Syncro is an IT management and security platform used by many IT teams and managed service providers (MSPs). It combines Remote Monitoring and Management (RMM), Professional Service Automation (PSA), and remote support.
This article explains how to restrict Syncro access using Microsoft Entra ID Conditional Access based on trusted IP addresses. Syncro supports OpenID Connect (OIDC) single sign-on with Entra ID as the identity provider, allowing organizations to enforce location-based access controls before authentication is completed.
By limiting access to approved networks such as corporate offices or secure VPN connections, organizations can reduce the risk of unauthorized technician access and protect sensitive customer management workflows.
Why it’s important to restrict Syncro access by IP address
Restricting Syncro access by IP address helps secure administrative and technician access to critical MSP tools and customer management systems.
Key benefits include:
- Block Syncro sign-ins originating from untrusted or unknown networks.
- Ensure access to tickets, assets, remote management tools, and customer information is limited to approved environments.
- Even if a technician's credentials are exposed, an attacker outside the trusted IP ranges cannot complete the Entra ID sign-in to Syncro. (An attacker who is already on a trusted network is not stopped by this control; it complements MFA rather than replacing it.)
- Use Entra ID Conditional Access policies to enforce network-based restrictions consistently.
- Restricting administrative platform access by location helps reduce operational and client risk.
Because Entra ID evaluates Conditional Access policies during the OIDC sign-in, a sign-in from outside the trusted ranges is blocked before Entra ID issues an ID token to Syncro.
Step-by-step: Restricting Syncro access to a specific IP address using Conditional Access
Syncro supports SSO using OpenID Connect (OIDC) with Entra ID as the identity provider. When SSO is enabled and enforced, Conditional Access policies in Entra ID are evaluated at sign-in time, blocking access from any IP not on your approved list before Entra ID issues an identity token to Syncro.
The approach uses two components working together:
- Named Locations: A saved list of trusted IP addresses or CIDR ranges defined in Entra ID.
- Conditional Access policy: A policy that blocks Syncro sign-ins originating from any IP not on the trusted list.
NOTE: Syncro uses OIDC for SSO rather than SAML. From a Conditional Access perspective this makes no practical difference — Entra ID evaluates CA policies for OIDC-based authentication the same way it does for SAML. The Syncro app registered in your Entra ID tenant will appear as the target resource in the CA policy.
IMPORTANT: If your organization also uses Syncro's Microsoft CSP integration with a dedicated Syncro Service Account, that account requires its own separate Conditional Access policy with specific requirements. This is covered in Part B of this article.
Prerequisites
Before proceeding, confirm the following are in place:
- Microsoft Entra ID P1 or P2 license — required for Conditional Access.
- Conditional Access Administrator role or higher in Microsoft Entra ID.
- Syncro SSO configured with Entra ID — the OIDC app registration must exist in Entra ID and SSO must be enabled in Syncro under Admin > Syncro Administration > Login Settings.
- SSO enabled (account-wide) in Syncro — Syncro's SSO is an all-or-nothing account-wide setting. Once enabled, all active Syncro user accounts are authenticated through Entra ID. If SSO is not enabled, Entra ID is not in the authentication path and CA policies will not apply.
- Security Defaults disabled — Security Defaults and Conditional Access cannot run simultaneously.
- Known static IP address(es) — the public IP address or CIDR range of each approved location.
- Break-glass admin account — must be excluded from this policy to prevent administrative lockout.
IMPORTANT: If your approved IP address is dynamic, this approach will not work reliably. You must use a static IP before implementing IP-based Conditional Access.
Part A: Restrict Syncro technician access by IP
Step 1: Create a Named Location for your trusted IP(s)
- Sign in to the Microsoft Entra admin center at entra.microsoft.com.
- Navigate to Protection > Conditional Access > Named locations.
- Select + IP ranges location.
- Name the location — for example: Trusted - MSP Office
- Check the Mark as trusted location checkbox.
- Click + and enter your approved IP address or CIDR range. Examples:
  - Single IP address: 203.0.113.10/32
  - IP range (CIDR): 203.0.113.0/24
  - Multiple sites: a single IP ranges location can hold several ranges, so either add each site's range to this Named Location, or create a separate Named Location per site (useful for separate reporting) and exclude all of them in the policy.
- Click Create.
Step 2: Create the Conditional Access policy
- In the Entra admin center, navigate to Protection > Conditional Access > Policies and select + New policy.
- Name the policy — for example: Block Syncro - Outside Trusted IPs
- Under Assignments > Users, select All users. Under Exclude, add your break-glass admin account.
- Under Target Resources, select Cloud apps > Select apps, then search for and select the Syncro OIDC application registered in your tenant.
- Under Conditions > Locations, set Configure to Yes. Under Include, choose Any location; under Exclude, choose Selected locations and pick the Named Location(s) you created in Step 1.
- Under Access Controls > Grant, select Block access.
- Set Enable policy to Report-only.
- Click Create.
TIP: If you cannot locate the Syncro app by name in the cloud apps selector, look for the name used during OIDC app registration in your Entra ID tenant. This is typically the name you entered when creating the App Registration for Syncro. You can also check Entra ID > App Registrations to confirm the app name.
Step 3: Validate and enable
- Navigate to Identity > Monitoring & health > Sign-in logs and filter by the Syncro application.
- Open each sign-in and check the Report-only tab: sign-ins from trusted IPs should show Report-only: Not applied (the excluded location keeps the policy out of scope), and sign-ins from untrusted IPs should show Report-only: Failure. If untrusted sign-ins show Not applied, the policy is not targeting the right application or users.
- Use the What If tool under Protection > Conditional Access to simulate specific user and IP combinations if needed.
- Once validated, return to the policy and switch Enable policy from Report-only to On.
NOTE: Syncro's SSO is account-wide; there is no per-user SSO bypass option. Once SSO is enabled, all active Syncro user accounts must authenticate through Entra ID. Users who are already signed in when the policy is enabled are not cut off immediately: the policy is evaluated at their next Entra ID sign-in or token refresh. Confirm SSO is enabled in Syncro under Admin > Syncro Administration > Login Settings before enabling enforcement.
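The Step 1 to Step 3 configuration above, expressed as Microsoft Graph request bodies together with a local dry run of the location condition, as an added example that is not Syncro's or Microsoft's code. The Graph endpoints (/identity/conditionalAccess/namedLocations and /identity/conditionalAccess/policies) and the ipNamedLocation and conditionalAccessPolicy field names are real; the object IDs, the Named Location ID "nl-office", the sign-in events and the helper names post_graph, policy_applies and report_only_pass are placeholders introduced here.

```python
"""Added example (not Syncro's or Microsoft's code): Part A as Graph request bodies,
plus a local dry run of the location condition over constructed sign-in events.
All IDs below are assumed placeholders; replace them with values from your tenant."""
from __future__ import annotations

import ipaddress
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Assumed placeholders: the application (client) ID of the Syncro OIDC app registration
# and the object ID of the break-glass user.
SYNCRO_APP_ID = "11111111-1111-1111-1111-111111111111"
BREAK_GLASS_ID = "22222222-2222-2222-2222-222222222222"


def named_location_body(name: str, cidrs: list[str]) -> dict:
    """Body for POST /identity/conditionalAccess/namedLocations (Step 1).
    strict=True rejects ranges with host bits set (e.g. 203.0.113.10/24), a typo
    that would otherwise trust a wider range than intended."""
    ranges = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        odata = "#microsoft.graph.iPv4CidrRange" if net.version == 4 else "#microsoft.graph.iPv6CidrRange"
        ranges.append({"@odata.type": odata, "cidrAddress": str(net)})
    return {"@odata.type": "#microsoft.graph.ipNamedLocation",
            "displayName": name,
            "isTrusted": True,  # "Mark as trusted location"
            "ipRanges": ranges}


def block_policy_body(name: str, app_id: str, named_location_ids: list[str],
                      exclude_users: list[str], report_only: bool = True) -> dict:
    """Body for POST /identity/conditionalAccess/policies (Step 2): all users minus
    break-glass, Syncro app only, any location except the trusted ones, block."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": exclude_users},
            "applications": {"includeApplications": [app_id]},
            "locations": {"includeLocations": ["All"], "excludeLocations": named_location_ids},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_applies(policy: dict, location_cidrs: dict[str, list[str]],
                   user_id: str, app_id: str, ip: str) -> bool:
    """Local approximation of policy scoping: models only the users, application and
    IP-location conditions used in Part A. A pre-check, not a substitute for What If."""
    cond = policy["conditions"]
    users, apps, locs = cond["users"], cond["applications"], cond["locations"]
    if user_id in users["excludeUsers"]:
        return False
    if "All" not in users["includeUsers"] and user_id not in users["includeUsers"]:
        return False
    if "All" not in apps["includeApplications"] and app_id not in apps["includeApplications"]:
        return False
    addr = ipaddress.ip_address(ip)
    for loc_id in locs["excludeLocations"]:  # location_cidrs maps Named Location id -> CIDRs
        if any(addr in ipaddress.ip_network(c) for c in location_cidrs.get(loc_id, [])):
            return False
    return True


def report_only_pass(policy: dict, location_cidrs: dict[str, list[str]],
                     signins: list[dict]) -> list[str]:
    """Mirror of the Step 3 review: the report-only result expected for each sign-in."""
    blocks = "block" in policy["grantControls"]["builtInControls"]
    out = []
    for s in signins:
        if policy_applies(policy, location_cidrs, s["user"], s["app"], s["ip"]):
            out.append("Report-only: Failure" if blocks else "Report-only: Success")
        else:
            out.append("Report-only: Not applied")
    return out


def post_graph(path: str, body: dict, token: str) -> dict:
    """POST a body to Graph (network call). Needs a token with Policy.ReadWrite.ConditionalAccess."""
    req = urllib.request.Request(
        GRAPH + path, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample data (not real sign-in logs). "nl-office" stands in for the id
# that Graph returns when the Named Location is created.
TRUSTED = {"nl-office": ["203.0.113.10/32", "203.0.113.64/26"]}
SAMPLE_SIGNINS = [
    {"user": "tech-alice", "app": SYNCRO_APP_ID, "ip": "203.0.113.10"},      # office
    {"user": "tech-alice", "app": SYNCRO_APP_ID, "ip": "198.51.100.7"},      # home: blocked
    {"user": "tech-bob", "app": SYNCRO_APP_ID, "ip": "203.0.113.99"},        # inside /26
    {"user": BREAK_GLASS_ID, "app": SYNCRO_APP_ID, "ip": "198.51.100.7"},    # excluded user
    {"user": "tech-bob", "app": "some-other-app", "ip": "198.51.100.7"},     # not Syncro
]

if __name__ == "__main__":
    loc = named_location_body("Trusted - MSP Office", TRUSTED["nl-office"])
    pol = block_policy_body("Block Syncro - Outside Trusted IPs", SYNCRO_APP_ID,
                            list(TRUSTED), [BREAK_GLASS_ID])
    print(json.dumps(loc, indent=2))
    print(json.dumps(pol, indent=2))
    for s, r in zip(SAMPLE_SIGNINS, report_only_pass(pol, TRUSTED, SAMPLE_SIGNINS)):
        print(f"{s['user']:<40} {s['ip']:<15} {r}")
```

Create the Named Location first with post_graph and copy the id from the response into named_location_ids before creating the policy; the policy starts in report-only, so switching state to "enabled" is the same step as flipping Enable policy to On in the portal. The dry run deliberately leaves the policy out of scope for the break-glass account and for sign-ins to other apps, which is the behaviour you should see as Report-only: Not applied in the real logs.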
Part B: Conditional Access policy for the Syncro Service Account
If your organization uses Syncro's Microsoft CSP integration, a dedicated Syncro Service Account is required in your Entra ID tenant for Syncro to access customer Microsoft 365 tenants via GDAP. This account requires its own Conditional Access policy.
IMPORTANT: Syncro's own documentation specifies that the service account's CA policy must enforce MFA on every sign-in. The Syncro Service Account authenticates from Syncro's cloud infrastructure, not from your office IP. Do not add your Named Location as a trusted exclusion to this policy. This account must always complete MFA regardless of source IP.
- In the Entra admin center, navigate to Protection > Conditional Access > Policies and select + New policy.
- Name the policy — for example: Syncro Service Account MFA Policy
- Under Assignments > Users, include only the Syncro Service Account user.
- Under Target Resources, select All cloud apps.
- Under Access Controls > Grant, select Grant access and check Require multifactor authentication (labelled Require Azure Multi-Factor Authentication in older versions of the portal).
- Under Access Controls > Session, check Sign-in frequency and set it to Every time.
- Do not add any location conditions or Named Location exclusions.
- Toggle Enable policy to On and click Create.
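The Part B policy as a Microsoft Graph request body, together with an audit function that flags the two mistakes this section warns about (a Named Location exclusion on the service account policy, and a sign-in frequency that is not Every time), as an added example that is not Syncro's or Microsoft's code. The conditionalAccessPolicy field names, including signInFrequency with frequencyInterval "everyTime", are real Graph fields; SERVICE_ACCOUNT_ID, "nl-office", the drifted policy and the function names are placeholders introduced here.

```python
"""Added example (not Syncro's or Microsoft's code): the Part B policy as a Graph request
body plus an audit that reports drift from the Part B requirements.
SERVICE_ACCOUNT_ID is an assumed placeholder for the service account's object ID."""
from __future__ import annotations

SERVICE_ACCOUNT_ID = "33333333-3333-3333-3333-333333333333"  # assumed placeholder


def service_account_policy_body(name: str, service_account_id: str) -> dict:
    """Body for POST /identity/conditionalAccess/policies matching Part B: one user,
    all cloud apps, grant with MFA, sign-in frequency every time, no location condition."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": [service_account_id], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        "sessionControls": {
            "signInFrequency": {
                "isEnabled": True,
                "frequencyInterval": "everyTime",
                "authenticationType": "primaryAndSecondaryAuthentication",
            }
        },
    }


def audit_service_account_policy(policy: dict, service_account_id: str) -> list[str]:
    """Return findings for a policy body; an empty list means it still matches Part B.
    Intended to run over the body from GET /identity/conditionalAccess/policies/{id}."""
    findings = []
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    if users.get("includeUsers") != [service_account_id]:
        findings.append("users: must include exactly the Syncro Service Account")
    if users.get("excludeUsers"):
        findings.append("users: no exclusions expected")
    if (cond.get("applications") or {}).get("includeApplications") != ["All"]:
        findings.append("applications: must target All cloud apps")
    loc = cond.get("locations") or {}
    if loc.get("includeLocations") or loc.get("excludeLocations"):
        findings.append("locations: no location condition or Named Location exclusion allowed")
    grant = policy.get("grantControls") or {}
    if "mfa" not in (grant.get("builtInControls") or []):
        findings.append("grant: must require multifactor authentication")
    sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
    if not (sif.get("isEnabled") and sif.get("frequencyInterval") == "everyTime"):
        findings.append("session: sign-in frequency must be Every time")
    if policy.get("state") != "enabled":
        findings.append("state: policy is not enforced")
    return findings


# Constructed example of drift (not a real tenant object): someone added the office
# Named Location as an exclusion and relaxed the sign-in frequency to once a day.
DRIFTED_POLICY = {
    "displayName": "Syncro Service Account MFA Policy",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": [SERVICE_ACCOUNT_ID], "excludeUsers": []},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["nl-office"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    "sessionControls": {"signInFrequency": {"isEnabled": True, "frequencyInterval": "timeBased",
                                            "type": "days", "value": 1}},
}

if __name__ == "__main__":
    good = service_account_policy_body("Syncro Service Account MFA Policy", SERVICE_ACCOUNT_ID)
    print("baseline findings:", audit_service_account_policy(good, SERVICE_ACCOUNT_ID))
    print("drifted findings:", audit_service_account_policy(DRIFTED_POLICY, SERVICE_ACCOUNT_ID))
```

Running the audit periodically against the live policy (read with Policy.Read.All) catches the case where a later administrator "helpfully" adds the office Named Location to this policy, which would let the service account skip MFA from the office while it still signs in from Syncro's infrastructure everywhere else.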
Summary
The following summarizes the full configuration:
- Prerequisites: Confirm license, Syncro OIDC SSO configured, SSO enabled account-wide in Syncro, Security Defaults disabled, static IP(s) identified, break-glass account identified.
- Part A, Step 1: Create a Named Location with trusted IP addresses in Entra ID.
- Part A, Step 2: Create a CA policy targeting the Syncro OIDC app, excluding the Named Location, with Block access.
- Part A, Step 3: Validate in Report-only mode, then switch to On.
- Part B: Create a separate CA policy for the Syncro Service Account enforcing MFA on every sign-in with no location exclusions.
FAQs
Does Syncro support Conditional Access through Entra ID?
Yes. Syncro supports OpenID Connect (OIDC) SSO with Entra ID, allowing Conditional Access policies to be enforced during authentication.
Is OIDC treated differently from SAML for Conditional Access?
No. From a Conditional Access perspective, Entra ID evaluates OIDC-based authentication the same way it evaluates SAML authentication.
Does Syncro support partial or per-user SSO enforcement?
No. Syncro SSO is an account-wide setting. Once enabled, all active Syncro users must authenticate through Entra ID.
What happens if SSO is not enabled in Syncro?
Entra ID will not be part of the authentication flow, meaning Conditional Access policies will not apply.
Can this work with dynamic IP addresses?
No. This configuration requires static IP addresses. Dynamic IPs will lead to unreliable enforcement.
What is a Named Location?
A Named Location is a list of trusted IP addresses or CIDR ranges defined in Microsoft Entra ID and used as a condition within Conditional Access policies.
Why should I use Report-only mode first?
Report-only mode allows you to validate policy behavior safely before enforcing it, helping prevent accidental lockouts.
Do I need to exclude any accounts?
Yes. Always exclude a break-glass (emergency) admin account to prevent administrative lockout.
What is the Syncro Service Account mentioned in Part B?
The Syncro Service Account is used for Syncro’s Microsoft CSP integration and GDAP access to Microsoft 365 tenants. It requires a separate Conditional Access policy.
Should the Syncro Service Account be excluded from IP restrictions?
Yes. The service account authenticates from Syncro's cloud infrastructure rather than your office IPs, so it must not be governed by a location-based policy. Give it its own policy (Part B) that requires MFA on every sign-in with no location exclusions, as Syncro's documentation specifies.
Will existing Syncro sessions be terminated immediately after enabling the policy?
No. Existing sessions remain active until the next session renewal or token refresh.