Zendesk is an integral platform for many customer support teams, and it often contains sensitive customer data, internal communications, and account credentials. Because of this high-value data, it can also become a target for cybercriminals if not properly secured.
One of the most effective ways to reduce this risk is by restricting access to Zendesk to specific IP addresses using Conditional Access policies, ensuring that only users on approved networks can log in.
This guide walks through how to implement IP-based access controls for Zendesk and how this approach strengthens your overall security posture.
Why restrict Zendesk access by IP address?
Restricting access to Zendesk helps prevent unauthorized logins even if credentials are compromised.
Key benefits:
- Reduces risk of credential-based attacks (phishing, password reuse)
- Limits access to trusted networks only
- Protects sensitive customer and support data
- Supports compliance and audit requirements
For organizations with remote or hybrid teams, combining IP restrictions with additional controls (like Zero Trust policies) is essential.
Step-by-step: How to restrict Zendesk access to specific IP addresses
Prerequisites
Before proceeding, confirm the following are in place:
- Microsoft Entra ID P1 or P2 license — required for Conditional Access.
- Conditional Access Administrator role or higher in Microsoft Entra ID.
- Zendesk enterprise app (SAML SSO) registered in your Entra ID tenant with the SAML configuration saved in Zendesk Admin Center and SSO assigned to team members or end users.
- SSO set to Redirect to SSO only in Zendesk — under Security > Team member authentication (or End user authentication), the authentication mode must be set to Redirect to SSO only. If Let them choose is selected, users can bypass Entra ID by signing in with Zendesk credentials directly.
- Security Defaults disabled — Security Defaults and Conditional Access cannot run simultaneously.
- Known static IP address — the public IP address or CIDR range of each approved location.
- Break-glass admin account — must be excluded from this policy to prevent administrative lockout.
Important: If your approved IP address is dynamic, this approach will not work reliably. You must use a static IP before implementing IP-based Conditional Access.
Step 1: Create a Named Location for your trusted IP(s)
A Named Location defines the trusted IP addresses that Entra ID will reference as a condition in the policy.
- Sign in to the Microsoft Entra admin center at entra.microsoft.com.
- Navigate to Protection > Conditional Access > Named locations.
- Select + IP ranges location.
- Name the location — for example: Trusted - Corporate Office
- Check the Mark as trusted location checkbox.
- Click + and enter your approved IP address or CIDR range. Examples:
- Single IP address: 203.0.113.10/32
- IP range (CIDR): 203.0.113.0/24
- Multiple sites: Create a separate Named Location for each site, then reference all of them in the policy.
- Click Create.
Step 2: Create the conditional access policy
Create a policy that blocks Zendesk access from any location not on your trusted list.
- In the Entra admin center, navigate to Protection > Conditional Access > Policies.
- Select + New policy.
- Name the policy — for example: Block Zendesk - Outside Trusted IPs
Assignments: Users
- Under Assignments > Users, select All users.
- Under Exclude, add your break-glass admin account.
Assignments: Target Resources
- Under Target Resources, select Cloud apps > Select apps.
- Search for and select Zendesk.
Conditions: Locations
- Under Conditions > Locations, set Configure to Yes.
- Under Include, select Any location.
- Under Exclude, select Selected locations, then choose your Named Location from Step 1.
TIP: This configuration reads: apply this policy to sign-ins from any location, except the trusted named location. Any Zendesk sign-in originating outside the trusted IP will be blocked before Entra ID issues a SAML assertion to Zendesk.
Access Controls: Grant
- Under Access Controls > Grant, select Block access.
- Click Select to confirm.
Enable Policy
- Set Enable policy to Report-only.
- Click Create.
IMPORTANT: Do not set this policy to On immediately. A block policy applied to All users that is misconfigured will lock all users out of Zendesk instantly. Always validate in Report-only mode first.
Step 3: Validate the policy
Before enabling enforcement, confirm the policy is evaluating sign-ins correctly.
- In the Entra admin center, navigate to Identity > Monitoring & health > Sign-in logs.
- Filter by the Zendesk application.
- Open a sign-in from a user on your trusted IP and confirm the Conditional Access tab shows Would succeed.
- If available, review a sign-in from an untrusted IP and confirm it shows Would fail with the location condition listed as the reason.
- Investigate any unexpected Would fail entries for users on trusted IPs — this typically indicates the network is presenting a different egress IP than what is entered in the Named Location.
TIP: Use the What If tool under Protection > Conditional Access to simulate how a specific user signing in from a specific IP would be evaluated without waiting for a real sign-in event.
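The Step 3 review can also be run over an export of the sign-in logs. The following is an added example, not part of the original guide: it assumes records shaped like Microsoft Graph signIn objects (`ipAddress`, `appDisplayName`, `appliedConditionalAccessPolicies`), the policy name from Step 2, and constructed sample data. It groups would-be-blocked sign-ins by source IP, so an office egress address missing from the Named Location stands out as one IP shared by several users.

```python
import ipaddress
from collections import defaultdict

# Assumptions: the CIDRs entered in the Named Location and the policy name from Step 2.
TRUSTED_CIDRS = ["203.0.113.0/24"]
POLICY_NAME = "Block Zendesk - Outside Trusted IPs"

def review_signins(signins, trusted_cidrs=TRUSTED_CIDRS, policy_name=POLICY_NAME):
    """Compare each Zendesk sign-in's report-only result with its source IP.

    Returns (blocked_by_ip, mismatches):
      blocked_by_ip: {ip: sorted users} that enforcement would block
      mismatches:    (user, ip, reason) where result and IP disagree
    """
    networks = [ipaddress.ip_network(c) for c in trusted_cidrs]
    blocked, mismatches = defaultdict(set), []
    for s in signins:
        if s.get("appDisplayName") != "Zendesk":
            continue  # the policy only targets the Zendesk enterprise app
        user, raw_ip = s.get("userPrincipalName"), s.get("ipAddress", "")
        try:
            ip = ipaddress.ip_address(raw_ip)
        except ValueError:
            mismatches.append((user, raw_ip, "unparseable source IP"))
            continue
        trusted = any(ip in net for net in networks)
        results = {p.get("displayName"): p.get("result")
                   for p in s.get("appliedConditionalAccessPolicies", [])}
        would_block = results.get(policy_name) == "reportOnlyFailure"
        if would_block:
            blocked[raw_ip].add(user)
        if trusted and would_block:
            mismatches.append((user, raw_ip, "trusted IP would be blocked"))
        elif not trusted and not would_block:
            mismatches.append((user, raw_ip, "untrusted IP would not be blocked"))
    return {ip: sorted(users) for ip, users in blocked.items()}, mismatches

def sample_record(user, ip, result, app="Zendesk"):
    """Build one constructed record (not real log data)."""
    return {"userPrincipalName": user, "ipAddress": ip, "appDisplayName": app,
            "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": result}]}

SAMPLE = [
    sample_record("alice@example.com", "203.0.113.25", "reportOnlyNotApplied"),
    sample_record("bob@example.com", "198.51.100.7", "reportOnlyFailure"),
    sample_record("carol@example.com", "198.51.100.7", "reportOnlyFailure"),
    sample_record("breakglass@example.com", "192.0.2.50", "reportOnlyNotApplied"),
    sample_record("dave@example.com", "192.0.2.9", "reportOnlyFailure", app="Office 365"),
]
```

In the sample, two users share the blocked address 198.51.100.7, which is the pattern to check against your list of site egress IPs before Step 4. The one mismatch is the excluded break-glass account, which is expected to pass from an untrusted IP.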
Step 4: Enable the policy
- In the Entra admin center, navigate to Protection > Conditional Access > Policies.
- Select the policy created in Step 2.
- Change Enable policy from Report-only to On.
- Click Save.
From this point forward, any Zendesk sign-in attempt from an IP address not included in your Named Location will be blocked. Entra ID will not issue a SAML assertion to Zendesk, and the user will be denied access at the identity provider level.
NOTE: Users who are already signed in to Zendesk when the policy is enabled will not be immediately signed out. The block takes effect on the next sign-in or token refresh, typically within one hour.
Confirm that Redirect to SSO only is active in Zendesk under Security > Team member authentication to prevent users from bypassing Entra ID using Zendesk credentials directly.
Summary
The following summarizes the full configuration process:
- Prerequisites: Confirm license, Zendesk SAML SSO configured, SSO set to Redirect to SSO only for team members, Security Defaults disabled, static IP(s) identified.
- Step 1: Create a Named Location with your trusted IP address(es) in Entra ID.
- Step 2: Create a CA policy targeting Zendesk, excluding the Named Location, with Block access.
- Step 3: Validate in Report-only mode using sign-in logs and the What If tool.
- Step 4: Switch Enable policy to On.
FAQs
Can Zendesk restrict access by IP address natively?
Zendesk has limited native IP restriction capabilities. Most organizations implement IP-based access control using an identity provider like Microsoft Entra ID with Conditional Access.
What happens if a user logs in from an unapproved IP address?
The Conditional Access policy will block access, preventing login unless the user connects from a trusted network or meets defined conditions.
How do you secure Zendesk for remote teams?
Use a combination of:
- VPN access with approved IP ranges
- Multi-factor authentication (MFA)
- Conditional Access policies
- Endpoint security controls
Is IP restriction enough to secure Zendesk?
No. IP restrictions should still be combined with:
- MFA
- Least privilege access
- Device control
- Zero Trust enforcement
Can attackers bypass IP restrictions?
Attackers may attempt to use compromised VPNs or proxies. This is why IP restrictions should be layered with additional controls like device validation and application control.


