This guide explains how to use Named Locations and Conditional Access policies in Entra ID to require that end users have Service Tunnel for authenticating to specific SaaS application(s). In the steps below, we use Office 365 as the example application.
1.1 Register a Service Tunnel for Public Domains.
1.2 Configure the Service Tunnel to include the Azure portal domains used for authentication:
login.microsoftonline.com
aadcdn.msftauth.net
aadcdn.msftauthimages.net
aadcdn.msauthimages.net
logincdn.msftauth.net
login.live.com
msauth.net
aadcdn.microsoftonline-p.com
microsoftonline-p.com
AND/OR
The public IPv4 ranges listed in ID 56 for Microsoft 365 Common and Office Online:
20.20.32.0/19, 20.190.128.0/18, 20.231.128.0/19, 40.126.0.0/18
The domains and IP ranges above cover Entra/Microsoft 365 authentication only. They are sufficient for basic IP allowlisting of sign-in. If you also use Continuous Access Evaluation, see Continuous Access Evaluation (CAE) below, because CAE requires additional resource-service endpoints to be routed through the Service Tunnel.
These domains and IP ranges change regularly. For the authoritative, current values, use the Microsoft 365 IP Address and URL web service at https://endpoints.office.com/endpoints/worldwide (see Microsoft 365 IP Address and URL web service), or consult Microsoft 365 URLs and IP address ranges. Do not forward all Microsoft 365 endpoints through CSE; route only the authentication endpoints above, plus any resource endpoints required for CAE.
2.1 In the Microsoft Entra admin center, navigate from Protection > Conditional Access > Named locations, and select + IP ranges location.
2.2 Enter a name (e.g., Service Tunnel) and the IP address(es) of the relevant Access Tiers.
3.1 Navigate from Entra admin center > Protection > Conditional Access > Policies, and select Create new policy.
3.2 Enter a name for the policy and include the following configurations:
Assignments:
Conditions:
Access Controls:
3.3 Enable the policy, and Save.
If the user DOES NOT have the Service Tunnel connection established, the user will receive an error message indicating that they cannot access the resource (see below). The user(s) must have the relevant Service Tunnel connection established in order to access the resource (e.g., Office 365).
Continuous Access Evaluation lets Microsoft enforce Conditional Access location (IP) policies in near real time. With CAE, the resource services — Exchange Online, SharePoint Online, and Microsoft Teams — evaluate the IP location policy themselves and reject a token (via a claim challenge) when the request arrives from a non-allowed IP.
This has a direct consequence for CSE IP allowlisting: the trusted IP (the CSE Access Tier egress) must be seen by both Microsoft Entra and the resource provider. The authentication endpoints in Step 1 are not sufficient on their own. You must also route the resource-service traffic through the Service Tunnel so that Exchange Online, SharePoint Online, and Teams see the Access Tier egress IP.
In addition to the authentication endpoints in Step 1, include the resource endpoints for the services you protect. Pull the current values from the Microsoft 365 IP Address and URL web service; the relevant service areas are:
outlook.office.com, outlook.office365.com).*.sharepoint.com, <tenant>-my.sharepoint.com).teams.microsoft.com).Important: Do not forward the entire Microsoft 365 endpoint list through CSE. Route only the authentication endpoints plus the resource endpoints for the services you are protecting.
Based on Microsoft's current CAE behavior:
For full guidance, see Microsoft's Continuous access evaluation and network assignment documentation.