Managing access controls and IP restrictions for QuickBooks Online

Businesses of all sizes use QuickBooks Online to streamline their financial processes and simplify accounting tasks. For many companies, their QuickBooks Online account holds payroll data, contract information, tax records, and banking details.  

Because of this, controlling access to the platform is of the utmost importance.  

This article explains the available options for managing access controls and IP restrictions within QuickBooks Online's current capabilities.  

How to manage access controls and IP restrictions for QuickBooks Online

QuickBooks Online (QBO) does not support SAML 2.0 or OIDC-based single sign-on with external identity providers such as Microsoft Entra ID. This is a platform limitation set by Intuit, the developer of QuickBooks Online, and it means that the Conditional Access approach used for other applications cannot be directly applied to QuickBooks Online.  

Users must authenticate to QuickBooks Online using one of the following methods, none of which are controlled by Entra ID:  

  • Intuit account credentials (email and password)
  • Sign in with Google (via Google OAuth)

IMPORTANT: Because QuickBooks Online does not route authentication through Entra ID, Microsoft Entra ID Conditional Access policies cannot enforce IP restrictions, MFA requirements, or device compliance for QuickBooks Online sign-ins. This is a QuickBooks Online platform limitation, not a configuration gap. No workaround exists that achieves true SAML SSO with Entra ID as the identity provider for QuickBooks Online at this time.

What is available for access control

While full Entra ID Conditional Access integration is not possible, the following options are available for organizations that need to control access to QuickBooks Online.

Option 1: QuickBooks Online Advanced — Invite-based user management

QuickBooks Online Advanced (the highest-tier plan) offers enhanced user management controls, including the ability to restrict who can be invited to the account and manage user roles. While this does not provide IP-based restrictions, it does allow tighter control over which accounts have access.

  • Limit user access by role (e.g., read-only vs. full access).
  • Remove users promptly through Admin > Manage Users to prevent access from former employees.
  • Enable two-step verification for all users under Security settings.

Option 2: Network-level IP restriction (firewall / DNS filtering)

For organizations that need to restrict QuickBooks Online to specific networks, IP-based access controls can be enforced at the network layer rather than the identity layer. This approach blocks access to QuickBooks Online URLs from devices outside approved networks using a firewall, proxy, or DNS filtering solution.  

The primary QuickBooks Online domain to restrict is: app.qbo.intuit.com  

NOTE: Network-level restrictions apply to all traffic from the network, not to specific users. A user working from a location outside the restricted network (such as working from home) would not be subject to the restriction. This approach is most effective for organizations that require users to access QuickBooks Online only from managed office networks.  
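
The allow/block decision a proxy or firewall rule makes under Option 2, written out as an added example (not part of the original article or of any vendor product). The office ranges, the log format and the helper names are assumptions made for illustration; only the domain comes from this article.

```python
import ipaddress

# Assumptions: the office ranges and the log format below are constructed.
QBO_HOSTS = {"app.qbo.intuit.com"}  # the domain named in this article
APPROVED_NETS = [ipaddress.ip_network(n)
                 for n in ("10.20.0.0/16", "2001:db8:20::/48")]


def normalize_host(host):
    """Lower-case, strip :port and a trailing dot so matching is exact."""
    host = host.strip().lower()
    if host.count(":") == 1:  # host:port (IPv6 literals have more colons)
        host = host.split(":")[0]
    return host.rstrip(".")


def decide(src_ip, host):
    """Return 'allow' or 'block' for one request (hypothetical helper)."""
    # Exact match: "app.qbo.intuit.com.example.net" is not QuickBooks Online.
    if normalize_host(host) not in QBO_HOSTS:
        return "allow"  # the rule only governs QuickBooks Online traffic
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return "block"  # fail closed on an unparsable source address
    return "allow" if any(addr in net for net in APPROVED_NETS) else "block"


def audit(log_lines):
    """Return (source, host) for each QBO request the rule would block."""
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines
        src_ip, host = parts[1], parts[2]
        if decide(src_ip, host) == "block":
            findings.append((src_ip, normalize_host(host)))
    return findings


# Constructed sample log: "<timestamp> <source-ip> <requested-host>"
SAMPLE_LOG = [
    "2024-05-01T09:00:01Z 10.20.4.17 app.qbo.intuit.com:443",
    "2024-05-01T09:00:05Z 192.168.50.8 APP.QBO.INTUIT.COM.",
    "2024-05-01T09:00:09Z 192.168.50.8 app.qbo.intuit.com.example.net",
    "2024-05-01T09:00:12Z 2001:db8:20::5 app.qbo.intuit.com",
    "2024-05-01T09:00:15Z not-an-ip app.qbo.intuit.com",
]
```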

Option 3: Password vaulting via Okta or similar IdP (SWA)

Some identity providers, including Okta, support Secure Web Authentication (SWA) for applications that do not support SAML. SWA stores and injects the user's QuickBooks Online username and password, providing a single sign-on experience through the IdP portal without requiring SAML support from the application.

  • Users access QuickBooks Online through the Okta or similar IdP dashboard.
  • The IdP handles credential injection. Users do not need to remember or manage their QBO password directly.
  • IP restrictions and MFA can be enforced at the IdP level, covering the login to the IdP itself.

NOTE: SWA is not true SAML SSO. It is password vaulting — the user's Intuit credentials are still used to authenticate to QBO, they are simply managed and injected by the IdP. This means Entra ID Conditional Access still cannot enforce policies directly against the QBO authentication event. SWA through a third-party IdP like Okta would need to be evaluated separately.

Options summary

The following table summarizes the available access control options for QuickBooks

  • Entra ID CA policy: Not supported. QuickBooks Online does not support SAML or OIDC with external IdPs. Entra ID cannot enforce IP restrictions or MFA for QBO sign-ins.
  • User management (QBO): Available on all plans. Control who has access via invite-based user management and role assignments within QuickBooks Online.
  • Network-level blocking: Restrict access to app.qbo.intuit.com at the firewall or DNS layer. Applies to the entire network rather than individual users.
  • SWA via third-party IdP: Available through platforms like Okta using Secure Web Authentication. Provides IdP-level MFA and IP controls, but is password vaulting — not true SAML SSO.
  • Intuit feedback: Submit a feature request for SAML/enterprise SSO support through the QuickBooks Online feedback portal.

FAQ

Can I use Entra ID Conditional Access to restrict QuickBooks Online access by IP?
No. QuickBooks Online does not support SAML or OIDC integration with Entra ID, so Conditional Access policies cannot be applied. 

Why doesn’t Conditional Access work with QuickBooks Online?
Because authentication is handled directly by Intuit (or Google OAuth), not by Entra ID. Since Entra ID is not in the authentication flow, it cannot enforce policies. 

What are my options for restricting access?
You have three main options: 

  • Manage users and roles within QuickBooks Online 
  • Restrict access at the network level (firewall or DNS filtering)  
  • Use Secure Web Authentication (SWA) via a third-party IdP like Okta  

Can I restrict access by IP using a firewall or DNS filtering?
Yes. You can block access to QuickBooks Online (e.g., app.qbo.intuit.com) outside of approved networks. However, this applies to entire networks—not individual users. 

What is Secure Web Authentication (SWA)?
SWA is a method where an identity provider stores and injects user credentials to simulate SSO. It allows enforcement of MFA and IP restrictions at the IdP login stage, but it is not true SAML SSO. 

Does SWA allow Entra ID Conditional Access to control QuickBooks access?
No. Even with SWA, authentication to QuickBooks still uses Intuit credentials. Conditional Access applies only to the IdP login, not to the QuickBooks session itself. 

Can I enforce MFA for QuickBooks Online users?
Yes, but only through QuickBooks’ native security settings or via the IdP (if using SWA). Entra ID cannot enforce MFA for QBO directly. 

Is there any way to fully integrate QuickBooks Online with Entra ID?
No. There is currently no supported method for true SAML or OIDC integration with Entra ID. 

What is the best approach for securing QuickBooks Online today?
A layered approach: 

  • Enable QuickBooks-native MFA  
  • Restrict access via network controls if possible  
  • Use strict user lifecycle management 
  • Consider SWA through a third-party IdP for additional control  

Will this limitation change in the future?
Possibly. You can submit feature requests to Intuit for SAML or enterprise SSO support, but currently no native support exists.
