
How to restrict Zoom access to specific IP addresses using Conditional Access


Zoom is a core tool for many businesses, and because it is cloud-based and accessible from many devices, it also comes with security risks.  

Unauthorized Zoom access can lead to the exposure of sensitive data, hijacking meetings, or the compromise of internal conversations.

Restricting Zoom access to specific IP addresses can reduce these risks and ensure that only approved users on trusted networks are able to sign in.  

This guide will walk you through restricting Zoom access to one or more approved IP addresses using Conditional Access in Microsoft Entra ID.  

Why you should restrict Zoom access by IP address

Restricting Zoom access by IP address helps limit exposure and prevent unauthorized use of one or more of your organization’s accounts.  

It prevents unauthorized logins from unknown locations, so even if credentials are compromised, attackers will not gain access to Zoom if they are outside an approved network.

Limiting access also helps protect internal meetings, recordings, and shared content that may contain proprietary information.  

It also strengthens your SaaS security posture when layered with additional multi-factor authentication and Zero Trust controls, and supports compliance frameworks and regulations.  

For remote and hybrid environments, this is especially important for maintaining access control.

Step-by-step guide: Restrict Zoom access to specific IP addresses using Conditional Access

When Entra ID is configured as the identity provider for Zoom via SAML SSO, Conditional Access policies are evaluated at sign-in time, blocking access from any IP not on your approved list before a SAML assertion is issued to Zoom.  

The approach uses two components working together:  

  • Named Locations — a saved list of trusted IP addresses or CIDR ranges defined in Entra ID.  
  • Conditional Access policy — a policy that blocks Zoom sign-ins originating from any IP not on the trusted list.  

IMPORTANT: Zoom requires an approved Vanity URL before SSO can be configured. The Vanity URL (e.g., yourcompany.zoom.us) is the domain-specific login endpoint that enables SSO enforcement by email domain. SSO configuration is not available in the Zoom admin portal until the Vanity URL has been requested and approved by Zoom. Confirm this is in place before proceeding.  

NOTE: The Zoom account owner can always bypass SSO enforcement by design. This is a Zoom platform limitation and cannot be disabled. The owner account uses email and password login regardless of SSO policy. For all other users, SSO can be required by email domain as described in this article.

Prerequisites

Before proceeding, confirm the following are in place:

  • Microsoft Entra ID P1 or P2 license — required for Conditional Access.
  • Conditional Access Administrator role or higher in Microsoft Entra ID.
  • Zoom enterprise app (SAML SSO) registered in your Entra ID tenant with the SAML configuration saved in the Zoom admin portal under Advanced > Single Sign On.
  • Approved Zoom Vanity URL — required for SSO domain enforcement. Submit a request through the Zoom admin portal if not yet approved.
  • SSO enforcement enabled by domain in Zoom — under Advanced > Security > Sign-in Methods, Require users to sign in with SSO must be enabled for your email domain. Without this, users can sign in with email and password, bypassing Entra ID.
  • Security Defaults disabled — Security Defaults and Conditional Access cannot run simultaneously.
  • Known static IP address — the public IP address or CIDR range of each approved location.
  • Break-glass admin account — must be excluded from this policy to prevent administrative lockout.

IMPORTANT: If your approved IP address is dynamic, this approach will not work reliably. You must use a static IP before implementing IP-based Conditional Access.

Step 1: Create a Named Location for your trusted IP(s)

A Named Location defines the trusted IP addresses that Entra ID will reference as a condition in the policy.

  1. Sign in to the Microsoft Entra admin center at entra.microsoft.com.
  2. Navigate to Protection > Conditional Access > Named locations.
  3. Select + IP ranges location.
  4. Name the location — for example: Trusted - Corporate Office
  5. Check the Mark as trusted location checkbox.
  6. Click + and enter your approved IP address or CIDR range.
    • Examples:
      • Single IP address: 203.0.113.10/32
      • IP range (CIDR): 203.0.113.0/24
      • Multiple sites: Create a separate Named Location for each site, then reference all of them in the policy.
  7. Click Create.

Step 2: Create the Conditional Access policy

Create a policy that blocks Zoom access from any location not on your trusted list.

  1. In the Entra admin center, navigate to Protection > Conditional Access > Policies.
  2. Select + New policy.
  3. Name the policy — for example: Block Zoom - Outside Trusted IPs

Assignments: Users

  1. Under Assignments > Users, select All users.
  2. Under Exclude, add your break-glass admin account.

NOTE: The Zoom account owner cannot be forced through SSO regardless of Conditional Access policy. Their sign-ins will use email and password and will not appear in Entra ID sign-in logs for the Zoom application.

Assignments: Target Resources

  1. Under Target Resources, select Cloud apps > Select apps.
  2. Search for and select Zoom.

Conditions: Locations

  1. Under Conditions > Locations, set Configure to Yes.
  2. Under Include, select Any location.
  3. Under Exclude, select Selected locations, then choose your Named Location from Step 1.

TIP: This configuration reads: apply this policy to sign-ins from any location, except the trusted named location. Any Zoom sign-in originating outside the trusted IP will be blocked before Entra ID issues a SAML assertion to Zoom.

Access Controls: Grant

  1. Under Access Controls > Grant, select Block access.
  2. Click Select to confirm.

Enable Policy

  1. Set Enable policy to Report-only.
  2. Click Create.

IMPORTANT: Do not set this policy to On immediately. A block policy applied to All users that is misconfigured will lock all users out of Zoom instantly. Always validate in Report-only mode first.
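The same Named Location and report-only block policy as Steps 1 and 2, created with Microsoft Graph PowerShell. This is an added example, not code from the original article; the CIDR, the break-glass object ID and the assumption that the Zoom enterprise app is displayed as "Zoom" are placeholders to replace.

```powershell
# Added example: Steps 1-2 of the article as Microsoft Graph PowerShell (Microsoft.Graph.Identity.SignIns
# and Microsoft.Graph.Applications modules). Values marked "placeholder" are assumptions, not from the article.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

$trustedCidrs = @('203.0.113.0/24')                        # one entry per approved site (placeholder)
$breakGlassId = '00000000-0000-0000-0000-000000000000'     # object ID of the excluded admin (placeholder)

# Step 1 equivalent: a trusted IP Named Location holding every approved range
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Trusted - Corporate Office'
    isTrusted     = $true
    ipRanges      = @($trustedCidrs | ForEach-Object {
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $_ }
    })
}

# Resolve the Zoom enterprise app to the application ID the policy references
$zoom = Get-MgServicePrincipal -Filter "displayName eq 'Zoom'"
if (-not $zoom -or $zoom.Count -gt 1) { throw "Expected exactly one service principal named 'Zoom'" }

# Step 2 equivalent: All users minus break-glass, Zoom only, any location except the Named Location, Block.
# Created in Report-only (Step 3 validates it); switch state to 'enabled' only in Step 4.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Block Zoom - Outside Trusted IPs'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @($zoom.AppId) }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

"Created Named Location $($location.Id) and policy $($policy.Id) in report-only mode"
```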

Step 3: Validate the policy

Before enabling enforcement, confirm the policy is evaluating sign-ins correctly.

  1. In the Entra admin center, navigate to Identity > Monitoring & health > Sign-in logs.
  2. Filter by the Zoom application.
  3. Open a sign-in from a user on your trusted IP and confirm the Conditional Access tab shows Would succeed.
  4. If available, review a sign-in from an untrusted IP and confirm it shows Would fail with the location condition listed as the reason.
  5. Investigate any unexpected Would fail entries for users on trusted IPs — this typically indicates the network is presenting a different egress IP than what is entered in the Named Location.

TIP: Use the What If tool under Protection > Conditional Access to simulate how a specific user signing in from a specific IP would be evaluated without waiting for a real sign-in event.
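A check for the two things Step 3 asks you to confirm in the sign-in logs: trusted-IP users the policy would block (the egress IP mismatch in item 5) and untrusted-IP users it would let through (a Named Location wider than intended). This is an added example, not from the original article; the policy name, the trusted CIDR list and the "Zoom" app display name are assumptions.

```powershell
# Added example: reads the report-only results the Step 2 policy recorded for Zoom sign-ins
# (Microsoft.Graph.Reports module). Placeholder values below are assumptions, not from the article.
$policyName   = 'Block Zoom - Outside Trusted IPs'
$trustedCidrs = @('203.0.113.0/24')            # must match the Named Location from Step 1 (placeholder)

# IPv4 CIDR membership using integer arithmetic; IPv6 sign-ins are treated as untrusted
function Test-IPv4InCidr([string]$Ip, [string]$Cidr) {
    $addr = [System.Net.IPAddress]$Ip
    if ($addr.AddressFamily -ne 'InterNetwork') { return $false }
    $net, $bits = $Cidr.Split('/')
    $toInt = { param($a) [int64]$n = 0; foreach ($b in ([System.Net.IPAddress]$a).GetAddressBytes()) { $n = $n * 256 + $b }; $n }
    $mask = [int64](4294967296 - [math]::Pow(2, 32 - [int]$bits))
    return (((& $toInt $Ip) -band $mask) -eq ((& $toInt $net) -band $mask))
}

Connect-MgGraph -Scopes 'AuditLog.Read.All'
$signIns = Get-MgAuditLogSignIn -Filter "appDisplayName eq 'Zoom'" -Top 500

foreach ($s in $signIns) {
    $ca = $s.AppliedConditionalAccessPolicies | Where-Object DisplayName -eq $policyName
    if (-not $ca) { continue }                    # this sign-in was not evaluated against the policy
    $onTrustedIp = [bool]($trustedCidrs | Where-Object { Test-IPv4InCidr $s.IPAddress $_ })
    $who = "$($s.UserPrincipalName) from $($s.IPAddress)"
    if ($onTrustedIp -and $ca.Result -eq 'reportOnlyFailure') {
        # Step 3 item 5: the network egresses from an IP that is not in the Named Location
        "MISMATCH  $who would be blocked although the IP is on the trusted list"
    } elseif (-not $onTrustedIp -and $ca.Result -ne 'reportOnlyFailure') {
        # An outside IP is not being blocked: the Named Location or the policy scope is too wide
        "TOO WIDE  $who would not be blocked (result: $($ca.Result))"
    } else {
        "OK        $who -> $($ca.Result)"
    }
}
```

A sign-in from a trusted IP is excluded by the location condition, so its result is never reportOnlyFailure; any MISMATCH line points at the egress IP to add to the Named Location before Step 4.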

Step 4: Enable the policy

  1. In the Entra admin center, navigate to Protection > Conditional Access > Policies.
  2. Select the policy created in Step 2.
  3. Change Enable policy from Report-only to On.
  4. Click Save.

From this point forward, any Zoom sign-in via SSO from an IP address not included in your Named Location will be blocked. Entra ID will not issue a SAML assertion to Zoom, and the user will be denied access at the identity provider level.

NOTE: Users who are already signed in to Zoom when the policy is enabled will not be immediately signed out. The block takes effect on the next sign-in or token refresh. Confirm that SSO is enforced by domain in Zoom under Advanced > Security > Sign-in Methods to prevent users from bypassing Entra ID using Zoom email and password credentials. The Zoom account owner will continue to be able to sign in with email and password by design.

Summary

  • Prerequisites: Confirm license, Vanity URL approved, Zoom SAML SSO configured, SSO enforced by domain under Advanced > Security, Security Defaults disabled, static IP(s) identified.
  • Step 1: Create a Named Location with your trusted IP address(es) in Entra ID.
  • Step 2: Create a CA policy targeting Zoom, excluding the Named Location, with Block access.
  • Step 3: Validate in Report-only mode using sign-in logs and the What If tool.
  • Step 4: Switch Enable policy to On.

FAQs

Can you restrict Zoom access by IP address natively?

Zoom offers some controls, but IP-based restrictions are best enforced through an identity provider like Microsoft Entra ID using Conditional Access policies.

What happens if a user tries to log in from an unapproved IP address?

The login will be blocked unless the user connects from an approved network.

How can you secure Zoom for remote or hybrid teams?

To ensure secure access without disruptions, combine:

  • Multi-factor authentication
  • VPN access with trusted IP ranges
  • Conditional Access policies
  • Endpoint and application control

Can attackers bypass IP-based restrictions?

Yes, attackers can attempt to compromise VPNs or proxy services. IP restrictions should be layered with identity verification, device control, and continuous monitoring.
