How to restrict Salesforce access to specific IP addresses using Conditional Access

Salesforce is a leading customer relationship management (CRM) platform used by many organizations to manage their customer and prospect data, provide customer support, generate insights, and more.  

Because of the sensitive data Salesforce holds, it’s crucial to prevent unauthorized access to your company’s account.  

This article covers how to restrict access to your organization's Salesforce account to specific IP addresses using Conditional Access in Entra ID. This is critical in reducing the risk of data exposure.  

Why it’s important to restrict Salesforce access by IP address

Salesforce often contains customer records, sales pipelines, contracts, financial details, support cases, and internal communications. If a user's credentials are compromised through phishing, password reuse, or malware, unrestricted access allows an attacker to log in with those credentials from anywhere in the world.

By limiting access to approved IP addresses, organizations can reduce this risk by ensuring users can only access Salesforce from trusted environments.

Other key benefits include:

  • Limits exposure of CRM records, financial information, and proprietary business data.
  • IP restrictions add another layer of protection alongside MFA, role-based access, and Conditional Access policies.
  • Helps support compliance and regulatory requirements.
  • Limits exposure from unmanaged or insecure devices.

Step-by-step: How to restrict Salesforce access to specific IP addresses using Conditional Access

When Entra ID is configured as the identity provider for Salesforce via SAML SSO, Conditional Access policies are evaluated at sign-in time — allowing access to be blocked from any IP not on your approved list before a SAML assertion is issued to Salesforce.

The approach uses two components working together:

  • Named Locations: A saved list of trusted IP addresses or CIDR ranges defined in Entra ID.
  • Conditional Access policy: A policy that blocks Salesforce sign-ins originating from any IP not on the trusted list.

NOTE: Salesforce also has native IP restriction controls built into its platform, configurable at the org level and per user profile under Setup > Security Controls > Network Access. Entra ID Conditional Access and Salesforce native IP restrictions can be used together as complementary layers. This article covers the Entra ID approach. For full defense-in-depth, consider enabling both.

IMPORTANT: Salesforce began enforcing a device activation requirement for SSO logins in February 2026. To satisfy this requirement, the Conditional Access policy protecting Salesforce must enforce MFA, ensuring the SAML token issued by Entra ID includes the multipleauthn claim that Salesforce uses to verify device trust. An IP-only block policy without MFA enforcement may cause device activation prompts for users. It is strongly recommended to pair the IP restriction policy with a separate MFA enforcement policy for Salesforce.

Prerequisites

Before proceeding, confirm the following are in place:

  • Microsoft Entra ID P1 or P2 license — required for Conditional Access.
  • Conditional Access Administrator role or higher in Microsoft Entra ID.
  • Salesforce enterprise app (SAML SSO) registered in your Entra ID tenant with SSO configured and the AzureSSO authentication service enabled in Salesforce under My Domain settings.
  • Local Salesforce credentials disabled (recommended) — once SSO is validated, disable the option for users to log in with their Salesforce username and password. If local logins remain enabled, users can bypass Entra ID and the Conditional Access policy entirely.
  • Security Defaults disabled — Security Defaults and Conditional Access cannot run simultaneously.
  • Known static IP address — the public IP address or CIDR range of each approved location.
  • Break-glass admin account — must be excluded from this policy to prevent administrative lockout.

IMPORTANT: If your approved IP address is dynamic, this approach will not work reliably. You must use a static IP before implementing IP-based Conditional Access.

Step 1: Create a Named Location for your trusted IP(s)

A Named Location defines the trusted IP addresses that Entra ID will reference as a condition in the policy.

  1. Sign in to the Microsoft Entra admin center at entra.microsoft.com.
  2. Navigate to Protection > Conditional Access > Named locations.
  3. Select + IP ranges location.
  4. Name the location — for example: Trusted - Corporate Office
  5. Check the Mark as trusted location checkbox.
  6. Click + and enter your approved IP address or CIDR range. Examples:
    1. Single IP address: 203.0.113.10/32
    2. IP range (CIDR): 203.0.113.0/24
    3. Multiple sites: Create a separate Named Location for each site, then reference all of them in the policy.
  7. Click Create.

Step 2: Create the Conditional Access policy

Create a policy that blocks Salesforce access from any location not on your trusted list.

  1. In the Entra admin center, navigate to Protection > Conditional Access > Policies.
  2. Select + New policy.
  3. Name the policy — for example: Block Salesforce - Outside Trusted IPs

Assignments: Users

  1. Under Assignments > Users, select All users.
  2. Under Exclude, add your break-glass admin account and any integration or automation accounts that authenticate from dynamic IPs.

Assignments: Target Resources

  1. Under Target Resources, select Cloud apps > Select apps.
  2. Search for and select Salesforce.

Conditions: Locations

  1. Under Conditions > Locations, set Configure to Yes.
  2. Under Include, select Any location.
  3. Under Exclude, select Selected locations, then choose your Named Location from Step 1.

TIP: This configuration reads: apply this policy to sign-ins from any location, except the trusted named location. Any Salesforce sign-in originating outside the trusted IP will be blocked before Entra ID issues a SAML assertion to Salesforce.

Access Controls: Grant

  1. Under Access Controls > Grant, select Block access.
  2. Click Select to confirm.

Enable policy

  1. Set Enable policy to Report-only.
  2. Click Create.

IMPORTANT: Do not set this policy to On immediately. A block policy applied to All users that is misconfigured will lock all users out of Salesforce instantly. Always validate in Report-only mode first.

Step 3: Validate the policy

Before enabling enforcement, confirm the policy is evaluating sign-ins correctly.

  1. In the Entra admin center, navigate to Identity > Monitoring & health > Sign-in logs.
  2. Filter by the Salesforce application.
  3. Open a sign-in from a user on your trusted IP and confirm the Conditional Access tab shows Would succeed.
  4. If available, review a sign-in from an untrusted IP and confirm it shows Would fail with the location condition listed as the reason.
  5. Identify any Salesforce integration users, connected apps, or API access accounts that authenticate from IPs outside your Named Location. These will show as Would fail and must be reviewed before enabling enforcement.

TIP: Use the What If tool under Protection > Conditional Access to simulate how a specific user signing in from a specific IP would be evaluated without waiting for a real sign-in event.
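The policy logic from Steps 1 to 3 can be dry-run offline before touching the tenant. The following Python model is added here and is not part of the original article or of any Microsoft tooling: it reproduces the policy as configured (target Salesforce, include Any location, exclude the trusted Named Location, Block access, break-glass excluded) and runs it over constructed sign-in entries to produce the Would succeed / Would fail outcomes Step 3 looks for; the CIDR, account names and app label are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class SalesforceIpPolicy:
    """Offline model of the Step 2 policy: target Salesforce, include Any
    location, exclude the trusted Named Location, grant control = Block."""
    target_apps: frozenset      # Target Resources > Select apps
    trusted_ranges: tuple       # Named Location CIDRs from Step 1
    excluded_users: frozenset   # break-glass and dynamic-IP integration accounts

    def in_trusted_location(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(r, strict=False)
                   for r in self.trusted_ranges)

    def evaluate(self, user: str, app: str, ip: str) -> str:
        """Return the outcome the Report-only Conditional Access tab would show."""
        if app not in self.target_apps:
            return "Not applied (app not targeted)"
        if user in self.excluded_users:
            return "Not applied (user excluded)"
        # Include Any location / Exclude trusted: the policy only applies outside it
        if self.in_trusted_location(ip):
            return "Would succeed"
        return "Would fail (location)"


def review_signins(policy, signins):
    """Step 3 walk-through: evaluate each sign-in and list the users who would be
    blocked; these must be reviewed before the policy is switched to On."""
    results = [(s["user"], s["ip"], policy.evaluate(s["user"], s["app"], s["ip"]))
               for s in signins]
    to_review = sorted({u for u, _, r in results if r.startswith("Would fail")})
    return results, to_review


# Hypothetical policy values: the CIDR and the account names are constructed.
POLICY = SalesforceIpPolicy(
    target_apps=frozenset({"Salesforce"}),
    trusted_ranges=("203.0.113.0/24",),
    excluded_users=frozenset({"breakglass@contoso.example"}),
)

# Constructed sign-in entries standing in for the Entra sign-in logs.
SIGNINS = [
    {"user": "alice@contoso.example", "app": "Salesforce", "ip": "203.0.113.10"},
    {"user": "bob@contoso.example", "app": "Salesforce", "ip": "198.51.100.7"},
    {"user": "svc-sfdc-sync@contoso.example", "app": "Salesforce", "ip": "192.0.2.44"},
    {"user": "breakglass@contoso.example", "app": "Salesforce", "ip": "198.51.100.7"},
    {"user": "alice@contoso.example", "app": "Office 365", "ip": "198.51.100.7"},
]

if __name__ == "__main__":
    rows, review = review_signins(POLICY, SIGNINS)
    for user, ip, outcome in rows:
        print(f"{user:32} {ip:15} {outcome}")
    print("Review before enabling:", ", ".join(review))
```

The svc-sfdc-sync entry illustrates item 5 of Step 3: an integration account signing in from outside the Named Location shows as Would fail and needs either a static trusted IP or an exclusion before enforcement.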

Step 4: Enable the policy

  1. In the Entra admin center, navigate to Protection > Conditional Access > Policies.
  2. Select the policy created in Step 2.
  3. Change Enable policy from Report-only to On.
  4. Click Save.

From this point forward, any Salesforce sign-in attempt from an IP address not included in your Named Location will be blocked. Entra ID will not issue a SAML assertion to Salesforce, and the user will be denied access at the identity provider level.  

NOTE: Users who are already signed in to Salesforce when the policy is enabled will not be immediately signed out. The block takes effect on the next sign-in or token refresh. Confirm that local Salesforce logins are disabled under My Domain > Authentication Configuration to prevent users from bypassing Entra ID using their Salesforce username and password.  

Summary

The following table summarizes the full configuration process:

Step            Action
Prerequisites   Confirm license, Salesforce SAML SSO configured and AzureSSO enabled in My Domain, local logins disabled, Security Defaults disabled, static IP(s) identified
Step 1          Create a Named Location with your trusted IP address(es) in Entra ID
Step 2          Create a CA policy targeting Salesforce, excluding the Named Location, with Block access
Step 3          Validate in Report-only mode — pay attention to API and integration account sign-ins
Step 4          Switch Enable policy to On

FAQs

What do I need before configuring IP restrictions for Salesforce?

Before setting up IP-based access restrictions, you need:

  • Administrative access to your identity provider or Salesforce environment
  • A list of approved public IP addresses or VPN ranges
  • Salesforce integrated with your identity provider (if using Conditional Access)
  • A test account to validate policies before deployment

Why should I test in report-only mode first?
It is strongly recommended to deploy policies in a report-only or test mode first to ensure legitimate users are not unintentionally blocked.

How can remote employees still access Salesforce with IP restrictions enabled?
Organizations commonly allow remote users to connect through a VPN or secure access solution that routes traffic through approved IP addresses.

Do IP restrictions replace multi-factor authentication (MFA)?
No. IP restrictions should complement MFA and other security controls. MFA verifies identity, while IP restrictions control where access is allowed from.
