Slack is a key internal communication tool for many organizations. It is often used to share sensitive files, integrate business applications, and centralize conversations.
Because of the sensitive data Slack holds, securing access is crucial. By restricting Slack access to specific IP addresses, organizations can ensure that only users connecting from approved networks are able to access company workspaces and communications.
This adds another layer of security by controlling where access can originate, reducing the risk of unauthorized access even if credentials are compromised.
Why you should restrict Slack access by IP address
Restricting access to Slack based on IP address helps organizations reduce exposure to unauthorized access and protect sensitive business communications.
Key benefits:
- Even if credentials are compromised, attackers cannot access Slack from outside approved networks.
- Limits access to internal conversations, project discussions, and documents to trusted environments only.
- IP restrictions help enforce where access is allowed from, strengthening existing MFA and password controls.
- Organizations can require users to connect through approved corporate networks or VPNs before accessing Slack.
- Helps organizations enforce stronger access controls that are required for various compliance and regulatory standards.
For organizations using Slack as a central collaboration hub, controlling where users can access the platform from is an important part of reducing risk.
Step-by-step: How to restrict Slack access to specific IP addresses using Conditional Access policies
This article walks through restricting Slack access to one or more approved IP addresses using Conditional Access in Microsoft Entra ID. When Entra ID is configured as the identity provider for Slack via SAML SSO, Conditional Access policies are evaluated at sign-in time, blocking access from any IP not on your approved list before a SAML assertion is issued to Slack.
The approach uses two components working together:
- Named Locations: A saved list of trusted IP addresses or CIDR ranges defined in Entra ID.
- Conditional Access policy: A policy that blocks Slack sign-ins originating from any IP not on the trusted list.
NOTE: SAML SSO for Slack is only available on Business+ and Enterprise Grid plans. It is not available on the Free or Pro plans. Confirm your Slack subscription tier before proceeding.
SSO enforcement modes
Slack offers three SSO enforcement modes, each with different implications for IP-based access control. The mode must be set to Required for this Conditional Access policy to provide full enforcement.
IMPORTANT: Even with SSO set to Required, guests are excluded from SSO enforcement by default in Slack and can still sign in with email and password. If your organization has external guests in Slack, they will not be subject to the Conditional Access policy. Manage guest access separately through Slack's guest exclusion settings and consider whether additional controls are needed for guest accounts.
Prerequisites
Before proceeding, confirm the following are in place:
- Microsoft Entra ID P1 or P2 license — required for Conditional Access.
- Conditional Access Administrator role or higher in Microsoft Entra ID.
- Slack Business+ or Enterprise Grid plan — required for SAML SSO.
- Slack enterprise app (SAML SSO) registered in your Entra ID tenant with SSO configured and verified in Slack.
- SSO set to Required in Slack — configured under Security > SSO & Authentication in Slack settings. If set to Optional, users can bypass Entra ID.
- Security Defaults disabled — Security Defaults and Conditional Access cannot run simultaneously.
- Known static IP address — the public IP address or CIDR range of each approved location.
- Break-glass admin account — must be excluded from this policy to prevent administrative lockout.
IMPORTANT: If your approved IP address is dynamic, this approach will not work reliably. You must use a static IP before implementing IP-based Conditional Access.
Step 1: Create a Named Location for your trusted IP(s)
A Named Location defines the trusted IP addresses that Entra ID will reference as a condition in the policy.
- Sign in to the Microsoft Entra admin center at entra.microsoft.com.
- Navigate to Protection > Conditional Access > Named locations.
- Select + IP ranges location.
- Name the location — for example: Trusted - Corporate Office
- Check the Mark as trusted location checkbox.
- Click + and enter your approved IP address or CIDR range. Examples:
  - Single IP address: 203.0.113.10/32
  - IP range (CIDR): 203.0.113.0/24
  - Multiple sites: Create a separate Named Location for each site, then reference all of them in the policy.
- Click Create.
Step 2: Create the Conditional Access policy
Create a policy that blocks Slack access from any location not on your trusted list.
- In the Entra admin center, navigate to Protection > Conditional Access > Policies.
- Select + New policy.
- Name the policy — for example: Block Slack - Outside Trusted IPs
Assignments: Users
- Under Assignments > Users, select All users.
- Under Exclude, add your break-glass admin account.
Assignments: Target Resources
- Under Target Resources, select Cloud apps > Select apps.
- Search for and select Slack.
Conditions: Locations
- Under Conditions > Locations, set Configure to Yes.
- Under Include, select Any location.
- Under Exclude, select Selected locations, then choose your Named Location from Step 1.
TIP: This configuration reads: Apply this policy to sign-ins from any location, except the trusted named location. Any Slack sign-in originating outside the trusted IP will be blocked before Entra ID issues a SAML assertion to Slack.
Access Controls: Grant
- Under Access Controls > Grant, select Block access.
- Click Select to confirm.
Enable Policy
- Set Enable policy to Report-only.
- Click Create.
IMPORTANT: Do not set this policy to On immediately. A block policy applied to All users that is misconfigured will lock all users out of Slack instantly. Always validate in Report-only mode first.
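Steps 1 and 2 can also be expressed as Microsoft Graph request bodies, which is useful when Conditional Access configuration is kept in source control. The following is an added example, not part of the original article: the function names and the placeholder IDs are assumptions, and the private-range check reflects the prerequisite that each approved address be public.

```python
import ipaddress
import json

# RFC 1918 ranges: internal addresses, never the egress IP Entra ID sees.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def named_location_body(display_name, cidrs):
    """Body for POST /identity/conditionalAccess/namedLocations (Step 1)."""
    ranges = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects typos and host bits
        if net.version == 4 and any(net.overlaps(p) for p in RFC1918):
            raise ValueError(f"{cidr} is private; use the public egress range")
        kind = "iPv4CidrRange" if net.version == 4 else "iPv6CidrRange"
        ranges.append({"@odata.type": f"#microsoft.graph.{kind}",
                       "cidrAddress": str(net)})
    return {"@odata.type": "#microsoft.graph.ipNamedLocation",
            "displayName": display_name, "isTrusted": True, "ipRanges": ranges}

def block_policy_body(display_name, slack_app_id, trusted_location_ids, break_glass_ids):
    """Body for POST /identity/conditionalAccess/policies (Step 2)."""
    if not break_glass_ids:
        raise ValueError("exclude at least one break-glass account")
    if not trusted_location_ids:
        raise ValueError("no trusted location: every Slack sign-in would be blocked")
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced",  # Report-only, as in Step 2
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": [slack_app_id]},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": list(trusted_location_ids)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

if __name__ == "__main__":
    # Placeholder IDs (assumptions): substitute the values from your own tenant.
    print(json.dumps(named_location_body("Trusted - Corporate Office",
                                         ["203.0.113.0/24"]), indent=2))
    print(json.dumps(block_policy_body("Block Slack - Outside Trusted IPs",
                                       "<slack-app-id>", ["<named-location-id>"],
                                       ["<break-glass-object-id>"]), indent=2))
```

The named location must be created first, because the policy body references the ID that Graph returns for it.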
Step 3: Validate the policy
Before enabling enforcement, confirm the policy is evaluating sign-ins correctly.
- In the Entra admin center, navigate to Identity > Monitoring & health > Sign-in logs.
- Filter by the Slack application.
- Open a sign-in from a user on your trusted IP and confirm the Conditional Access tab shows Would succeed.
- If available, review a sign-in from an untrusted IP and confirm it shows Would fail with the location condition listed as the reason.
- Investigate any unexpected Would fail entries for users on trusted IPs. This typically indicates the network is presenting a different egress IP than what is entered in the Named Location.
TIP: Use the What If tool under Protection > Conditional Access to simulate how a specific user signing in from a specific IP would be evaluated without waiting for a real sign-in event.
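Reviewing sign-ins one at a time does not scale past a handful of users, so the check in Step 3 can be run over an export of the sign-in log instead. The following is an added example, not part of the original article: it groups the Slack sign-ins that the report-only policy would have blocked by source IP, so an unlisted office or VPN egress address stands out before enforcement. The sample records are constructed and carry only the fields the script reads.

```python
import ipaddress
from collections import defaultdict

POLICY = "Block Slack - Outside Trusted IPs"        # policy name from Step 2
TRUSTED = [ipaddress.ip_network("203.0.113.0/24")]  # range entered in Step 1

def rec(user, ip, result, app="Slack", policy=POLICY):
    """Build one constructed record with the sign-in fields used below."""
    return {"userPrincipalName": user, "ipAddress": ip, "appDisplayName": app,
            "appliedConditionalAccessPolicies": [
                {"displayName": policy, "result": result}]}

# Constructed sample data (documentation IP ranges, made-up users).
SIGN_INS = [
    rec("alice@example.com", "203.0.113.25", "reportOnlyNotApplied"),
    rec("bob@example.com", "198.51.100.7", "reportOnlyFailure"),
    rec("carol@example.com", "198.51.100.7", "reportOnlyFailure"),
    rec("dave@example.com", "2001:db8::15", "reportOnlyFailure"),
    rec("erin@example.com", "192.0.2.44", "reportOnlyFailure", app="Other App"),
]

def would_be_blocked(sign_ins, policy_name=POLICY, trusted=TRUSTED):
    """Group Slack sign-ins the report-only policy would block by source IP."""
    users_by_ip = defaultdict(set)
    for s in sign_ins:
        if s.get("appDisplayName") != "Slack":
            continue
        for p in s.get("appliedConditionalAccessPolicies", []):
            if (p.get("displayName") == policy_name
                    and p.get("result") == "reportOnlyFailure"):
                users_by_ip[s["ipAddress"]].add(s["userPrincipalName"])
    report = []
    for ip, users in users_by_ip.items():
        addr = ipaddress.ip_address(ip)
        report.append({
            "ip": ip,
            "users": sorted(users),
            "ip_version": addr.version,  # IPv6 egress is easy to miss in Step 1
            # True means the tenant's Named Location differs from TRUSTED.
            "inside_expected_range": any(addr in net for net in trusted),
        })
    # Most-affected addresses first: likely a missing office or VPN range.
    return sorted(report, key=lambda r: (-len(r["users"]), r["ip"]))

if __name__ == "__main__":
    for row in would_be_blocked(SIGN_INS):
        print(row)
```

Real records can be taken from the sign-in log export or the Microsoft Graph `auditLogs/signIns` endpoint, which use the same field names.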
Step 4: Enable the policy
- In the Entra admin center, navigate to Protection > Conditional Access > Policies.
- Select the policy created in Step 2.
- Change Enable policy from Report-only to On.
- Click Save.
From this point forward, any Slack sign-in attempt from an IP address not included in your Named Location will be blocked. Entra ID will not issue a SAML assertion to Slack, and the user will be denied access at the identity provider level.
NOTE: Users who are already signed in to Slack when the policy is enabled will not be immediately signed out. The block takes effect on the next sign-in or token refresh. Confirm that SSO is set to Required in Slack under Security > SSO & Authentication. Guests are excluded from SSO enforcement by default in Slack and will not be affected by this policy regardless of their IP address.
Summary
The following table summarizes the full configuration process:
FAQs
What happens if a user attempts to access Slack from an unapproved IP address?
The login attempt will be blocked based on the configured policy, preventing access unless the user connects from an approved network or VPN.
Can remote employees still use Slack with IP restrictions enabled?
Yes. Organizations commonly require remote users to connect through a VPN or secure network that routes traffic through approved IP addresses before accessing Slack.
Should IP restrictions replace multi-factor authentication (MFA)?
No. IP restrictions should complement MFA and other security controls. MFA verifies identity, while IP restrictions help control where access is permitted from.
Can different Slack users or teams have different access policies?
Yes. Organizations can apply separate policies for administrators, contractors, departments, or third-party users based on risk level and business requirements.


