Restrict DocuSign Access to a Specific IP Address Using Conditional Access

Overview

This article walks through restricting DocuSign access to one or more approved IP addresses using Conditional Access in Microsoft Entra ID. This is commonly used to prevent DocuSign from being accessed outside of the corporate network or VPN, reducing the risk of unauthorized file access or data exfiltration from personal devices on untrusted networks.

The approach uses two components working together: 

• Named Locations:  A saved list of trusted IP addresses or CIDR ranges defined in 
  Entra ID. 
• Conditional Access policy:  A policy that blocks DocuSign sign-ins originating from 
  any IP not on the trusted list. 

Please Note:  This configuration requires DocuSign to be integrated with Microsoft Entra ID via SAML SSO, and your organization domain must be claimed in DocuSign. If SSO is not yet configured, complete that setup first before proceeding. Refer to the DocuSign SSO KB article for setup instructions. 

Important: DocuSign SSO is enforced at the domain level. Users whose email 
domains are claimed in DocuSign will be redirected through SSO 
automatically. Users with unclaimed domains can still sign in directly 
with a DocuSign username and password, bypassing Entra ID entirely. 
Confirm all user domains are claimed in DocuSign before relying on this 
policy for full coverage.

Prerequisites

Before proceeding, confirm the following are in place:

• Microsoft Entra ID P1 or P2 license - required for Conditional Access.
• Conditional Access Administrator role or higher in Microsoft Entra ID.
• DocuSign enterprise app (SAML SSO) registered in your Entra ID tenant with SSO 
  configured and your organization domain claimed in the DocuSign admin portal
• Security Defaults Disabled in Entra ID - Security Defaults and Conditional Access cannot run simultaneously.
• Known static IP address -  the public IP address or CIDR range of each approved location.
• Break-glass admin account -  must be excluded from this policy to prevent administrative lockout.

Important:  IIf your approved IP address is dynamic, this approach will not work 
reliably. You must use a static IP before implementing IP-based 
Conditional Access. 

Step 1: Create a Named Location for Your Trusted IP(s)

A Named Location defines the trusted IP addresses that Entra ID will reference as a condition in the policy.

1. Sign in to the Microsoft Entra admin center at entra.microsoft.com
2. Navigate to Protection > Conditional Access > Named locations.
3. Select + IP ranges locations.
4. Name the location. For example: Trusted - Corporate Office
5. Check the Mark as trusted location checkbox.
6. Click + and enter your approved IP address or CIDR range. 

7.  Click Create.

Step 2: Create the Conditional Access Policy

Create a policy that blocks DocuSign access from any location not on your trusted list.

1. In the Entra admin center, navigate to Protection > Conditional Access > Policies.
2. Select + New policy.
3. Name the policy. For example, Block DocuSign - Outside Trusted IPs

Assignments: Users

1. Under Assignments > Users, select All users.
2. Under Exclude, add your break-glass admin account and any automation or service accounts that authenticate from dynamic IPs.

Assignments: Target Resources

1. Under Target Resources, select Cloud apps > Select apps.
2. Search for and select DocuSign.

Conditions: Locations

1. Under Conditions > Locations, set Configure to Yes.
2. Under Include, select Any location.
3. Under Exclude, select Selected locations, then choose the Named Location you created in Step 1.

Tip: This configuration reads: Apply this policy to sign-ins from any location except the trusted named location. Any DocuSign sign-in originating outside the trusted IP will be blocked before a SAML assertion is issued to DocuSign.

Access Controls: Grant

1. Under Access Controls > Grant, select Block access.
2. Click Select to confirm.

Enable Policy

1. Set Enable policy to Report-only.
2. Click Create.

Important: Do not set this policy to On immediately. A block policy applied to All users that is misconfigured will lock all users out of DocuSign instantly. Always validate in Report-only mode first.

Step 3: Validate the Policy

Before enabling enforcement, confirm the policy is evaluating sign-ins correctly.

1. In the Entra admin center, navigate to Identity > Monitoring & health > Sign-in logs. 
2. Filter by the DocuSign application. 
3. Open a sign-in from a user on your trusted IP and confirm the Conditional Access 
tab shows Would succeed. 
4. If available, review a sign-in from an untrusted IP and confirm it shows Would fail 
with the location condition listed as the reason. 
5. Investigate any unexpected Would fail entries for users on trusted IPs — this 
typically indicates the office or VPN is presenting a different egress IP than what is 
entered in the Named Location.

Tip:  Use the What If tool under Protection > Conditional Access to simulate how a specific user signing in from a specific IP would be evaluated without waiting for a real sign-in event.

Step 4: Enable the Policy

1. In the Entra admin center, navigate to Protection > Conditional Access > Policies.
2. Select the policy created in Step 2.
3. Change Enable policy from Report-only to On.
4. Click Save.

From this point forward, any DocuSign sign-in attempt from an IP address not included in your Named Location will be blocked. Entra ID will not issue a SAML assertion to DocuSign, and the user will be denied access at the identity provider level before reaching the DocuSign application.

Please Note: Users who are already signed in to DocuSign when the policy is enabled will not be immediately signed out. The block takes effect on the next sign-in or token refresh, typically within 1 hour.

Summary

The following table summarizes the full configuration process.