Use IP Allowlisting to enforce zero trust policies for specific SaaS Applications integrated with Entra ID

Use Named Locations and Conditional Access policies in Azure AD to ensure use of a Service Tunnel when authenticating to a SaaS Application like O365
Updated On: Jun 24, 2026

Overview

This guide explains how to use Named Locations and Conditional Access policies in Entra ID to require that end users have Service Tunnel for authenticating to specific SaaS application(s). In the steps below, we use Office 365 as the example application.

Steps

Step 1: Register a Service Tunnel for Public Domains

1.1 Register a Service Tunnel for Public Domains.

1.2 Configure the Service Tunnel to include the Azure portal domains used for authentication:

  • login.microsoftonline.com
  • aadcdn.msftauth.net
  • aadcdn.msftauthimages.net
  • aadcdn.msauthimages.net
  • logincdn.msftauth.net
  • login.live.com
  • msauth.net
  • aadcdn.microsoftonline-p.com
  • microsoftonline-p.com

AND/OR

The public IPv4 ranges listed under endpoint set ID 56 (Microsoft 365 Common and Office Online) in the Microsoft 365 IP Address and URL web service:

  • 20.20.32.0/19
  • 20.190.128.0/18
  • 20.231.128.0/19
  • 40.126.0.0/18

The domains and IP ranges above cover Entra/Microsoft 365 authentication only. They are sufficient for basic IP allowlisting of sign-in. If you also use Continuous Access Evaluation, see Continuous Access Evaluation (CAE) below, because CAE requires additional resource-service endpoints to be routed through the Service Tunnel.

These domains and IP ranges change regularly. For the authoritative, current values, use the Microsoft 365 IP Address and URL web service at https://endpoints.office.com/endpoints/worldwide (see Microsoft 365 IP Address and URL web service), or consult Microsoft 365 URLs and IP address ranges. Do not forward all Microsoft 365 endpoints through CSE; route only the authentication endpoints above, plus any resource endpoints required for CAE.

Step 2: Create a named location to use in a Conditional Access policy

2.1 In the Microsoft Entra admin center, navigate to Protection > Conditional Access > Named locations, and select + IP ranges location.

2.2 Enter a name (e.g., Service Tunnel) and the IP address(es) of the relevant Access Tiers.

Step 3: Create a Conditional Access policy and assign the location condition

3.1 In the Entra admin center, navigate to Protection > Conditional Access > Policies, and select Create new policy.

3.2 Enter a name for the policy and include the following configurations:

  • Assignments:
    • Cloud apps or actions - Select the application(s) for which a Service Tunnel connection should be required before authentication (e.g., Office 365).
  • Conditions:
    • Locations - Set Configure to Yes, and Exclude the location(s) defined in Step 2 (leave Include at Any location, so that every other source address falls under the policy).
  • Access Controls:
    • Grant - Set to Block access.

3.3 Enable the policy, and Save.
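The named location from Step 2 and the policy from Step 3 can also be created through Microsoft Graph instead of the admin center. The following is an added example, not CSE's or Microsoft's own code: it builds the two request bodies, checks the named location against the CAE requirements listed later in this guide, and assumes the Graph v1.0 Conditional Access endpoints and an access token obtained separately (TOKEN and the Access Tier egress addresses below are placeholders).

```python
import ipaddress
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0/identity/conditionalAccess"
CAE_MAX_RANGES = 5000  # above this total, CAE issues a one-hour token instead

def named_location_body(name, cidrs, trusted=True):
    """Step 2 as a Graph ipNamedLocation; Graph needs each CIDR typed as IPv4 or IPv6.
    Marking the location trusted is this example's choice (the CAE section talks of
    'trusted' locations); Step 2 itself does not require it."""
    ranges = [{"@odata.type": "#microsoft.graph.iPv%dCidrRange"
               % ipaddress.ip_network(c, strict=False).version, "cidrAddress": c}
              for c in cidrs]
    return {"@odata.type": "#microsoft.graph.ipNamedLocation", "displayName": name,
            "isTrusted": trusted, "ipRanges": ranges}

def block_outside_tunnel_policy(name, location_ids, app_ids=("Office365",)):
    """Step 3: target the app(s), include all locations, exclude the Step 2 location(s)
    and block. 'Office365' is Graph's identifier for the Office 365 app group."""
    return {"displayName": name, "state": "enabled",
            "conditions": {"users": {"includeUsers": ["All"]},
                           "clientAppTypes": ["all"],
                           "applications": {"includeApplications": list(app_ids)},
                           "locations": {"includeLocations": ["All"],
                                         "excludeLocations": list(location_ids)}},
            "grantControls": {"operator": "OR", "builtInControls": ["block"]}}

def named_location_warnings(body):
    """CAE checks from this guide: both address families present, and the 5,000-range
    ceiling (it applies to the total across all location policies; this counts one)."""
    versions = {ipaddress.ip_network(r["cidrAddress"], strict=False).version
                for r in body["ipRanges"]}
    warnings = []
    if versions != {4, 6}:
        warnings.append("missing IPv4 or IPv6 egress ranges: expect intermittent blocks")
    if len(body["ipRanges"]) > CAE_MAX_RANGES:
        warnings.append("more than 5,000 ranges: CAE falls back to a one-hour token")
    return warnings

def graph_post(path, body, token):
    """POST to Graph; the token must carry Policy.ReadWrite.ConditionalAccess."""
    req = urllib.request.Request(f"{GRAPH}/{path}", data=json.dumps(body).encode(),
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # Constructed Access Tier egress addresses (documentation prefixes), not real ones.
    loc = named_location_body("Service Tunnel", ["203.0.113.10/32", "2001:db8:1::/64"])
    print(named_location_warnings(loc) or "named location passes the CAE checks")
    # With a real token: loc_id = graph_post("namedLocations", loc, TOKEN)["id"]
    print(json.dumps(block_outside_tunnel_policy("Require Service Tunnel for Office 365",
                                                 ["<named-location-id>"]), indent=1))
```

Create the named location first and pass the id Graph returns into the policy body; a policy created with state "enabled" blocks immediately, so test with a pilot group before widening includeUsers.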

Expected Behaviour

If the user DOES NOT have the Service Tunnel connection established, the user will receive an error message indicating that they cannot access the resource (see below). The user(s) must have the relevant Service Tunnel connection established in order to access the resource (e.g., Office 365).

Continuous Access Evaluation (CAE)

Continuous Access Evaluation lets Microsoft enforce Conditional Access location (IP) policies in near real time. With CAE, the resource services — Exchange Online, SharePoint Online, and Microsoft Teams — evaluate the IP location policy themselves and reject a token (via a claim challenge) when the request arrives from a non-allowed IP.

This has a direct consequence for CSE IP allowlisting: the trusted IP (the CSE Access Tier egress) must be seen by both Microsoft Entra and the resource provider. The authentication endpoints in Step 1 are not sufficient on their own. You must also route the resource-service traffic through the Service Tunnel so that Exchange Online, SharePoint Online, and Teams see the Access Tier egress IP.

Additional endpoints to route through the Service Tunnel

In addition to the authentication endpoints in Step 1, include the resource endpoints for the services you protect. Pull the current values from the Microsoft 365 IP Address and URL web service; the relevant service areas are:

  • Exchange Online (for example, outlook.office.com, outlook.office365.com).
  • SharePoint Online and OneDrive (for example, *.sharepoint.com, <tenant>-my.sharepoint.com).
  • Microsoft Teams (for example, teams.microsoft.com).

Important: Do not forward the entire Microsoft 365 endpoint list through CSE. Route only the authentication endpoints plus the resource endpoints for the services you are protecting.

Requirements and limitations

Based on Microsoft's current CAE behavior:

  • Use the IP-based Conditional Access location condition. CAE does not enforce country/region locations or the legacy MFA Trusted IPs feature in real time.
  • Include both IPv4 and IPv6 egress addresses that Entra and the resource providers can see. A missing address family causes intermittent blocks.
  • Egress IPs should be dedicated and enumerable. If resource-provider egress IPs are shared or non-enumerable, Microsoft advises against adding them to a trusted location, and CAE falls back to a one-hour token rather than instant enforcement.
  • If the total of all IP ranges in your location policies exceeds 5,000, CAE cannot enforce location changes in real time and issues a one-hour token instead.
  • The Teams calls and chat services do not honor IP-based Conditional Access policies.

For full guidance, see Microsoft's Continuous access evaluation and network assignment documentation.
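Building the Service Tunnel include list from the web service named in Step 1 and in the CAE section above (authentication set ID 56 plus the Exchange, SharePoint and Teams service areas, and nothing else) can be scripted. The following is an added example, not part of this guide or of CSE's tooling: the sample endpoint data is constructed in the web service's JSON shape (only the ID 56 domains and IPv4 ranges come from the guide; the other IDs and prefixes are placeholders), and the clientrequestid GUID is the parameter the Microsoft web service expects on a live call.

```python
import ipaddress
import json
import urllib.request
import uuid

ENDPOINTS_URL = "https://endpoints.office.com/endpoints/worldwide"

# Constructed sample in the web service's JSON shape; ID 56's domains and IPv4
# ranges are from the guide, everything else (other IDs, IPv6 and RFC 5737 / 3849
# prefixes) is a placeholder rather than Microsoft's real data.
SAMPLE_ENDPOINTS = json.loads("""[
 {"id": 56, "serviceArea": "Common", "category": "Allow",
  "urls": ["login.microsoftonline.com", "login.live.com"],
  "ips": ["20.190.128.0/18", "40.126.0.0/18", "2001:db8:56::/48"]},
 {"id": 1, "serviceArea": "Exchange", "category": "Optimize",
  "urls": ["outlook.office.com", "outlook.office365.com"], "ips": ["203.0.113.0/24"]},
 {"id": 31, "serviceArea": "SharePoint", "category": "Optimize",
  "urls": ["*.sharepoint.com"], "ips": ["198.51.100.0/24", "2001:db8:31::/48"]},
 {"id": 12, "serviceArea": "Skype", "category": "Optimize",
  "urls": ["teams.microsoft.com"], "ips": ["192.0.2.0/24"]},
 {"id": 99, "serviceArea": "Common", "category": "Default",
  "urls": ["example.invalid"], "ips": []}
]""")

def fetch_endpoints():
    """Live fetch of the worldwide instance; the service requires a per-client GUID."""
    with urllib.request.urlopen(f"{ENDPOINTS_URL}?clientrequestid={uuid.uuid4()}") as r:
        return json.load(r)

def build_tunnel_includes(endpoints, auth_ids=(56,),
                          resource_areas=("Exchange", "SharePoint", "Skype"),
                          categories=("Optimize", "Allow")):
    """Return {'urls', 'ipv4', 'ipv6'} for the authentication set (ID 56) plus the
    resource services CAE enforces (Teams is published under the 'Skype' area).
    The catch-all 'Default' category and other areas are left out on purpose so the
    Service Tunnel does not carry the whole Microsoft 365 endpoint list."""
    out = {"urls": set(), "ipv4": set(), "ipv6": set()}
    for entry in endpoints:
        wanted = entry["id"] in auth_ids or (
            entry["serviceArea"] in resource_areas and entry["category"] in categories)
        if not wanted:
            continue
        out["urls"].update(entry.get("urls", []))
        for cidr in entry.get("ips", []):
            version = ipaddress.ip_network(cidr, strict=False).version
            out["ipv6" if version == 6 else "ipv4"].add(cidr)
    return {key: sorted(values) for key, values in out.items()}

if __name__ == "__main__":
    print(json.dumps(build_tunnel_includes(SAMPLE_ENDPOINTS), indent=1))
```

Replace SAMPLE_ENDPOINTS with fetch_endpoints() to generate the list from current Microsoft data, and re-run it on a schedule, since the ranges change regularly.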