
Restrict Box Access to a Specific IP Address Using Conditional Access


This article walks through restricting Box access to one or more approved IP addresses using Conditional Access in Microsoft Entra ID.  

This is commonly used to prevent Box from being accessed outside of the corporate network or VPN, reducing the risk of unauthorized file access or data exfiltration from personal devices on untrusted networks.

The approach uses two components working together:

  • Named Locations — a saved list of trusted IP addresses or CIDR ranges defined in Entra ID.
  • Conditional Access policy — a policy that blocks Box sign-ins originating from any IP not on the trusted list.

NOTE: This configuration requires Box to be integrated with Microsoft Entra ID via SAML SSO. If SSO is not yet configured, complete that setup first before proceeding. Refer to the Box SSO KB article for setup instructions.

NOTE: Box also has its own IP restriction settings in the Box Admin Console (Enterprise Settings > Security). Entra ID Conditional Access and Box's native IP restrictions can be used independently or together. This guide covers the Entra ID approach, which is recommended as the primary control since it enforces restrictions at the identity provider level — before authentication reaches Box.

Why restrict Box access by IP address

Restricting Box access by IP address is a key control for protecting organizational data stored in cloud file-sharing platforms.

Key benefits include:

  • Prevent unauthorized file access
    Block sign-ins from untrusted networks where credentials may be compromised.
  • Reduce risk of data exfiltration
    Ensure sensitive files are only accessed from secure, approved environments.
  • Control access from unmanaged or personal devices
    Limit usage to corporate networks or VPN connections.
  • Strengthen identity security with location-based enforcement
    Add an additional layer beyond standard authentication methods.
  • Align with security and compliance requirements
    Many frameworks require restricting access to sensitive data by network location.

Taken together, this approach ensures Box is only reachable from trusted networks, reducing the risk of unauthorized file access or data exfiltration from untrusted environments.

Step-by-step: How to restrict Box access to a specific IP address using Conditional Access

Prerequisites
Before proceeding, confirm the following are in place:

  • Microsoft Entra ID P1 or P2 license — required for Conditional Access.
  • Conditional Access Administrator role or higher in Microsoft Entra ID.
  • Box enterprise app (SAML SSO) registered in your Entra ID tenant with SSO configured and SSO Required enabled in Box.
  • Security Defaults disabled — Security Defaults and Conditional Access cannot run simultaneously.
  • Known static IP address — the public IP address or CIDR range of each approved location.
  • Break-glass admin account — must be excluded from this policy to prevent administrative lockout.

IMPORTANT: If SSO Required is not enabled in Box, users can bypass Entra ID entirely and sign in with a Box username and password directly — making the Conditional Access policy ineffective. Confirm SSO Required is active in Box before relying on this policy.


Step 1: Create a Named Location for your trusted IP(s)

A Named Location defines the trusted IP addresses that Entra ID will use as a condition in the policy.

  1. Sign in to the Microsoft Entra admin center at entra.microsoft.com.
  2. Navigate to Protection > Conditional Access > Named locations.
  3. Select + IP ranges location.
  4. Name the location — for example:
    Trusted - Corporate Office
  5. Check the Mark as trusted location checkbox.
  6. Click + and enter your approved IP address or CIDR range. Examples:
     Field / Setting       Value / Notes
     Single IP address     203.0.113.10/32
     IP range (CIDR)       203.0.113.0/24
     Multiple sites        Create a separate Named Location for each site, then reference all of them in the policy.
  7. Click Create.

Step 2: Create the Conditional Access policy

Create a policy that blocks Box access from any location not on your trusted list.

  1. In the Entra admin center, navigate to Protection > Conditional Access > Policies.
  2. Select + New policy.
  3. Name the policy — for example:
    Block Box - Outside Trusted IPs

Assignments: Users

  1. Under Assignments > Users, select All users.
  2. Under Exclude, add your break-glass admin account.

Assignments: Target Resources 

  1. Under Target Resources, select Cloud apps > Select apps.
  2. Search for and select Box.

Conditions: Locations

  1. Under Conditions > Locations, set Configure to Yes.
  2. Under Include, select Any location.
  3. Under Exclude, select Selected locations, then choose your Named Location from Step 1.

TIP: This configuration reads: apply this policy to sign-ins from any location, except the trusted named location. Any Box sign-in originating outside the trusted IP will be blocked before Entra ID issues a SAML assertion to Box.

Access Controls: Grant  

  1. Under Access Controls > Grant, select Block access.
  2. Click Select to confirm.

Enable policy  

  1. Set Enable policy to Report-only.
  2. Click Create.

IMPORTANT: Do not set this policy to On immediately. A block policy applied to All users that is misconfigured will lock all users out of Box instantly. Validate in Report-only mode first.  

Step 3: Validate the policy

Before enabling enforcement, confirm the policy is evaluating sign-ins correctly.

  1. In the Entra admin center, navigate to Identity > Monitoring & health > Sign-in logs.
  2. Filter by the Box application.
  3. Open a sign-in from a user on your trusted IP and confirm the Conditional Access tab shows Would succeed.
  4. If available, review a sign-in from an untrusted IP and confirm it shows Would fail with the location condition as the reason.
  5. Investigate any unexpected Would fail entries for users on trusted IPs — this typically indicates the office or VPN is presenting a different egress IP than what is entered in the Named Location.

TIP: Use the What If tool under Protection > Conditional Access to simulate how a specific user signing in from a specific IP would be evaluated without waiting for a real sign-in event.
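To make the policy logic from Step 2 and the validation outcomes from Step 3 concrete, here is an added Python model (not Microsoft's or Box's code) that evaluates constructed Box sign-in events the way the policy would: all users except the break-glass account, Box only, any location except the trusted Named Location, Block access. The account names, IPs and the extra 198.51.100.7 egress address are assumptions; it also covers the Step 3 edge case where a trusted office presents an egress IP that was never added to the Named Location.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy inputs (placeholders, not real tenant values).
BREAK_GLASS_ACCOUNT = "breakglass@example.com"   # excluded under Assignments > Users
TARGET_APP = "Box"                               # the only target resource
TRUSTED_NAMED_LOCATIONS = {                      # excluded under Conditions > Locations
    "Trusted - Corporate Office": ["203.0.113.10/32", "203.0.113.0/24"],
}


@dataclass
class SignIn:
    """One Entra ID sign-in event as seen in the sign-in logs (constructed)."""
    user: str
    app: str
    ip: str


def in_named_location(ip: str, cidrs: list[str]) -> bool:
    """True if the sign-in IP falls inside any CIDR of a Named Location."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def evaluate(signin: SignIn) -> tuple[str, str]:
    """Return (Report-only result, reason) using the page's wording.

    Only sign-ins that reach Entra ID are evaluated; a direct Box
    username/password login (SSO Required off) never appears here.
    """
    if signin.app != TARGET_APP:
        return "Not applied", "target resource is not Box"
    if signin.user == BREAK_GLASS_ACCOUNT:
        return "Not applied", "user is excluded from the policy"
    for name, cidrs in TRUSTED_NAMED_LOCATIONS.items():
        if in_named_location(signin.ip, cidrs):
            return "Would succeed", f"location excluded by Named Location '{name}'"
    # Include = Any location, Exclude = trusted Named Location, Grant = Block.
    return "Would fail", "location condition: IP outside trusted Named Locations"


if __name__ == "__main__":
    # Constructed sample sign-ins, including an office whose VPN egress IP
    # (198.51.100.7) was never added to the Named Location.
    events = [
        SignIn("alice@example.com", "Box", "203.0.113.10"),
        SignIn("bob@example.com", "Box", "203.0.113.200"),
        SignIn("carol@example.com", "Box", "198.51.100.7"),
        SignIn(BREAK_GLASS_ACCOUNT, "Box", "198.51.100.7"),
        SignIn("alice@example.com", "SharePoint", "198.51.100.7"),
    ]
    for e in events:
        print(f"{e.user:22} {e.app:11} {e.ip:15} -> {evaluate(e)}")
```

A "Would fail" for a user who is physically in the office (carol above) is the signal described in Step 3 that the real egress IP differs from what is in the Named Location.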

Step 4: Enable the policy

  1. In the Entra admin center, navigate to Protection > Conditional Access > Policies.
  2. Select the policy created in Step 2.
  3. Change Enable policy from Report-only to On.
  4. Click Save.

From this point forward, any Box sign-in attempt from an IP address not included in your Named Location will be blocked. Entra ID will not issue a SAML assertion to Box, and the user will be denied access at the identity provider level before reaching Box.

NOTE: Users who are already signed in to Box when the policy is enabled will not be immediately signed out. The block takes effect on the next sign-in or token refresh, typically within 1 hour.

Summary

The following summarizes the full configuration process:

  Prerequisites   Confirm license, Box SAML SSO configured with SSO Required enabled, Security Defaults disabled, static IP(s) identified
  Step 1          Create a Named Location with your trusted IP address(es)
  Step 2          Create a CA policy targeting Box, excluding the Named Location, with Block access
  Step 3          Validate in Report-only mode using sign-in logs and the What If tool
  Step 4          Switch Enable policy to On

FAQs

Does this block all access to Box from untrusted IPs?
It blocks SAML-based authentication through Entra ID. However, if SSO Required is not enabled in Box, users may still sign in directly using a Box username and password, bypassing Conditional Access.

What happens if SSO Required is not enabled in Box?
Users can bypass Entra ID entirely and authenticate directly with Box credentials, making the Conditional Access policy ineffective. SSO Required must be enabled for full enforcement.

Can this work with dynamic IP addresses?
No. This configuration requires static IP addresses. Dynamic IPs will result in inconsistent or unreliable enforcement.

Should I also configure IP restrictions in Box?
Yes, optionally. Box has native IP restriction settings in the Admin Console. These can be used alongside Entra ID Conditional Access for additional defense-in-depth.

What is a Named Location?
A Named Location is a list of trusted IP addresses or CIDR ranges defined in Microsoft Entra ID. It is used as a condition within Conditional Access policies.

Why should I use Report-only mode first?
Report-only mode allows you to validate the policy behavior before enforcing it, helping prevent accidental lockouts.

Do I need to exclude any accounts?
Yes. Always exclude a break-glass (emergency) admin account to prevent administrative lockout.

Will this immediately sign users out of Box?
No. Existing sessions are not terminated immediately. The policy takes effect on the next sign-in or token refresh, typically within about one hour.

What happens if the policy is misconfigured and enabled?
Because the policy targets all users, a misconfiguration can lock all users out of Box. This is why validation in Report-only mode is critical before enabling.
