition in the policy.
- Sign in to the Microsoft Entra admin center at entra.microsoft.com.
- Navigate to Protection > Conditional Access > Named locations.
- Select + IP ranges location.
- Name the location — for example: Trusted - Corporate Office
- Check the Mark as trusted location checkbox.
- Click + and enter your approved IP address or CIDR range.
  Examples:
  - Single IP address: 203.0.113.10/32
  - IP range (CIDR): 203.0.113.0/24
  - Multiple sites: Create a separate Named Location for each site, then reference all of them in the policy.
- Click Create.
Step 2: Create the Conditional Access policy
Create a policy that blocks Adobe Creative Cloud access from any location not on your trusted list.
- In the Entra admin center, navigate to Protection > Conditional Access > Policies.
- Select + New policy.
- Name the policy — for example: Block Adobe CC - Outside Trusted IPs
Assignments: Users
- Under Assignments > Users, select All users.
- Under Exclude, add your break-glass admin account and any service accounts that authenticate from dynamic IPs.
Assignments: Target resources
- Under Target Resources, select Cloud apps > Select apps.
- Search for and select Adobe Identity Management (SAML).
Conditions: Locations
- Under Conditions > Locations, set Configure to Yes.
- Under Include, select Any location.
- Under Exclude, select Selected locations, then choose your Named Location from Step 1.
TIP: This configuration reads: apply this policy to sign-ins from any location, except the trusted named location. Any Adobe Creative Cloud sign-in originating outside the trusted IP will be subject to the Block access grant control below.
Access controls: Grant
- Under Access Controls > Grant, select Block access.
- Click Select to confirm.
Enable policy
- Set Enable policy to Report-only.
- Click Create.
IMPORTANT: Do not set this policy to On immediately. A block policy applied to All users that is misconfigured will lock all users out of Adobe Creative Cloud instantly. Validate in Report-only mode first.
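Steps 1 and 2 can also be scripted. The following is an added example, not part of the original guide, that creates the Named Location and the Report-only policy with the Microsoft Graph PowerShell SDK. It assumes the SDK is installed; the break-glass object ID is a placeholder, and the CIDR range is the example value from Step 1.

```powershell
# Added example: Steps 1 and 2 as code (Microsoft Graph PowerShell SDK).
# Values marked as placeholders must be replaced before running.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','Application.Read.All'

$trustedCidrs     = @('203.0.113.0/24')                 # example range from Step 1
$breakGlassUserId = '<break-glass-account-object-id>'   # placeholder

# Step 1: Named Location, marked as trusted, one entry per CIDR range.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Trusted - Corporate Office'
    isTrusted     = $true
    ipRanges      = @($trustedCidrs | ForEach-Object {
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $_ }
    })
}

# Resolve the enterprise app named in the guide. Stop if it is missing or
# ambiguous so the block policy is never attached to the wrong application.
$adobe = @(Get-MgServicePrincipal -Filter "displayName eq 'Adobe Identity Management (SAML)'")
if ($adobe.Count -ne 1) {
    throw "Expected exactly one Adobe service principal, found $($adobe.Count)."
}

# Step 2: block sign-ins from any location except the trusted one.
# The policy is created in Report-only so nothing is enforced yet.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Block Adobe CC - Outside Trusted IPs'
    state       = 'enabledForReportingButNotEnforced'    # Report-only
    conditions  = @{
        clientAppTypes = @('all')
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassUserId) }
        applications   = @{ includeApplications = @($adobe[0].AppId) }
        locations      = @{ includeLocations = @('All'); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Show what was created so it can be checked against the portal view.
$policy | Select-Object Id, DisplayName, State
```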
Step 3: Validate the policy
Before enabling enforcement, confirm the policy is evaluating sign-ins correctly.
- In the Entra admin center, navigate to Identity > Monitoring & health > Sign-in logs.
- Filter by the Adobe Identity Management (SAML) application.
- Open a sign-in from a user on your trusted IP and confirm the Conditional Access tab shows Would succeed.
- If available, review a sign-in from an untrusted IP and confirm it shows Would fail with the location condition as the reason.
- Investigate any unexpected Would fail entries on trusted IPs. This typically indicates the office is presenting a different egress IP than the one entered in the Named Location.
TIP: Use the What If tool under Protection > Conditional Access to simulate how a specific user signing in from a specific IP would be evaluated without waiting for a real sign-in event.
Step 4: Enable the policy
- In the Entra admin center, navigate to Protection > Conditional Access > Policies.
- Select the policy created in Step 2.
- Change Enable policy from Report-only to On.
- Click Save.
From this point forward, any Adobe Creative Cloud sign-in attempt from an IP address not included in your Named Location will be blocked.
NOTE: Users who are already signed in to Adobe Creative Cloud when the policy is enabled will not be immediately signed out. The block takes effect on the next sign-in or token refresh, typically within 1 hour.
Summary
The following summarizes the full configuration process:
- Prerequisites: Confirm license, SAML SSO configured, Security Defaults disabled, static IP(s) identified.
- Step 1: Create a Named Location with your trusted IP address(es).
- Step 2: Create a CA policy targeting Adobe Identity Management (SAML), excluding the Named Location, with Block access.
- Step 3: Validate in Report-only mode using sign-in logs and the What If tool.
- Step 4: Switch Enable policy to On.
FAQs
Why is Adobe Creative Cloud a target for attackers?
Creative Cloud often contains valuable intellectual property, branding assets, and proprietary content, making it a target for data theft and unauthorized use.
Can Adobe Creative Cloud restrict access by IP address natively?
Adobe has some built-in security features, but most organizations enforce IP-based access restrictions through an identity provider like Microsoft Entra ID using Conditional Access policies.
What happens if a user logs in from an unapproved IP address?
Access will be blocked and login prevented unless the user connects from an approved network.
Is restricting access by IP enough to secure Creative Cloud?
No. While it significantly reduces risk, it should be combined with additional controls such as MFA, least privilege access, and Zero Trust enforcement. Attackers may still attempt to use compromised VPNs or proxy services, which is why additional security layers are necessary.


