Many businesses rely on HubSpot for marketing, sales, and customer relationship management (CRM). A company HubSpot account contains the personal data of customers as well as marketing workflows and sales pipelines.
All of this combined makes it an attractive target for attackers. Preventing unauthorized users from gaining access to your HubSpot account is critical in protecting your data. With credential theft becoming more rampant, restricting HubSpot access to specific IP addresses using Conditional Access policies is a secure way to ensure only trusted users can access your CRM data.
This article walks you through using Conditional Access in Microsoft Entra ID to restrict HubSpot access to one or more approved IP addresses.
Why restrict HubSpot access by IP address?
Restricting access to HubSpot to only approved IP addresses reduces the blast radius if credentials are compromised.
With these policies, valid credentials alone will not be enough to gain access if the login comes from outside the approved networks.
Doing so enhances the security of your CRM data and reduces the risk of account takeover or data manipulation. This in turn supports compliance and data protection requirements and strengthens your overall SaaS security posture.
Step-by-step: Restricting HubSpot access to specific IP addresses using Conditional Access
The approach uses two components working together:
- Named Locations — a saved list of trusted IP addresses or CIDR ranges defined in Entra ID.
- Conditional Access policy — a policy that blocks HubSpot sign-ins originating from any IP not on the trusted list.
NOTE: HubSpot SAML SSO is only available on Enterprise tier plans across Marketing Hub, Sales Hub, Service Hub, and Content Hub. If your organization is on a lower tier, SSO is not supported and Conditional Access cannot be applied. Confirm your HubSpot subscription tier before proceeding.
IMPORTANT: HubSpot has multiple login methods including email and password, Login with Google, and Login with Microsoft in addition to SSO. If the Require SSO setting is not enabled in HubSpot, users can bypass Entra ID entirely using any of these alternative login methods, making the Conditional Access policy ineffective. Require SSO must be enabled in HubSpot before this policy can be considered the sole enforcement control.
Prerequisites
Before proceeding, confirm the following are in place:
- Microsoft Entra ID P1 or P2 license — required for Conditional Access.
- Conditional Access Administrator role or higher in Microsoft Entra ID.
- HubSpot Enterprise plan — SSO is only available on Enterprise tier.
- HubSpot enterprise app (SAML SSO) registered in your Entra ID tenant with SSO configured and verified in HubSpot.
- Require SSO enabled in HubSpot — found under Settings > Account Defaults > Single Sign-on. Must be active before this policy provides full enforcement.
- Security Defaults disabled — Security Defaults and Conditional Access cannot run simultaneously.
- Known static IP address — the public IP address or CIDR range of each approved location.
- Break-glass admin account — must be excluded from this policy to prevent administrative lockout.
IMPORTANT: If your approved IP address is dynamic, this approach will not work reliably. You must use a static IP before implementing IP-based Conditional Access.
Step 1: Create a Named Location for your trusted IP(s)
A Named Location defines the trusted IP addresses that Entra ID will reference as a condition in the policy.
- Sign in to the Microsoft Entra admin center at entra.microsoft.com.
- Navigate to Protection > Conditional Access > Named locations.
- Select + IP ranges location.
- Name the location — for example: Trusted - Corporate Office
- Check the Mark as trusted location checkbox.
- Click + and enter your approved IP address or CIDR range. Examples:
  - Single IP address: 203.0.113.10/32
  - IP range (CIDR): 203.0.113.0/24
  - Multiple sites: Create a separate Named Location for each site, then reference all of them in the policy.
- Click Create.
Step 2: Create the Conditional Access policy
Create a policy that blocks HubSpot access from any location not on your trusted list.
- In the Entra admin center, navigate to Protection > Conditional Access > Policies.
- Select + New policy.
- Name the policy — for example: Block HubSpot - Outside Trusted IPs
Assignments: Users
- Under Assignments > Users, select All users.
- Under Exclude, add your break-glass admin account and any service or integration accounts that authenticate from dynamic IPs.
Assignments: Target Resources
- Under Target Resources, select Cloud apps > Select apps.
- Search for and select HubSpot.
Conditions: Locations
- Under Conditions > Locations, set Configure to Yes.
- Under Include, select Any location.
- Under Exclude, select Selected locations, then choose your Named Location from Step 1.
TIP: This configuration reads: apply this policy to sign-ins from any location, except the trusted named location. Any HubSpot sign-in originating outside the trusted IP will be blocked before Entra ID issues a SAML assertion to HubSpot.
Access Controls: Grant
- Under Access Controls > Grant, select Block access.
- Click Select to confirm.
Enable policy
- Set Enable policy to Report-only.
- Click Create.
IMPORTANT: Do not set this policy to On immediately. A block policy applied to All users that is misconfigured will lock all users out of HubSpot instantly. Always validate in Report-only mode first.
Step 3: Validate the policy
Before enabling enforcement, confirm the policy is evaluating sign-ins correctly.
- In the Entra admin center, navigate to Identity > Monitoring & health > Sign-in logs.
- Filter by the HubSpot application.
- Open a sign-in from a user on your trusted IP and confirm the Conditional Access tab shows Would succeed.
- If available, review a sign-in from an untrusted IP and confirm it shows Would fail with the location condition listed as the reason.
- Investigate any unexpected Would fail entries — this typically indicates the network is presenting a different egress IP than what is entered in the Named Location.
TIP: Use the What If tool under Protection > Conditional Access to simulate how a specific user signing in from a specific IP would be evaluated without waiting for a real sign-in event.
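To review many report-only results at once instead of opening sign-ins one by one, the check in Step 3 can be scripted over exported sign-in records. This is an added example, not part of the original article: the records are constructed samples that use Microsoft Graph signIn field names, and the helper names and the two-user threshold are assumptions.

```python
import ipaddress

POLICY = "Block HubSpot - Outside Trusted IPs"
TRUSTED = [ipaddress.ip_network("203.0.113.0/24")]  # what the Named Location should hold

def _rec(upn, ip, result):  # builds one constructed sample record
    return {"userPrincipalName": upn, "ipAddress": ip,
            "appliedConditionalAccessPolicies": [{"displayName": POLICY, "result": result}]}

SIGN_INS = [  # constructed sample data, not real log entries
    _rec("ana@example.com", "203.0.113.25", "reportOnlyNotApplied"),
    _rec("ben@example.com", "198.51.100.7", "reportOnlyFailure"),
    _rec("cy@example.com", "198.51.100.7", "reportOnlyFailure"),
    _rec("dee@example.com", "192.0.2.44", "reportOnlyFailure"),
    _rec("eli@example.com", "203.0.113.80", "reportOnlyFailure"),
    _rec("breakglass@example.com", "192.0.2.99", "reportOnlyNotApplied"),
]

def triage(sign_ins, trusted, policy_name):
    """Sort report-only results for one policy into the cases worth reviewing."""
    out = {"blocked_outside": {}, "blocked_inside": [], "allowed_outside": []}
    for s in sign_ins:
        results = [p["result"] for p in s.get("appliedConditionalAccessPolicies", [])
                   if p.get("displayName") == policy_name]
        if not results:
            continue  # the policy was not evaluated for this sign-in
        ip, upn = ipaddress.ip_address(s["ipAddress"]), s["userPrincipalName"]
        inside = any(ip in net for net in trusted)
        would_block = "reportOnlyFailure" in results  # report-only policy would have blocked
        if would_block and inside:
            out["blocked_inside"].append((upn, str(ip)))   # Named Location differs from TRUSTED
        elif would_block:
            out["blocked_outside"].setdefault(str(ip), set()).add(upn)
        elif not inside:
            out["allowed_outside"].append((upn, str(ip)))  # excluded account or policy gap
    return out

def likely_missed_egress(report, min_users=2):
    """Outside IPs shared by several users may be an unlisted office or VPN egress."""
    return sorted(ip for ip, users in report["blocked_outside"].items()
                  if len(users) >= min_users)
```

Entries under `blocked_inside` and any address returned by `likely_missed_egress` should be resolved before the policy is switched to On.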
Step 4: Enable the policy
- In the Entra admin center, navigate to Protection > Conditional Access > Policies.
- Select the policy created in Step 2.
- Change Enable policy from Report-only to On.
- Click Save.
From this point forward, any HubSpot sign-in attempt from an IP address not included in your Named Location will be blocked. Entra ID will not issue a SAML assertion to HubSpot, and the user will be denied access at the identity provider level.
NOTE: Users who are already signed in to HubSpot when the policy is enabled will not be immediately signed out. The block takes effect on the next sign-in or token refresh, typically within one hour. Confirm that Require SSO is active in HubSpot Settings > Account Defaults to prevent users from bypassing Entra ID using alternative login methods.
Summary
The following summarizes the full configuration process:
- Prerequisites: Confirm HubSpot Enterprise plan, SAML SSO configured, Require SSO enabled in HubSpot, Security Defaults disabled, static IP(s) identified
- Step 1: Create a Named Location with your trusted IP address(es) in Entra ID
- Step 2: Create a CA policy targeting HubSpot, excluding the Named Location, with Block access
- Step 3: Validate in Report-only mode using sign-in logs and the What If tool
- Step 4: Switch Enable policy to On
FAQs
Can HubSpot restrict access by IP address natively?
Yes, but only certain subscriptions and privileges can enable this feature.
Can attackers bypass IP-based restrictions?
Yes, attackers may attempt to compromise VPNs or proxy services to bypass IP-based restrictions. This is why IP restrictions should be layered with additional controls such as MFA, least privilege access, and Zero Trust controls.
Why is HubSpot a target for attackers?
HubSpot contains valuable customer data and communication history, making it a prime target for data theft, account takeover attacks, and fraud.

