Restrict Google Workspace Access to a Specific IP Address Using Conditional Access

6 min. read | last update: 04.20.2026

Overview

This article walks through restricting Google Workspace access to one or more approved IP addresses using Conditional Access in Microsoft Entra ID. This is commonly used to ensure that Google Workspace applications, including Gmail, Drive, Docs, Meet, and Calendar, can only be accessed from a corporate network, reducing the risk of unauthorized access or data exfiltration from personal devices on untrusted networks.

The approach uses two components working together: 

  • Named Locations: A saved list of trusted IP addresses or CIDR ranges defined in Entra ID.
  • Conditional Access policy: A policy that blocks Google Workspace sign-ins originating from any IP not on the trusted list.

Please Note: In Entra ID, Google Workspace access is managed through the Google Cloud / G Suite Connector by Microsoft enterprise application, the same app used for Google Cloud Platform (GCP) console access. If your organization uses both services under the same Google Cloud Identity or Workspace account, this policy will apply to both. If you need different IP restrictions for GCP and Google Workspace separately, refer to the GCP KB article for considerations on scoping policies by user group.

Important: Google Workspace super admins are exempt from third-party SSO by Google's design. They can always sign in directly with their Google credentials regardless of SSO configuration, meaning this Conditional Access policy will not apply to super admin accounts. Ensure super admin accounts are secured separately and their activity is monitored.

Prerequisites

Before proceeding, confirm the following are in place:

  • Microsoft Entra ID P1 or P2 license - required for Conditional Access.
  • Conditional Access Administrator role or higher in Microsoft Entra ID.
  • Google Cloud / G Suite Connector by Microsoft enterprise app registered in your Entra ID tenant with SAML SSO configured and a SAML SSO profile assigned to your users in the Google Admin Console.
  • SSO enforced in Google Admin Console - the SAML SSO profile must be assigned to the relevant organizational units or groups. Users not covered by an SSO profile can sign in directly with Google credentials, bypassing Entra ID.
  • Security Defaults disabled in Entra ID - Security Defaults and Conditional Access cannot run simultaneously.
  • Known static IP address - the public IP address or CIDR range of each approved location.
  • Break-glass admin account - must be excluded from this policy to prevent administrative lockout.

Important: If your approved IP address is dynamic, this approach will not work reliably. You must use a static IP before implementing IP-based Conditional Access.

Step 1: Create a Named Location for Your Trusted IP(s)

A Named Location defines the trusted IP addresses that Entra ID will reference as a condition in the policy.

  1. Sign in to the Microsoft Entra admin center at entra.microsoft.com
  2. Navigate to Protection > Conditional Access > Named locations.
  3. Select + IP ranges locations.
  4. Name the location. For example: Trusted - Corporate Office
  5. Check the Mark as trusted location checkbox.
  6. Click + and enter your approved IP address or CIDR range.

     Field/Setting     | Value/Notes
     Single IP address | 203.0.113.10/32
     IP range (CIDR)   | 203.0.113.0/24
     Multiple sites    | Create a separate Named Location for each site, then reference all of them in the policy.

  7. Click Create.

Step 2: Create the Conditional Access Policy

Create a policy that blocks Google Workspace access from any location not on your trusted list.

  1. In the Entra admin center, navigate to Protection > Conditional Access > Policies.
  2. Select + New policy.
  3. Name the policy. For example, Block Google Workspace - Outside Trusted IPs

Assignments: Users

  1. Under Assignments > Users, select All users.
  2. Under Exclude, add your break-glass admin account and any automation or service accounts that authenticate from dynamic IPs.

Assignments: Target Resources

  1. Under Target Resources, select Cloud apps > Select apps.
  2. Search for and select Google Cloud / G Suite Connector by Microsoft.

Please Note: This is the correct app for Google Workspace even though the name references G Suite and Google Cloud. It is the single Entra ID enterprise application that handles SAML authentication for all Google services including Gmail, Drive, Calendar, Meet, and the Google Cloud Console.

Conditions: Locations

  1. Under Conditions > Locations, set Configure to Yes.
  2. Under Include, select Any location.
  3. Under Exclude, select Selected locations, then choose the Named Location you created in Step 1.

Tip: This configuration reads: apply this policy to sign-ins from any location, except the trusted named location. Any Google Workspace sign-in originating outside the trusted IP will be blocked before Entra ID issues a SAML assertion to Google.

Access Controls: Grant

  1. Under Access Controls > Grant, select Block access.
  2. Click Select to confirm.

Enable Policy

  1. Set Enable policy to Report-only.
  2. Click Create.

Important: Do not set this policy to On immediately. A block policy applied to All users that is misconfigured will prevent all users from authenticating to Google Workspace. Always validate in Report-only mode first.

Step 3: Validate the Policy

Before enabling enforcement, confirm the policy is evaluating sign-ins correctly.

  1. In the Entra admin center, navigate to Identity > Monitoring & health > Sign-in logs.
  2. Filter by the Google Cloud / G Suite Connector by Microsoft application.
  3. Open a sign-in from a user on your trusted IP and confirm the Conditional Access tab shows Would succeed.
  4. If available, review a sign-in from an untrusted IP and confirm it shows Would fail with the location condition listed as the reason.
  5. Investigate any unexpected Would fail entries for users on trusted IPs - this typically indicates the office or VPN is presenting a different egress IP than what is entered in the Named Location.

Tip:  Use the What If tool under Protection > Conditional Access to simulate how a specific user signing in from a specific IP would be evaluated without waiting for a real sign-in event.
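One way to triage the Report-only results from Step 3 in bulk, as an added example that is not part of the original article. It assumes sign-in records exported in the Microsoft Graph signIn shape (userPrincipalName, ipAddress, appliedConditionalAccessPolicies) and treats the reportOnlyFailure result as "would be blocked"; the sample records and the min_users threshold are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

POLICY = "Block Google Workspace - Outside Trusted IPs"
TRUSTED = [ipaddress.ip_network(c) for c in ("203.0.113.0/24",)]

def rec(user, ip, result):
    """Build a sign-in record trimmed to the fields this check reads."""
    return {"userPrincipalName": user, "ipAddress": ip,
            "appliedConditionalAccessPolicies":
                [{"displayName": POLICY, "result": result}]}

# Constructed sample data, not real log entries.
SIGNINS = [
    rec("ana@example.com", "203.0.113.10", "reportOnlyNotApplied"),
    rec("ben@example.com", "198.51.100.7", "reportOnlyFailure"),
    rec("cy@example.com", "198.51.100.7", "reportOnlyFailure"),
    rec("eve@example.com", "192.0.2.44", "reportOnlyFailure"),
]

def would_block(signin, policy=POLICY):
    """True if the report-only policy would have blocked this sign-in."""
    return any(p["displayName"] == policy and p["result"] == "reportOnlyFailure"
               for p in signin.get("appliedConditionalAccessPolicies", []))

def review(signins, trusted=TRUSTED, min_users=2):
    """Group would-be blocks by source IP to expose unlisted egress IPs."""
    by_ip, trusted_but_blocked = defaultdict(set), []
    for s in signins:
        if not would_block(s):
            continue
        ip = ipaddress.ip_address(s["ipAddress"])
        if any(ip in net for net in trusted):
            # Listed IP still blocked: the Named Location is not excluded
            # in the policy, or the wrong location was selected.
            trusted_but_blocked.append(s["userPrincipalName"])
        else:
            by_ip[str(ip)].add(s["userPrincipalName"])
    # Several users behind one unlisted IP suggests an office or VPN egress
    # address missing from the Named Location; one user is likely remote.
    return {
        "likely_egress": {ip: sorted(u) for ip, u in by_ip.items()
                          if len(u) >= min_users},
        "single_user": {ip: sorted(u) for ip, u in by_ip.items()
                        if len(u) < min_users},
        "trusted_but_blocked": trusted_but_blocked,
    }
```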

Step 4: Enable the Policy

  1. In the Entra admin center, navigate to Protection > Conditional Access > Policies.
  2. Select the policy created in Step 2.
  3. Change Enable policy from Report-only to On.
  4. Click Save.

From this point forward, any Google Workspace sign-in attempt from an IP address not included in your Named Location will be blocked. Entra ID will not issue a SAML assertion to Google, and the user will be denied access to Google Workspace applications.

Please Note: Users who are already signed in to Google Workspace when the policy is enabled will not be immediately signed out. The block takes effect on the next sign-in or token refresh, typically within 1 hour. Super admin accounts are exempt from third-party SSO by Google's design and will not be affected by this policy regardless of IP address.

Summary

The following table summarizes the full configuration process.

Step          | Action
Prerequisites | Confirm license, Google Cloud / G Suite Connector SAML SSO configured, SSO profile assigned in Google Admin Console, Security Defaults disabled, static IP(s) identified
Step 1        | Create a Named Location with your trusted IP address(es) in Entra ID
Step 2        | Create a CA policy targeting Google Cloud / G Suite Connector by Microsoft, excluding the Named Location, with Block access
Step 3        | Validate in Report-only mode using sign-in logs and the What If tool
Step 4        | Switch Enable policy to On