As part of a ThreatLocker ZTCA deployment, this article outlines how to configure Entra Conditional Access to restrict Microsoft 365 sign-ins to trusted IP addresses.
Access to Microsoft 365 plays a critical role in the day-to-day operations of most organizations, supporting communication, collaboration, and data storage across users and devices.
Because Microsoft 365 services are accessible from anywhere, they are a frequent target for attackers attempting to exploit compromised credentials or session tokens to gain unauthorized access.
By enforcing IP-based restrictions at the identity layer, organizations can limit where sign-ins are allowed to originate, reducing exposure and strengthening overall security posture.
Why you should restrict Microsoft 365 access by IP address
Restricting access to Microsoft 365 by IP address helps reduce the risk of unauthorized access by controlling where authentication requests are allowed to originate.
Key benefits include:
- Block sign-ins from untrusted or unknown networks
- Reduce the impact of compromised credentials
- Ensure users access Microsoft 365 only from approved environments
- Add additional protection alongside MFA
- Support compliance and security requirements
While this significantly reduces risk, IP-based restrictions should always be combined with additional controls such as MFA, Zero Trust enforcement, and identity protections.
Step-by-step: Restricting Microsoft 365 access to specific IP addresses
The approach uses two components working together:
- Named Location: A defined list of trusted IP addresses or ranges
- Conditional Access policy: A policy that blocks sign-ins from any location not in the trusted list
Important limitations and considerations (read first)
Before implementing this configuration, it is important to understand how Conditional Access enforcement works in Microsoft 365.
Conditional Access applies at sign-in and token refresh
Conditional Access policies are evaluated during authentication and periodically during token refresh.
- Access decisions happen at sign-in
- Existing sessions remain active until token expiry or refresh
This means users already signed in may not be immediately blocked when the policy is enabled.
Existing sessions are not immediately terminated
When the policy is turned on:
- Users already authenticated remain signed in
- The restriction takes effect on:
  - Next sign-in
  - Token refresh cycle
Legacy authentication must be disabled
Some older authentication methods do not support Conditional Access.
IMPORTANT: Ensure legacy authentication is disabled in your tenant.
If left enabled, these methods can bypass Conditional Access policies entirely.
Non-interactive and service access may not be covered
Conditional Access policies primarily apply to interactive user sign-ins.
They do not always apply to:
- Background services
- Automated processes
- Service accounts
- Some integrations
These access paths should be controlled separately using:
- Identity permissions
- Conditional Access (where supported)
- ZTCA network controls
Client and mobile applications rely on token behavior
Applications such as Outlook, Teams, and mobile apps may continue to function until their tokens are refreshed.
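To see how these limitations show up in practice, here is an added example (not part of the original article or ThreatLocker's tooling) that triages a few constructed sign-in records, shaped like Entra sign-in log entries, against the block-by-location policy described below: trusted ranges, the break-glass exclusion, legacy authentication and non-interactive access are each handled as the limitations above describe. The IP ranges, user names and clientAppUsed values are sample data.

```python
import ipaddress

# Trusted ranges of the named location (constructed sample values, not real office addresses)
TRUSTED_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.10/32")]
BREAK_GLASS = {"breakglass@example.com"}  # excluded from the policy to prevent lockout
# clientAppUsed values for modern auth; anything else is legacy authentication
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed records shaped like Entra sign-in log entries
SIGN_INS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.25",
     "clientAppUsed": "Browser", "isInteractive": True},
    {"userPrincipalName": "bob@example.com", "ipAddress": "192.0.2.77",
     "clientAppUsed": "Mobile Apps and Desktop clients", "isInteractive": True},
    {"userPrincipalName": "breakglass@example.com", "ipAddress": "192.0.2.77",
     "clientAppUsed": "Browser", "isInteractive": True},
    {"userPrincipalName": "carol@example.com", "ipAddress": "192.0.2.5",
     "clientAppUsed": "Exchange ActiveSync", "isInteractive": True},
    {"userPrincipalName": "svc-backup@example.com", "ipAddress": "192.0.2.9",
     "clientAppUsed": "Mobile Apps and Desktop clients", "isInteractive": False},
]

def in_trusted_location(ip: str) -> bool:
    """True when the address falls inside one of the named location's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RANGES)

def evaluate(record: dict) -> str:
    """Outcome the block-by-location policy would produce for one sign-in record."""
    if record["userPrincipalName"] in BREAK_GLASS:
        return "excluded"                 # the policy is not assigned to this account
    if record["clientAppUsed"] not in MODERN_CLIENTS:
        return "not-covered-legacy"       # legacy auth bypasses CA: disable it tenant-wide
    if not record["isInteractive"]:
        return "review-non-interactive"   # may not be covered: control via permissions/ZTCA
    if in_trusted_location(record["ipAddress"]):
        return "allow"                    # trusted location is excluded from the block
    return "block"                        # any other location is blocked

def triage(records: list) -> dict:
    """Group user principal names by outcome, as when reviewing report-only results."""
    grouped = {}
    for rec in records:
        grouped.setdefault(evaluate(rec), []).append(rec["userPrincipalName"])
    return grouped

if __name__ == "__main__":
    for outcome, users in triage(SIGN_INS).items():
        print(f"{outcome:24} {', '.join(users)}")
```

Records landing in the two "not-covered" and "review" buckets are the ones the policy alone will not protect, which is why the legacy-auth and ZTCA controls below are required.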
Step 1: Create a Named Location
- Sign in to the Microsoft Entra Admin Center
- Navigate to: Protection → Conditional Access → Named locations
- Select + IP ranges location
Configure the location:
- Name: Allowed Office Location
- IP ranges: add the trusted public IP addresses or ranges
- Enable Mark as trusted location (optional)
Click Create
Step 2: Create the Conditional Access policy
- Navigate to: Protection → Conditional Access → Policies
- Select + New policy
Policy name: Restrict Microsoft 365 Access to Approved IP
Step 3: Configure users
Under Assignments → Users, select either:
- All users (recommended)
- Specific user groups
Always exclude a break-glass admin account to prevent lockout.
Step 4: Select target applications
Under Assignments → Target resources:
- Select All cloud apps
This ensures the policy applies across all Microsoft 365 services.
Step 5: Configure location conditions
- Navigate to Conditions → Locations
- Set Configure = Yes
- Include → Any location
- Exclude → Selected locations → Allowed Office Location
Because every location is included and only the trusted location is excluded, any sign-in from outside the trusted IP ranges is blocked.
Step 6: Configure access controls
- Go to Access controls → Grant
- Select Block access
- Click Select
Step 7: Enable the policy
Under Enable policy, choose:
- Report-only (recommended for testing)
- On (after validation)
Click Create
Always validate in Report-only mode first to prevent unintended lockouts.
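The same seven steps expressed as Microsoft Graph request bodies, as an added example (not the article's own or ThreatLocker's code), together with a guardrail check for the lockout mistakes the steps warn about. It assumes the Graph endpoints /identity/conditionalAccess/namedLocations and /identity/conditionalAccess/policies; the CIDR ranges and the break-glass object ID are placeholders you replace with your own.

```python
import json

# Placeholders: replace with your trusted ranges and the break-glass user's object ID
TRUSTED_CIDRS = ["203.0.113.0/24", "198.51.100.10/32"]
BREAK_GLASS_OBJECT_ID = "<break-glass-user-object-id>"

def named_location_body(name="Allowed Office Location", cidrs=TRUSTED_CIDRS, trusted=True):
    """Step 1: request body for POST /identity/conditionalAccess/namedLocations."""
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": name,
        "isTrusted": trusted,  # the optional "Mark as trusted location" checkbox
        "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": c}
                     for c in cidrs],
    }

def policy_body(named_location_id, break_glass_id=BREAK_GLASS_OBJECT_ID, report_only=True):
    """Steps 2-7: request body for POST /identity/conditionalAccess/policies."""
    return {
        "displayName": "Restrict Microsoft 365 Access to Approved IP",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],                      # Step 3
                      "excludeUsers": [break_glass_id] if break_glass_id else []},
            "applications": {"includeApplications": ["All"]},       # Step 4
            "locations": {"includeLocations": ["All"],              # Step 5
                          "excludeLocations": [named_location_id] if named_location_id else []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},  # Step 6
    }

def lockout_guardrails(policy: dict) -> list:
    """Problems that commonly cause self-lockout with a block-by-location policy."""
    problems = []
    cond = policy["conditions"]
    if not cond["users"]["excludeUsers"]:
        problems.append("no break-glass account excluded")
    if not cond["locations"]["excludeLocations"]:
        problems.append("no trusted location excluded: every sign-in would be blocked")
    if policy["state"] == "enabled":
        problems.append("policy enforced: confirm report-only results were reviewed first")
    return problems

if __name__ == "__main__":
    policy = policy_body("<named-location-id-returned-by-step-1>")
    print(json.dumps(named_location_body(), indent=2))
    print(json.dumps(policy, indent=2))
    print("guardrails:", lockout_guardrails(policy) or "ok")
```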
Additional recommendations for full Zero Trust coverage
To strengthen this configuration:
- Enforce multi-factor authentication (MFA)
- Disable legacy authentication protocols
- Monitor sign-ins and risky behavior
- Apply least privilege access controls
- Combine with:
  - ThreatLocker ZTCA enforcement
  - Endpoint/device security policies
Summary
This configuration provides identity-layer IP restriction for Microsoft 365 sign-ins.
However, full security requires layered controls:
- Conditional Access: controls where sign-ins originate
- Authentication policies: prevent legacy auth bypass
- Token/session behavior awareness: determines when enforcement occurs
- ZTCA network controls: provide additional enforcement beyond identity
FAQs
Does this block all access to Microsoft 365 from untrusted IPs?
No. It blocks sign-ins outside approved IPs. Existing sessions and some non-interactive access may continue temporarily.
What happens if legacy authentication is enabled?
Legacy authentication methods may bypass Conditional Access controls. These should be disabled to ensure full enforcement.
Will users be signed out immediately?
No. Existing sessions remain active until token refresh or reauthentication.
Can attackers bypass IP restrictions?
Yes, attackers may attempt to use:
- Compromised VPN infrastructure
- Proxy services
- Active sessions
This is why IP restrictions must be combined with Zero Trust controls.