ServiceNow is a widely used cloud-based platform that helps organizations manage their IT services, operations, customer support, and internal processes. It often contains privileged information and therefore access must be secured.
This article walks through restricting ServiceNow access to one or more approved IP addresses using Conditional Access in Microsoft Entra ID. Restricting ServiceNow access to specific IP addresses helps ensure that only users connecting from approved networks can access the platform and its sensitive data.
This adds an additional layer of security by controlling where access can originate, helping reduce the risk of unauthorized access even if credentials are compromised.
Why it’s important to restrict access to ServiceNow by IP address
Restricting access to ServiceNow based on IP address helps organizations strengthen control over critical operational systems and reduce exposure to unauthorized access attempts.
Key benefits:
- Even if credentials are compromised, attackers cannot access ServiceNow from outside approved networks.
- Limits access to incident records, workflows, configurations, and internal business information to trusted environments only.
- IP restrictions help enforce where access is allowed from, strengthening identity-based security controls.
- Organizations can require users to connect through approved corporate networks or VPNs before accessing ServiceNow.
- Enforces stronger access controls for platforms that manage critical business operations and sensitive data.
For organizations using ServiceNow as a central operational platform, controlling where users can access the environment from is an important part of reducing risk.
Step-by-step: How to restrict ServiceNow access to specific IP addresses using Conditional Access
When Entra ID is configured as the identity provider for ServiceNow via SAML SSO, Conditional Access policies are evaluated at sign-in time, blocking access from any IP not on your approved list before a SAML assertion is issued to ServiceNow.
The approach uses two components working together:
- Named Locations — a saved list of trusted IP addresses or CIDR ranges defined in Entra ID.
- Conditional Access policy — a policy that blocks ServiceNow sign-ins originating from any IP not on the trusted list.
NOTE: ServiceNow also includes native IP access restriction controls at the instance and user record level, configurable under System Security > IP Address Access Control. These can be used alongside Entra ID Conditional Access as complementary layers. This article covers the Entra ID approach, which enforces restrictions at the identity provider level before authentication reaches ServiceNow.
IMPORTANT: ServiceNow requires the Integration - Multiple Provider SSO Installer plugin to be activated before SAML SSO can be configured. If this plugin has not been activated in your ServiceNow instance, SSO configuration will not be available. Confirm the plugin is active before proceeding.
Prerequisites
Before proceeding, confirm the following are in place:
- Microsoft Entra ID P1 or P2 license — required for Conditional Access.
- Conditional Access Administrator role or higher in Microsoft Entra ID.
- ServiceNow enterprise app (SAML SSO) registered in your Entra ID tenant with SSO configured, the Multi-Provider SSO plugin activated in ServiceNow, and the identity provider set to Active.
- Local ServiceNow logins disabled (recommended) — if users can still log in with their ServiceNow username and password, they can bypass Entra ID and the Conditional Access policy. Disable local logins in ServiceNow under Multi-Provider SSO > Properties by enabling the option to redirect all users through the external identity provider.
- Security Defaults disabled — Security Defaults and Conditional Access cannot run simultaneously.
- Known static IP address — the public IP address or CIDR range of each approved location.
- Break-glass admin account — must be excluded from this policy to prevent administrative lockout.
IMPORTANT: If your approved IP address is dynamic, this approach will not work reliably. You must use a static IP before implementing IP-based Conditional Access.
Step 1: Create a Named Location for your trusted IP(s)
A Named Location defines the trusted IP addresses that Entra ID will reference as a condition in the policy.
- Sign in to the Microsoft Entra admin center at entra.microsoft.com.
- Navigate to Protection > Conditional Access > Named locations.
- Select + IP ranges location.
- Name the location — for example: Trusted - Corporate Office
- Check the Mark as trusted location checkbox.
- Click + and enter your approved IP address or CIDR range. Examples:
  - Single IP address: 203.0.113.10/32
  - IP range (CIDR): 203.0.113.0/24
  - Multiple sites: Create a separate Named Location for each site, then reference all of them in the policy
- Click Create.
Step 2: Create the Conditional Access policy
Create a policy that blocks ServiceNow access from any location not on your trusted list.
- In the Entra admin center, navigate to Protection > Conditional Access > Policies.
- Select + New policy.
- Name the policy — for example: Block ServiceNow - Outside Trusted IPs
Assignments: Users
- Under Assignments > Users, select All users.
- Under Exclude, add your break-glass admin account and any integration or MID Server accounts that authenticate from dynamic IPs.
NOTE: ServiceNow integrations and MID Servers may authenticate to the ServiceNow instance through Entra ID in some configurations. Review your integration accounts before enabling this policy to confirm they will not be blocked.
Assignments: Target Resources
- Under Target Resources, select Cloud apps > Select apps.
- Search for and select ServiceNow.
Conditions: Locations
- Under Conditions > Locations, set Configure to Yes.
- Under Include, select Any location.
- Under Exclude, select Selected locations, then choose your Named Location from Step 1.
TIP: This configuration reads: apply this policy to sign-ins from any location, except the trusted named location. Any ServiceNow sign-in originating outside the trusted IP will be blocked before Entra ID issues a SAML assertion to ServiceNow.
Access Controls: Grant
- Under Access Controls > Grant, select Block access.
- Click Select to confirm.
Enable policy
- Set Enable policy to Report-only.
- Click Create.
IMPORTANT: Do not set this policy to On immediately. A block policy applied to All users that is misconfigured will lock all users out of ServiceNow instantly. Always validate in Report-only mode first.
Step 3: Validate the policy
Before enabling enforcement, confirm the policy is evaluating sign-ins correctly.
- In the Entra admin center, navigate to Identity > Monitoring & health > Sign-in logs.
- Filter by the ServiceNow application.
- Open a sign-in from a user on your trusted IP and confirm the Conditional Access tab shows Would succeed.
- If available, review a sign-in from an untrusted IP and confirm it shows Would fail with the location condition listed as the reason.
- Review any integration or service account sign-ins that show Would fail. Confirm whether they need to be excluded or whether their source IPs can be added to the Named Location.
TIP: Use the What If tool under Protection > Conditional Access to simulate how a specific user signing in from a specific IP would be evaluated without waiting for a real sign-in event.
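As an added example (not part of the original article and not Microsoft tooling), the Python sketch below models the Step 2 policy logic over sign-in records, so you can list which accounts would be blocked, and from which source IPs, before moving from Report-only to On. Field names follow the Microsoft Graph signIn resource; the account names, addresses and sample records are constructed, and the trusted range reuses the Step 1 example.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this sketch: the range mirrors the Step 1 example, the
# excluded account name is hypothetical, and SAMPLE_SIGN_INS is constructed.
TRUSTED_RANGES = ["203.0.113.0/24"]
EXCLUDED_USERS = {"breakglass@example.com"}
TARGET_APP = "ServiceNow"

SAMPLE_SIGN_INS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "ServiceNow", "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "ServiceNow", "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "ServiceNow", "ipAddress": "2001:db8::25"},
    {"userPrincipalName": "svc-mid@example.com", "appDisplayName": "ServiceNow", "ipAddress": "192.0.2.44"},
    {"userPrincipalName": "breakglass@example.com", "appDisplayName": "ServiceNow", "ipAddress": "198.51.100.99"},
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Office 365", "ipAddress": "198.51.100.7"},
]

def is_trusted(ip, ranges=TRUSTED_RANGES):
    """True if ip is inside any trusted CIDR range.

    An IPv6 address never matches an IPv4 range, so a sign-in arriving
    over IPv6 counts as untrusted unless an IPv6 range is listed.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)

def evaluate(sign_in):
    """Model the Step 2 policy: returns out_of_scope, allowed, or blocked."""
    if sign_in["appDisplayName"] != TARGET_APP:
        return "out_of_scope"   # policy targets only the ServiceNow app
    if sign_in["userPrincipalName"].lower() in EXCLUDED_USERS:
        return "out_of_scope"   # excluded under Assignments > Users
    if is_trusted(sign_in["ipAddress"]):
        return "allowed"        # trusted location is excluded from the block
    return "blocked"            # any other location: Grant = Block access

def accounts_to_review(sign_ins):
    """Map each account that would be blocked to the source IPs it used."""
    blocked = defaultdict(set)
    for s in sign_ins:
        if evaluate(s) == "blocked":
            blocked[s["userPrincipalName"]].add(s["ipAddress"])
    return {user: sorted(ips) for user, ips in blocked.items()}

if __name__ == "__main__":
    for user, ips in accounts_to_review(SAMPLE_SIGN_INS).items():
        print(f"{user}: {', '.join(ips)}")
```

Each account in the output needs one of the two decisions from the last validation step: exclude it from the policy, or add its source IPs to a Named Location.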
Step 4: Enable the policy
- In the Entra admin center, navigate to Protection > Conditional Access > Policies.
- Select the policy created in Step 2.
- Change Enable policy from Report-only to On.
- Click Save.
From this point forward, any ServiceNow sign-in attempt from an IP address not included in your Named Location will be blocked. Entra ID will not issue a SAML assertion to ServiceNow, and the user will be denied access at the identity provider level.
NOTE: Users who are already signed in to ServiceNow when the policy is enabled will not be immediately signed out. The block takes effect on the next sign-in or token refresh, typically within one hour. Confirm that local ServiceNow logins are disabled in Multi-Provider SSO settings to prevent users from bypassing Entra ID using ServiceNow credentials.
Summary
The following table summarizes the full configuration process:
FAQs
What do I need before configuring ServiceNow IP restrictions?
Before setting up IP-based access restrictions, you should have:
- Administrative access to your identity provider or ServiceNow environment
- A list of approved IP addresses or VPN ranges
- ServiceNow integrated with your identity provider (if using Conditional Access)
- A test account for policy validation
What happens if a user attempts to access ServiceNow from an unapproved IP address?
The login attempt will be blocked based on the configured policy, preventing access unless the user connects from an approved network or VPN.
Can remote employees still access ServiceNow with IP restrictions enabled?
Yes. Organizations commonly require remote users to connect through a VPN or secure remote access solution that routes traffic through approved IP addresses before accessing ServiceNow.
Should IP restrictions replace multi-factor authentication (MFA)?
No. IP restrictions should be layered with MFA and other security controls. MFA verifies identity, while IP restrictions help control where access is permitted from.


