Hudu is a documentation platform used by many MSPs and IT teams as a centralized knowledge base. It stores highly sensitive information such as passwords, internal processes, network diagrams, and configurations.
Unauthorized access to Hudu can quickly escalate into a full environment compromise.
Role-based privilege controls and multi-factor authentication (MFA) help secure Hudu accounts, but they do not control where access originates.
Restricting access to Hudu to only specific IP addresses adds a crucial layer of environmental control and limits exposure in the event of a compromise.
Why you should restrict Hudu access by IP address
MFA and least privilege are vital controls that focus on who is accessing a system and what they can do. IP-based restrictions add control over where the access is coming from.
This helps reduce the impact of stolen credentials or session tokens because it can prevent access even after successful authentication.
For platforms like Hudu, which store high-value administrative and operational data, controlling where access can occur is just as important as controlling who can log in.
Step-by-step: How to restrict Hudu access to specific IP addresses using Conditional Access
Two complementary layers of IP-based access control are available for a Hudu instance, and both should be configured for complete coverage.
Entra ID Conditional Access
- Blocks sign-in at the identity provider before a SAML token is issued. Covers all users authenticated via SSO. Does not cover admin accounts signing in via the Hudu admin login page.
- Where to configure: Create Named Location and CA policy in Entra ID.
Hudu Native IP Access Control
- Blocks access to the entire Hudu instance by IP, independent of SSO. Covers all users including those using password login and admins using the admin login page.
- Where to configure: Configure under Hudu Admin > Security > IP Access Control.
NOTE: Hudu's SSO has an important admin exception: super-admin and admin users are always exempt from SSO enforcement by design. They can continue to sign in via the Hudu admin login page using a password. This means Entra ID Conditional Access alone does not fully cover admin accounts. Hudu's native IP Access Control is needed to restrict admin access by IP as well. For comprehensive IP restriction, configure both layers.
Prerequisites
- Microsoft Entra ID P1 or P2 license — required for Conditional Access.
- Conditional Access Administrator role or higher in Microsoft Entra ID.
- Hudu SAML/SSO configured with Entra ID — the non-gallery SAML enterprise app must exist in Entra ID and SAML/SSO must be enabled in Hudu under Admin > Security > SAML/SSO Configure.
- Password access disabled for non-admins (recommended) — in Hudu under Admin > Security > SAML/SSO, enable Disable Password Access for non-admins. This forces all non-admin users through SSO, ensuring CA policies apply. Without this, non-admin users can still use password login and bypass Entra ID.
- Security Defaults disabled — Security Defaults and Conditional Access cannot run simultaneously.
- Known static IP address(es) — the public IP address or CIDR range of each approved location.
- Break-glass admin account — must be excluded from the CA policy in Entra ID.
IMPORTANT: If your approved IP address is dynamic, this approach will not work reliably. You must use a static IP before implementing IP-based access controls.
Part A: Restrict Hudu SSO access by IP using Entra ID Conditional Access
This approach restricts sign-ins for users who authenticate through Entra ID SSO. It does not cover admin accounts, which bypass SSO by design.
Step 1: Create a Named Location
- Sign in to the Microsoft Entra admin center at entra.microsoft.com.
- Navigate to Protection > Conditional Access > Named locations.
- Select + IP ranges location.
- Name the location — for example: Trusted - MSP Office
- Check the Mark as trusted location checkbox.
- Enter your approved IP address or CIDR range. Examples:
  - Single IP address: 203.0.113.10/32
  - IP range (CIDR): 203.0.113.0/24
  - Multiple sites: Create a separate Named Location for each site, then reference all in the policy.
- Click Create.
Step 2: Create the Conditional Access policy
- Navigate to Protection > Conditional Access > Policies and select + New policy.
- Name the policy — for example: Block Hudu - Outside Trusted IPs
- Under Assignments > Users, select All users. Under Exclude, add your break-glass admin account.
- Under Target Resources, select Cloud apps > Select apps, then search for and select your Hudu SAML enterprise application.
NOTE: Hudu is not in the Microsoft Entra gallery and is configured as a non-gallery SAML application. Look for the app name you used when creating the enterprise application in Entra ID during SSO setup—typically named after your Hudu instance URL or a custom name you chose.
- Under Conditions > Locations, set Configure to Yes. Set Include to Any location and Exclude to your Named Location.
- Under Access Controls > Grant, select Block access.
- Set Enable policy to Report-only.
- Click Create.
Step 3: Validate and enable
- Navigate to Identity > Monitoring & health > Sign-in logs and filter by the Hudu application.
- Confirm sign-ins from trusted IPs show Would succeed and sign-ins from untrusted IPs show Would fail.
- Once validated, return to the policy and switch Enable policy from Report-only to On.
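The Step 3 comparison can also be run over an exported sign-in log rather than by eye. This is an added example, not part of the original guide or of any Hudu or Microsoft tooling: it assumes records carrying the Microsoft Graph sign-in fields `ipAddress`, `userPrincipalName` and `appliedConditionalAccessPolicies`, and the sample records, user names and helper functions are constructed for illustration.

```python
import ipaddress
import json

POLICY_NAME = "Block Hudu - Outside Trusted IPs"  # example policy name from Step 2
TRUSTED_RANGES = ["203.0.113.0/24"]               # example Named Location range from Step 1


def sample_record(user, ip, result=None):
    """Build one constructed record shaped like a Graph signIn entry."""
    applied = [{"displayName": POLICY_NAME, "result": result}] if result else []
    return {"userPrincipalName": user, "ipAddress": ip,
            "appliedConditionalAccessPolicies": applied}


# Constructed sample export (hypothetical users, documentation IP ranges).
SAMPLE_EXPORT = json.dumps([
    sample_record("tech1@example.com", "203.0.113.10", "reportOnlyNotApplied"),
    sample_record("tech2@example.com", "198.51.100.7", "reportOnlyFailure"),
    sample_record("tech3@example.com", "192.0.2.44", "reportOnlyNotApplied"),
    sample_record("tech4@example.com", "203.0.113.200"),
])


def audit_report_only(export_json, trusted_ranges, policy_name):
    """Return (user, ip, issue) where the report-only result disagrees with the source IP."""
    networks = [ipaddress.ip_network(r) for r in trusted_ranges]
    findings = []
    for rec in json.loads(export_json):
        ip = ipaddress.ip_address(rec["ipAddress"])
        trusted = any(ip in net for net in networks)
        results = [p["result"] for p in rec.get("appliedConditionalAccessPolicies", [])
                   if p["displayName"] == policy_name]
        if not results:
            # The policy never saw this sign-in: wrong target app or excluded user.
            findings.append((rec["userPrincipalName"], str(ip), "policy not evaluated"))
            continue
        would_block = "reportOnlyFailure" in results
        if trusted and would_block:
            findings.append((rec["userPrincipalName"], str(ip), "trusted IP would be blocked"))
        elif not trusted and not would_block:
            findings.append((rec["userPrincipalName"], str(ip), "untrusted IP would not be blocked"))
    return findings


if __name__ == "__main__":
    for user, ip, issue in audit_report_only(SAMPLE_EXPORT, TRUSTED_RANGES, POLICY_NAME):
        print(f"{user:22} {ip:15} {issue}")
```

An empty result means every sampled sign-in matched expectations; any finding should be explained (for example, an excluded break-glass account) before the policy is switched to On.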
Part B: Restrict Hudu access by IP using Hudu native IP Access Control
Hudu's built-in IP Access Control applies to the entire Hudu instance — all users including admins, API access, and any users not going through SSO. This is the recommended companion to Part A and the only way to enforce IP restrictions on admin accounts.
- Sign in to your Hudu instance as a super-admin.
- Navigate to Admin > Security > IP Access Control.
- Add each approved IP address or CIDR range to the allowlist.
- Save the configuration.
IMPORTANT: Once IP Access Control is enabled in Hudu, any IP address not on the allowlist will be blocked from accessing the instance entirely, including admin accounts, API scripts, and integrations. Confirm all required IPs are added before saving, including any addresses used by automation, the Hudu API, or external integrations. Adding an IP allowlist that omits your current IP will lock you out immediately.
NOTE: Hudu's IP Access Control applies to the entire instance. There is no per-user or per-group granularity for this feature. If some users need access from IPs outside your corporate range (such as remote workers or clients accessing the portal), plan accordingly before enabling this control.
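A pre-flight check for the lockout risk described above, as an added example that is not Hudu functionality or code from the original guide: it compares a proposed allowlist against every source address that must keep working after the change. The source labels, addresses and helper names are constructed assumptions.

```python
import ipaddress

# Proposed allowlist for Admin > Security > IP Access Control (constructed values).
PROPOSED_ALLOWLIST = ["203.0.113.0/24", "198.51.100.25/32"]

# Every source that must still reach Hudu after saving (constructed values).
REQUIRED_SOURCES = {
    "admin workstation (current IP)": "203.0.113.10",
    "branch office egress": "203.0.113.77",
    "API sync script host": "198.51.100.25",
    "PSA integration egress": "192.0.2.80",
}


def parse_allowlist(entries):
    """Parse allowlist entries and collect the ones that are malformed."""
    networks, errors = [], []
    for entry in entries:
        try:
            # strict=True refuses entries with host bits set (e.g. 203.0.113.10/24),
            # which usually means the address or prefix length was mistyped.
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            errors.append(f"{entry}: {exc}")
    return networks, errors


def uncovered_sources(allowlist, required):
    """Return the labels of required sources that no allowlist entry covers."""
    networks, errors = parse_allowlist(allowlist)
    if errors:
        raise ValueError("fix allowlist entries first: " + "; ".join(errors))
    missing = []
    for label, addr in required.items():
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in networks):
            missing.append(label)
    return missing


if __name__ == "__main__":
    gaps = uncovered_sources(PROPOSED_ALLOWLIST, REQUIRED_SOURCES)
    print("Safe to save" if not gaps else f"Do not save yet, not covered: {gaps}")
```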
Summary
The following summarizes the available options for restricting Hudu access by IP:
- Entra ID CA policy (Part A): Restricts SSO sign-ins by IP for non-admin users. Configure a Named Location and CA policy targeting the Hudu non-gallery SAML app. Does not cover admin accounts.
- Hudu Native IP Access Control (Part B): Restricts all access to the Hudu instance by IP, including admins and API access. Configure under Admin > Security > IP Access Control. Recommended for complete coverage.
- Disable Password Access for non-admins: Optionally enforce SSO-only login for non-admin users in Hudu under Admin > Security > SAML/SSO. Ensures non-admins cannot bypass Entra ID CA policies using password login.
FAQs
Why is Hudu a high-value target for attackers?
Hudu often contains proprietary documentation, credentials, and infrastructure details. If accessed by an attacker, it can provide a roadmap to compromise an entire environment.
How is IP-based restriction different from MFA?
MFA verifies a user’s identity but not the user’s location. IP restrictions ensure that only authenticated users on approved networks are allowed access.
Can attackers bypass IP-based restrictions?
Attackers may attempt to use compromised VPNs or proxy services to bypass IP restrictions. This is why IP restrictions should be combined with MFA, least privilege access, and Zero Trust controls.


