Restrict Box Access to a Specific IP Address Using Conditional Access

Overview

This article walks through restricting Box access to one or more approved IP addresses 
using Conditional Access in Microsoft Entra ID. This is commonly used to prevent Box from 
being accessed outside of the corporate network or VPN, reducing the risk of unauthorized 
file access or data exfiltration from personal devices on untrusted networks..

The approach uses two components working together: 

• Named Locations:  A saved list of trusted IP addresses or CIDR ranges defined in 
  Entra ID. 
• Conditional Access policy:  A policy that blocks Box sign-ins originating from 
  any IP not on the trusted list. 

Please Note:  This configuration requires Box to be integrated with Microsoft Entra ID via SAML SSO. If SSO is not yet configured, complete that setup first before proceeding. Refer to the Box SSO KB article for setup instructions. 

Please Note: Box also has its own IP restriction settings in the Box Admin Console (Enterprise Settings > Security). Entra ID Conditional Access and Box's native IP restrictions can be used independently or together. This guide 
covers the Entra ID approach, which is recommended as the primary control 
since it enforces restrictions at the identity provider level — before 
authentication reaches Box.

Prerequisites

Before proceeding, confirm the following are in place:

• Microsoft Entra ID P1 or P2 license - required for Conditional Access.
• Conditional Access Administrator role or higher in Microsoft Entra ID.
• Box enterprise app (SAML SSO) registered in your Entra ID tenant with SSO 
  configured and SSO Required enabled in Box. 
• Security Defaults Disabled in Entra ID - Security Defaults and Conditional Access cannot run simultaneously.
• Known static IP address -  the public IP address or CIDR range of each approved location.
• Break-glass admin account -  must be excluded from this policy to prevent administrative lockout.

Important:  If SSO Required is not enabled in Box, users can bypass Entra ID 
entirely and sign in with a Box username and password directly — 
making the Conditional Access policy ineffective. Confirm SSO Required 
is active in Box before relying on this policy. 

Step 1: Create a Named Location for Your Trusted IP(s)

A Named Location defines the trusted IP addresses that Entra ID will reference as a condition in the policy.

1. Sign in to the Microsoft Entra admin center at entra.microsoft.com
2. Navigate to Protection > Conditional Access > Named locations.
3. Select + IP ranges locations.
4. Name the location. For example: Trusted - Corporate Office
5. Check the Mark as trusted location checkbox.
6. Click + and enter your approved IP address or CIDR range. 

7.  Click Create.

Step 2: Create the Conditional Access Policy

Create a policy that blocks Box access from any location not on your trusted list.

1. In the Entra admin center, navigate to Protection > Conditional Access > Policies.
2. Select + New policy.
3. Name the policy. For example, Block Box - Outside Trusted IPs

Assignments: Users

1. Under Assignments > Users, select All users.
2. Under Exclude, add your break-glass admin account and any automation or service accounts that authenticate from dynamic IPs.

Assignments: Target Resources

1. Under Target Resources, select Cloud apps > Select apps.
2. Search for and select Box.

Conditions: Locations

1. Under Conditions > Locations, set Configure to Yes.
2. Under Include, select Any location.
3. Under Exclude, select Selected locations, then choose the Named Location you created in Step 1.

Tip: This configuration reads: Apply this policy to sign-ins from any location except the trusted named location. Any Box sign-in originating outside the trusted IP will be blocked before a SAML assertion is issued to Box.

Access Controls: Grant

1. Under Access Controls > Grant, select Block access.
2. Click Select to confirm.

Enable Policy

1. Set Enable policy to Report-only.
2. Click Create.

Important: Do not set this policy to On immediately. A block policy applied to All users that is misconfigured will lock all users out of Box instantly. Always validate in Report-only mode first.

Step 3: Validate the Policy

Before enabling enforcement, confirm the policy is evaluating sign-ins correctly.

1. In the Entra admin center, navigate to Identity > Monitoring & health > Sign-in logs. 
2. Filter by Box.
3. Open a sign-in from a user on your trusted IP and confirm the Conditional Access 
tab shows Would succeed. 
4. If available, review a sign-in from an untrusted IP and confirm it shows Would fail 
with the location condition listed as the reason. 
5. Investigate any unexpected Would fail entries for users on trusted IPs — this 
typically indicates the office or VPN is presenting a different egress IP than what is 
entered in the Named Location.

Tip:  Use the What If tool under Protection > Conditional Access to simulate how a specific user signing in from a specific IP would be evaluated without waiting for a real sign-in event.

Step 4: Enable the Policy

1. In the Entra admin center, navigate to Protection > Conditional Access > Policies.
2. Select the policy created in Step 2.
3. Change Enable policy from Report-only to On.
4. Click Save.

From this point forward, any Box sign-in attempt from an IP address not included in your 
Named Location will be blocked. Entra ID will not issue a SAML assertion to Box, and the 
user will be denied access at the identity provider level before reaching Box. 

Please Note: Users who are already signed in to Box when the policy is enabled will not be immediately signed out. The block takes effect on the next sign-in or 
token refresh, typically within 1 hour.

Summary

The following table summarizes the full configuration process.