
How to restrict Workday access to a specific IP address using Conditional Access


Workday is used by many organizations as a unified system for HR, accounting, and talent management. It allows organizations to manage employee information, benefits, and payroll on a single platform, and as such, holds valuable information.

This article provides guidance on restricting Workday access using Microsoft Entra ID Conditional Access based on trusted IP addresses.  

When Workday is configured to use Entra ID as its identity provider through SAML SSO, Conditional Access policies can enforce location-based restrictions before authentication is completed.  

By limiting access to approved networks such as corporate offices or secure VPN connections, organizations can reduce the risk of unauthorized access to HR, payroll, and employee data from untrusted environments. 

Why restrict Workday access to specific IP addresses

Restricting Workday access by IP address is an important security control for protecting sensitive employee and organizational information. 

Key benefits include: 

  • Prevent unauthorized access to HR and payroll systems 
  • Protect sensitive employee and organizational data 
  • Reduce risk from compromised credentials 
  • Strengthen identity security with centralized enforcement 
  • Support compliance and privacy requirements 

Because Conditional Access policies are evaluated before Entra ID issues a SAML assertion to Workday, untrusted sign-ins can be blocked before authentication is completed.

Step-by-step: Restricting Workday access to specific IP addresses using Conditional Access

When Entra ID is configured as the identity provider for Workday via SAML SSO, Conditional Access policies are evaluated at sign-in time, blocking access from any IP not on your approved list before a SAML assertion is issued to Workday.

The approach uses two components working together:  

  • Named Locations: A saved list of trusted IP addresses or CIDR ranges defined in Entra ID.
  • Conditional Access policy: A policy that blocks Workday sign-ins originating from any IP not on the trusted list.

NOTE: Workday also includes its own native Authentication Policy and IP range controls, configurable through the Maintain IP Ranges and Manage Authentication Policies tasks in Workday. These can be used alongside Entra ID Conditional Access as complementary layers. This article covers the Entra ID approach, which enforces restrictions at the identity provider level before authentication reaches Workday.  

IMPORTANT: Workday SSO is configured inside Workday through Edit Tenant Setup – Security, not through an automated exchange. This requires a Workday administrator with the appropriate security role to import the Federation Metadata XML from Entra ID and activate the identity provider. Confirm SSO is correctly configured and tested before implementing access restrictions. An incorrect SSO configuration can lock all users out of Workday.

Prerequisites

Before proceeding, confirm the following are in place:

  • Microsoft Entra ID P1 or P2 license — required for Conditional Access.
  • Conditional Access Administrator role or higher in Microsoft Entra ID.
  • Workday enterprise app (SAML SSO) registered in your Entra ID tenant with the identity provider imported in Workday under Edit Tenant Setup – Security and set to Active.
  • Local Workday credentials disabled (recommended) — once SSO is validated, disable username/password login for users in Workday's authentication policy. If local logins remain enabled, users can bypass Entra ID and the Conditional Access policy.
  • Security Defaults disabled — Security Defaults and Conditional Access cannot run simultaneously.
  • Known static IP address — the public IP address or CIDR range of each approved location.
  • Break-glass admin account — must be excluded from this policy to prevent administrative lockout.

IMPORTANT: If your approved IP address is dynamic, this approach will not work reliably. You must use a static IP before implementing IP-based Conditional Access.

Step 1: Create a Named Location for your trusted IP(s)

A Named Location defines the trusted IP addresses that Entra ID will reference as a condition in the policy.

  1. Sign in to the Microsoft Entra admin center at entra.microsoft.com.
  2. Navigate to Protection > Conditional Access > Named locations.
  3. Select + IP ranges location.
  4. Name the location — for example: Trusted - Corporate Office
  5. Check the Mark as trusted location checkbox.
  6. Click + and enter your approved IP address or CIDR range. Examples:
    1. Single IP address: 203.0.113.10/32
    2. IP range (CIDR): 203.0.113.0/24
    3. Multiple sites: Create a separate Named Location for each site, then reference all of them in the policy.
  7. Click Create.

Step 2: Create the Conditional Access policy

Create a policy that blocks Workday access from any location not on your trusted list.

  1. In the Entra admin center, navigate to Protection > Conditional Access > Policies.
  2. Select + New policy.
  3. Name the policy — for example: Block Workday - Outside Trusted IPs

Assignments: Users

  1. Under Assignments > Users, select All users.
  2. Under Exclude, add your break-glass admin account and any integration system accounts that authenticate from dynamic IPs.

NOTE: Workday integration system users used for HCM data provisioning, API access, or third-party integrations may authenticate through Entra ID if they are mapped to Entra ID accounts. Review your integration accounts before enabling this policy to confirm they will not be blocked. Integrations that use Workday-native credentials rather than SSO are not affected.

Assignments: Target Resources

  1. Under Target Resources, select Cloud apps > Select apps.
  2. Search for and select Workday.

Conditions: Locations

  1. Under Conditions > Locations, set Configure to Yes.
  2. Under Include, select Any location.
  3. Under Exclude, select Selected locations, then choose your Named Location from Step 1.

TIP: This configuration reads: apply this policy to sign-ins from any location, except the trusted named location. Any Workday sign-in originating outside the trusted IP will be blocked before Entra ID issues a SAML assertion to Workday.

Access Controls: Grant

  1. Under Access Controls > Grant, select Block access.
  2. Click Select to confirm.

Enable policy

  1. Set Enable policy to Report-only.
  2. Click Create.

IMPORTANT: Do not set this policy to On immediately. A block policy applied to All users that is misconfigured will lock all users out of Workday instantly. Always validate in Report-only mode first.

Step 3: Validate the policy

Before enabling enforcement, confirm the policy is evaluating sign-ins correctly.

  1. In the Entra admin center, navigate to Identity > Monitoring & health > Sign-in logs.
  2. Filter by the Workday application.
  3. Open a sign-in from a user on your trusted IP and confirm the Conditional Access tab shows Would succeed.
  4. If available, review a sign-in from an untrusted IP and confirm it shows Would fail with the location condition listed as the reason.
  5. Review any integration system account sign-ins showing Would fail and determine whether they need to be excluded or whether their source IPs should be added to the Named Location.

TIP: Use the What If tool under Protection > Conditional Access to simulate how a specific user signing in from a specific IP would be evaluated without waiting for a real sign-in event.
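To review the report-only results from Step 3 in bulk rather than opening sign-ins one at a time, the following added example (not from the article) pulls the last seven days of Workday sign-ins from the Entra sign-in logs with Microsoft Graph PowerShell and groups them by how the policy would have evaluated them. It assumes the policy name from Step 2, an enterprise app named "Workday", and consent to AuditLog.Read.All.

```powershell
# Added example: summarize report-only outcomes for Workday sign-ins (assumptions in comments).
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"

$policyName = "Block Workday - Outside Trusted IPs"   # assumed: name used in Step 2
$since      = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Sign-ins to the Workday enterprise app (assumed display name "Workday") in the window
$signIns = Get-MgAuditLogSignIn -All -Filter "appDisplayName eq 'Workday' and createdDateTime ge $since"

$results = foreach ($s in $signIns) {
    # Each sign-in records how every Conditional Access policy evaluated it; keep only ours
    $applied = $s.AppliedConditionalAccessPolicies | Where-Object DisplayName -eq $policyName
    if (-not $applied) { continue }
    [pscustomobject]@{
        User   = $s.UserPrincipalName
        IP     = $s.IpAddress
        Result = $applied.Result   # reportOnlySuccess, reportOnlyFailure, reportOnlyNotApplied, ...
        Time   = $s.CreatedDateTime
    }
}

# Overview: how many sign-ins "would succeed" vs "would fail"
$results | Group-Object Result | Select-Object Name, Count | Format-Table -AutoSize

# Every user/IP pair that will be blocked once the policy is switched to On.
# Check these for integration system accounts to exclude and for sites missing from the Named Location.
$results | Where-Object Result -eq "reportOnlyFailure" |
    Sort-Object User, IP -Unique | Format-Table User, IP, Time -AutoSize
```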

Step 4: Enable the policy

  1. In the Entra admin center, navigate to Protection > Conditional Access > Policies.
  2. Select the policy created in Step 2.
  3. Change Enable policy from Report-only to On.
  4. Click Save.

From this point forward, any Workday sign-in attempt from an IP address not included in your Named Location will be blocked. Entra ID will not issue a SAML assertion to Workday, and the user will be denied access at the identity provider level.  

NOTE: Users who are already signed in to Workday when the policy is enabled will not be immediately signed out. The block takes effect on the next sign-in or token refresh, typically within one hour. Confirm that local Workday username and password login is disabled in your Workday authentication policy to prevent users from bypassing Entra ID using Workday credentials directly.  

Summary

The following summarizes the full configuration process:

  • Prerequisites: Confirm license, Workday SAML SSO configured via Edit Tenant Setup – Security, local logins disabled in Workday authentication policy, Security Defaults disabled, static IP(s) identified
  • Step 1: Create a Named Location with your trusted IP address(es) in Entra ID
  • Step 2: Create a CA policy targeting Workday, excluding the Named Location, with Block access
  • Step 3: Validate in Report-only mode — review integration system account sign-ins
  • Step 4: Switch Enable policy to On

FAQs

Does Workday support Conditional Access through Entra ID?
Yes. Workday supports SAML SSO with Entra ID, allowing Conditional Access policies to be enforced during authentication. 

Can users bypass Conditional Access using local Workday credentials?
Yes, if local username/password authentication remains enabled in Workday. To ensure full enforcement, local Workday logins should be disabled after SSO validation. 

Does Workday have its own IP restriction controls?
Yes. Workday includes native IP range and authentication policy controls through the Maintain IP Ranges and Manage Authentication Policies tasks. These can be used alongside Entra ID Conditional Access for additional security. 

Can this work with dynamic IP addresses?
No. This configuration requires static IP addresses. Dynamic IPs will result in unreliable enforcement. 

What is a Named Location?
A Named Location is a list of trusted IP addresses or CIDR ranges defined in Microsoft Entra ID and used as a condition within Conditional Access policies. 

Why should I use Report-only mode first?
Report-only mode allows you to validate policy behavior before enforcement, helping prevent accidental lockouts. 

Do I need to exclude any accounts?
Yes. Always exclude a break-glass (emergency) admin account and review any integration system accounts that authenticate from dynamic IPs. 

What are Workday integration system accounts?
These are accounts used for HCM integrations, API access, and third-party data provisioning. If they authenticate through Entra ID, they may be affected by Conditional Access policies and should be reviewed carefully before enforcement. 

Will existing Workday sessions be terminated immediately after enabling the policy?
No. Existing sessions remain active until the next sign-in or token refresh, typically within about one hour. 

What happens if the policy is misconfigured and enabled?
Because the policy can apply to all Workday users, a misconfiguration can lock users and administrators out of Workday. Always validate thoroughly in Report-only mode before enabling enforcement. 

Where is Workday SSO configured?
Workday SSO is configured inside Workday through the Edit Tenant Setup – Security task, where the Entra ID Federation Metadata XML is imported and activated. 
