Restrict GitHub Access to a Specific IP Address Using Conditional Access

6 min. read | Last update: 04.20.2026

Overview

This article walks through restricting GitHub Enterprise access to one or more approved IP addresses using Conditional Access in Microsoft Entra ID. This is commonly used to ensure GitHub can only be accessed from a corporate network, reducing the risk of unauthorized repository access or code exfiltration from untrusted networks.

The approach uses two components working together: 

  • Named Locations:  A saved list of trusted IP addresses or CIDR ranges defined in 
    Entra ID. 
  • Conditional Access policy:  A policy that blocks GitHub Enterprise sign-ins originating from 
    any IP not on the trusted list. 

SAML vs OIDC — Choose the Right Approach First

GitHub Enterprise supports two authentication methods with Entra ID, and the correct IP 
restriction approach depends on which one your organization uses. Confirm your setup 
before proceeding.

Authentication method, use case and IP restriction approach:

  • SAML SSO
    Use case: GitHub Enterprise Cloud (Organization or Enterprise Account) using personal GitHub accounts.
    IP restriction approach: Supported via Entra ID Conditional Access with Named Locations, as described in this article.
  • OIDC SSO
    Use case: GitHub Enterprise Managed Users (EMU) only.
    IP restriction approach: GitHub natively reads Entra ID Conditional Access IP conditions and enforces them automatically. A separate CA policy is not required — enabling OIDC and configuring IP-based CA in Entra ID is sufficient.

This article covers the SAML SSO path. If your organization uses Enterprise Managed Users (EMU) with OIDC, GitHub enforces Entra ID Conditional Access IP conditions natively: follow the OIDC configuration in GitHub's documentation and configure your IP-based Named Locations in Entra ID; no additional CA policy is required.

Prerequisites

Before proceeding, confirm the following are in place:

  • Microsoft Entra ID P1 or P2 license - required for Conditional Access.
  • Conditional Access Administrator role or higher in Microsoft Entra ID.
  • GitHub Enterprise Cloud enterprise app (SAML SSO) registered in your Entra ID tenant, with SSO enforced at the organization or enterprise account level.
  • Security Defaults disabled in Entra ID - Security Defaults and Conditional Access cannot run simultaneously.
  • Known static IP address - the public IP address or CIDR range of each approved location.
  • Break-glass admin account - must be excluded from this policy to prevent administrative lockout.

Important:  If your approved IP address is dynamic, this approach will not work reliably. You must use a static IP before implementing IP-based Conditional Access.

Step 1: Create a Named Location for Your Trusted IP(s)

A Named Location defines the trusted IP addresses that Entra ID will reference as a condition in the policy.

  1. Sign in to the Microsoft Entra admin center at entra.microsoft.com.
  2. Navigate to Protection > Conditional Access > Named locations.
  3. Select + IP ranges location.
  4. Name the location. For example: Trusted - Corporate Office
  5. Check the Mark as trusted location checkbox.
  6. Click + and enter your approved IP address or CIDR range:
     • Single IP address: 203.0.113.10/32
     • IP range (CIDR): 203.0.113.0/24
     • Multiple sites: Create a separate Named Location for each site, then reference all of them in the policy.
  7. Click Create.

Step 2: Create the Conditional Access Policy

Create a policy that blocks GitHub Enterprise access from any location not on your trusted list.

  1. In the Entra admin center, navigate to Protection > Conditional Access > Policies.
  2. Select + New policy.
  3. Name the policy. For example, Block GitHub Enterprise - Outside Trusted IPs

Assignments: Users

  1. Under Assignments > Users, select All users.
  2. Under Exclude, add your break-glass admin account and any automation or service accounts that authenticate from dynamic IPs.

Assignments: Target Resources

  1. Under Target Resources, select Cloud apps > Select apps.
  2. Search for and select GitHub Enterprise Cloud - Organization or GitHub Enterprise Cloud - Enterprise Account, depending on how your SSO is configured.

Please Note: If your SSO is configured at the organization level, select GitHub Enterprise Cloud - Organization. If SSO is configured at the enterprise account level to cover all organizations, select GitHub Enterprise Cloud - Enterprise Account. Target the app that matches your existing SSO enterprise application.

Conditions: Locations

  1. Under Conditions > Locations, set Configure to Yes.
  2. Under Include, select Any location.
  3. Under Exclude, select Selected locations, then choose the Named Location you created in Step 1.

Tip: This configuration reads: Apply this policy to sign-ins from any location except the trusted named location. Any GitHub Enterprise sign-in originating outside the trusted IP will be blocked before a SAML assertion is issued to GitHub.

Access Controls: Grant

  1. Under Access Controls > Grant, select Block access.
  2. Click Select to confirm.

Enable Policy

  1. Set Enable policy to Report-only.
  2. Click Create.

Important: Do not set this policy to On immediately. A block policy applied to All users that is misconfigured will lock all users out of GitHub Enterprise instantly. Always validate in Report-only mode first.
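The Named Location from Step 1 and the report-only block policy from Step 2 can also be created with Microsoft Graph PowerShell, which keeps the configuration reviewable and repeatable. This is an added example, not code from the article or from Microsoft's documentation; the Microsoft.Graph cmdlets and Graph object types are real, while the CIDR, the GitHub app client ID and the break-glass object ID are placeholders you must replace with your tenant's values.

```powershell
# Added example (not from the article): Step 1 and Step 2 via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; 203.0.113.0/24 is a documentation range
# standing in for your corporate egress; the two IDs below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

$TrustedCidrs = @("203.0.113.0/24")                                           # your approved range(s)
$GitHubAppId  = "<appId (client ID) of the GitHub Enterprise Cloud SAML app>"  # placeholder
$BreakGlassId = "<object ID of the break-glass admin account>"                 # placeholder

# Step 1: Named Location marked as trusted, one IPv4 CIDR entry per approved range
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Trusted - Corporate Office"
    isTrusted     = $true
    ipRanges      = @($TrustedCidrs | ForEach-Object {
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $_ }
    })
}

# Step 2: all users except break-glass, GitHub app only, any location except the
# Named Location, grant = block. State is Report-only on purpose; Step 4 flips it to enabled.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Block GitHub Enterprise - Outside Trusted IPs"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
        applications = @{ includeApplications = @($GitHubAppId) }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

"Created Named Location $($location.Id) and policy $($policy.Id) in Report-only mode"
```

Setting the policy state to enabled later (Step 4) is a single Update-MgIdentityConditionalAccessPolicy call with `state = "enabled"`, after the Report-only results have been reviewed.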

Step 3: Validate the Policy

Before enabling enforcement, confirm the policy is evaluating sign-ins correctly.

  1. In the Entra admin center, navigate to Identity > Monitoring & health > Sign-in logs.
  2. Filter by the GitHub Enterprise Cloud application.
  3. Open a sign-in from a user on your trusted IP and confirm the Conditional Access tab shows Would succeed.
  4. If available, review a sign-in from an untrusted IP and confirm it shows Would fail with the location condition listed as the reason.
  5. Investigate any unexpected Would fail entries — this typically indicates the network is presenting a different egress IP than what is entered in the Named Location.

Tip:  Use the What If tool under Protection > Conditional Access to simulate how a specific user signing in from a specific IP would be evaluated without waiting for a real sign-in event.
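To make the Step 3 review systematic, the following added example (not part of the article) checks each Report-only outcome against the CIDRs entered in the Named Location, so a Would fail entry whose IP is outside the range, or any outcome that disagrees with the range check, is surfaced at once. The sign-in records are constructed sample data carrying only the fields the script needs; the Get-MgAuditLogSignIn call in the comment is an assumption about how you would pull real entries.

```powershell
# Added example (not from the article). Cross-checks Report-only results for the GitHub app
# against the Named Location CIDRs from Step 1. $signIns below is constructed sample data; with
# the Microsoft.Graph module you would fill it from the sign-in log instead, e.g.
#   Get-MgAuditLogSignIn -Filter "appDisplayName eq 'GitHub Enterprise Cloud - Organization'" -Top 500
# reading the per-policy result from each entry's AppliedConditionalAccessPolicies.
$TrustedCidrs = @("203.0.113.0/24")   # must match what was entered in the Named Location

function Test-IpInCidr {
    param([string]$Ip, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $toInt = {
        param([string]$Address)
        $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
        [Array]::Reverse($bytes)                 # network byte order -> host order for BitConverter
        [int64][BitConverter]::ToUInt32($bytes, 0)
    }
    $prefix = [int]$prefix
    $mask = if ($prefix -eq 0) { 0 } else { (4294967295 -shl (32 - $prefix)) -band 4294967295 }
    ((& $toInt $Ip) -band $mask) -eq ((& $toInt $network) -band $mask)
}

# Constructed sample entries (documentation IP ranges, fictitious users)
$signIns = @(
    [pscustomobject]@{ User = "alice@contoso.example"; IpAddress = "203.0.113.25"; Result = "reportOnlySuccess" },
    [pscustomobject]@{ User = "bob@contoso.example";   IpAddress = "198.51.100.7";  Result = "reportOnlyFailure" },
    [pscustomobject]@{ User = "carol@contoso.example"; IpAddress = "203.0.113.99";  Result = "reportOnlyFailure" }
)

$review = foreach ($s in $signIns) {
    $inRange  = @($TrustedCidrs | Where-Object { Test-IpInCidr -Ip $s.IpAddress -Cidr $_ }).Count -gt 0
    $expected = if ($inRange) { "reportOnlySuccess" } else { "reportOnlyFailure" }
    $note = if ($s.Result -ne $expected) {
        "MISMATCH: result disagrees with the Named Location; check which location the policy excludes"
    } elseif (-not $inRange) {
        "Will be blocked once enforced; if this user was on-site, the real egress IP is not in the Named Location"
    } else { "OK" }
    [pscustomobject]@{ User = $s.User; IpAddress = $s.IpAddress; Result = $s.Result; InNamedLocation = $inRange; Note = $note }
}
$review | Format-Table -AutoSize
```

In the sample, bob's entry is the case item 5 above tells you to investigate (a Would fail from an IP outside the range), while carol's entry shows a failure from an IP inside the range, which means the policy is excluding a different location than the one you configured.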

Step 4: Enable the Policy

  1. In the Entra admin center, navigate to Protection > Conditional Access > Policies.
  2. Select the policy created in Step 2.
  3. Change Enable policy from Report-only to On.
  4. Click Save.

From this point forward, any GitHub Enterprise sign-in attempt from an IP address not included in your Named Location will be blocked. Entra ID will not issue a SAML assertion to GitHub, and the user will not be able to access organization resources.

Please Note: This policy blocks SAML-based authentication from untrusted IPs. For complete coverage, also configure GitHub's native IP allow list at the organization or enterprise level to block personal access tokens and other non-SSO access methods from untrusted IPs. This setting is available in GitHub under Organization Settings > Security > IP allow list.

Summary

The following summarizes the full configuration process:

  • Prerequisites: Confirm license, GitHub Enterprise SAML SSO configured, Security Defaults disabled, static IP(s) identified.
  • Step 1: Create a Named Location with your trusted IP address(es) in Entra ID.
  • Step 2: Create a CA policy targeting GitHub Enterprise Cloud, excluding the Named Location, with Block access.
  • Step 3: Validate in Report-only mode using sign-in logs and the What If tool.
  • Step 4: Switch Enable policy to On and configure GitHub's native IP allow list for full coverage.