Step-by-step: How to restrict ThreatLocker portal access to specific IP addresses
Restricting ThreatLocker portal access by IP address is handled differently from every other application in this KB series. The ThreatLocker portal has native IP restriction controls built directly into its Login Settings, so no Microsoft Entra ID Conditional Access policy is required or recommended for this purpose.
There are two important reasons the Entra ID Conditional Access approach does not apply here:
ThreatLocker does not recommend using O365 SSO for portal access.
ThreatLocker's own documentation explicitly advises against enabling SSO for ThreatLocker administrator accounts. Without SSO enabled, Entra ID is not in the authentication path and Conditional Access policies cannot apply.
ThreatLocker's native Login Settings provide direct, purpose-built IP restriction.
The portal supports both individual IPv4 addresses and CIDR ranges natively, configured through the portal's own Login Settings panel — no external tooling required.
NOTE: This article covers the native ThreatLocker portal IP restriction approach, which is the correct and recommended method. If your organization has enabled O365 SSO for ThreatLocker portal accounts against ThreatLocker's recommendation, see Part B of this article for considerations on layering Entra ID Conditional Access alongside the native controls.
Part A: Restrict portal access using ThreatLocker login settings
ThreatLocker's Login Settings panel provides direct IP address restrictions for all administrator accounts in your organization. This is the recommended approach for restricting portal access by IP.
Step 1: Access login settings
- Sign in to the ThreatLocker portal at portal.threatlocker.com.
- Navigate to the Administrators page from the left sidebar.
- Select Additional Options, then choose Login Settings. Alternatively, Login Settings can be accessed from the Login Attempts pane within the Health Center.
- The Login Settings panel will open, showing organization-wide controls for authentication and access.
Step 2: Configure IP address restrictions
- In the Login Settings panel, locate the IP Address Restrictions section.
- Select Allow Selected to create an allowlist of approved IP addresses.
- Enter each approved IP address or CIDR range. Both individual IPv4 addresses and CIDR notation are supported.
Examples:
Single IP address: 203.0.113.10
IP range (CIDR): 203.0.113.0/24
Multiple entries: Add each IP or range as a separate entry in the list.
- Click Save to apply the restriction.
IMPORTANT: When Allow Selected is active, any IP address not on the list will be blocked from accessing the portal. Confirm your current IP address is included before saving, or you may lock yourself out of the portal. If you need to recover access, contact ThreatLocker support.
NOTE: IP Address Restrictions and Country Restrictions work together in the portal. If you choose Allow Selected for IP addresses within a country and also allow the entire country via Country Restrictions, the entire country will be allowed regardless of the IP allowlist. Configure both settings intentionally to avoid unintended bypass.
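A pre-save check for the lockout warning above, as an added example that is not ThreatLocker tooling: it validates the entries you plan to type into Allow Selected and confirms your current address is covered. It assumes you supply your public IP as the portal would see it; the `/16` breadth threshold and the function names are choices made for this example.

```python
import ipaddress

MIN_PREFIX = 16  # assumption for this example: flag ranges broader than /16


def parse_allowlist(entries):
    """Return (networks, problems) for the proposed allowlist entries."""
    networks, problems = [], []
    for raw in entries:
        entry = raw.strip()
        try:
            # strict=True rejects CIDR entries with host bits set (203.0.113.10/24)
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            problems.append(f"{entry!r}: not a valid IP or CIDR ({exc})")
            continue
        if net.version != 4:
            problems.append(f"{entry!r}: only IPv4 entries are documented")
            continue
        if net.prefixlen < MIN_PREFIX:
            problems.append(f"{entry!r}: covers {net.num_addresses} addresses")
        networks.append(net)
    return networks, problems


def safe_to_save(entries, current_ip):
    """True only if every entry is clean and current_ip is covered."""
    networks, problems = parse_allowlist(entries)
    addr = ipaddress.ip_address(current_ip)
    if not any(addr in net for net in networks):
        problems.append(f"{current_ip} is not covered: saving would lock you out")
    return not problems, problems


if __name__ == "__main__":
    # Constructed sample: the article's example entries plus one mistyped range.
    proposed = ["203.0.113.10", "203.0.113.0/24", "198.51.100.7/24"]
    ok, issues = safe_to_save(proposed, current_ip="203.0.113.77")
    print("safe to save:", ok)
    for issue in issues:
        print(" -", issue)
```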
Step 3: Validate the restriction
- From a browser on an IP address included in your allowlist, confirm that portal login continues to work normally.
- If possible, test from an IP outside the allowlist and confirm that access is denied.
- Review the Login Attempts section of the Health Center to monitor blocked and allowed sign-in attempts.
Part B: Layering Entra ID Conditional Access (if SSO is enabled)
If your organization has enabled O365 SSO for ThreatLocker portal accounts, Entra ID is in the authentication path and Conditional Access policies can provide an additional layer of IP enforcement at the identity provider level.
IMPORTANT: ThreatLocker does not recommend using O365 SSO for ThreatLocker administrator accounts. If SSO is enabled in your environment, ThreatLocker's native Login Settings IP restrictions should still be configured as the primary control. Entra ID Conditional Access provides a complementary layer, not a replacement.
If SSO is enabled and you wish to add an Entra ID Conditional Access IP restriction, follow the standard Named Location and Conditional Access policy steps:
- In the Microsoft Entra admin center, navigate to Protection > Conditional Access > Named locations and create a Named Location with your trusted IP addresses.
- Create a new Conditional Access policy targeting the ThreatLocker application in Entra ID.
- Configure Conditions > Locations with Include: Any location and Exclude: your Named Location.
- Set Access Controls > Grant to Block access.
- Set Enable policy to Report-only, validate in sign-in logs, then switch to On.
NOTE: If ThreatLocker is not pre-registered in the Entra ID gallery, it may need to be added as a custom SAML application. Refer to ThreatLocker's SSO configuration documentation for the specific SAML values required. Verify with ThreatLocker support that SSO is configured and active for your organization before creating a Conditional Access policy targeting it.
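For the report-only validation step above, an added example (not Microsoft or ThreatLocker code) that reviews exported sign-in records before the policy is switched to On. Field names follow the Microsoft Graph sign-in resource; the policy name, users and records are constructed, and the trusted range is the one you intended for the Named Location.

```python
import ipaddress

POLICY = "Block ThreatLocker outside trusted IPs"  # hypothetical policy name


def review_report_only(signins, trusted_cidrs, policy=POLICY):
    """Classify each sign-in the policy evaluated as (user, ip, verdict)."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    out = []
    for s in signins:
        result = next((p["result"] for p in s.get("appliedConditionalAccessPolicies", [])
                       if p["displayName"] == policy), None)
        if result is None:
            continue  # policy was not evaluated for this sign-in
        in_trusted = any(ipaddress.ip_address(s["ipAddress"]) in n for n in trusted)
        would_block = result == "reportOnlyFailure"  # block control would have fired
        if would_block:
            verdict = "trusted_ip_would_be_blocked" if in_trusted else "would_block"
        else:
            verdict = "ok" if in_trusted else "untrusted_ip_not_blocked"
        out.append((s["userPrincipalName"], s["ipAddress"], verdict))
    return out


def _signin(user, ip, result):  # builds one constructed record
    return {"userPrincipalName": user, "ipAddress": ip,
            "appliedConditionalAccessPolicies": [{"displayName": POLICY, "result": result}]}


# Constructed sample records, not real log data.
SAMPLE = [
    _signin("admin1@example.com", "203.0.113.25", "reportOnlyNotApplied"),
    _signin("admin2@example.com", "198.51.100.9", "reportOnlyFailure"),
    _signin("admin3@example.com", "203.0.113.40", "reportOnlyFailure"),
]

if __name__ == "__main__":
    for row in review_report_only(SAMPLE, ["203.0.113.0/24"]):
        print(row)
```

A `trusted_ip_would_be_blocked` or `untrusted_ip_not_blocked` verdict means the Named Location or the policy scope does not match what you intended, and should be resolved before enabling enforcement.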
Summary
The following summarizes the available options for restricting ThreatLocker portal access by IP:
Native Login Settings (recommended)
Configure IP Address Restrictions directly in the ThreatLocker portal under Login Settings. Supports IPv4 and CIDR notation. No Entra ID required. This is the recommended approach for all organizations.
Entra ID Conditional Access (supplementary)
Only applicable if O365 SSO is enabled for ThreatLocker portal accounts. Follow the standard Named Location and CA policy steps targeting the ThreatLocker app in Entra ID. Use alongside native controls, not instead of them.


