Restrict Hudu Access to a Specific IP Address Using Conditional Access

6 min. read | Last update: 04.20.2026

Overview

This article walks through restricting Hudu access to one or more approved IP addresses. 
Hudu supports two complementary layers of IP-based access control, and for complete 
coverage, both should be configured. 

| Control Layer | What it Covers | Where to Configure |
|---|---|---|
| Entra ID Conditional Access | Blocks sign-in at the identity provider before a SAML token is issued. Covers all users authenticated via SSO. Does not cover admin accounts signing in via the Hudu admin login page. | Part A — create Named Location and CA policy in Entra ID. |
| Hudu Native IP Access Control | Blocks access to the entire Hudu instance by IP, independent of SSO. Covers all users, including those using password login and admins using the admin login page. | Part B — configure under Hudu Admin > Security > IP Access Control. |

Please Note: Hudu's SSO has an important admin exception: super-admin and admin users are always exempt from SSO enforcement by design. They can continue to sign in via the Hudu admin login page using a password. This means Entra ID Conditional Access alone does not fully cover admin accounts — Hudu's native IP Access Control is needed to restrict admin access by IP as well. For comprehensive IP restriction, configure both layers.

Prerequisites

Before proceeding, confirm the following are in place:

  • Microsoft Entra ID P1 or P2 license - required for Conditional Access.
  • Conditional Access Administrator role or higher in Microsoft Entra ID.
  • Hudu SAML/SSO configured with Entra ID — the non-gallery SAML enterprise app must exist in Entra ID and SAML/SSO must be enabled in Hudu under Admin > Security > SAML/SSO Configure.
  • Password access disabled for non-admins (recommended) — in Hudu under Admin > Security > SAML/SSO, enable Disable Password Access for non-admins. This forces all non-admin users through SSO, ensuring CA policies apply. Without this, non-admin users can still use password login and bypass Entra ID.
  • Security Defaults disabled in Entra ID - Security Defaults and Conditional Access cannot run simultaneously.
  • Known static IP address - the public IP address or CIDR range of each approved location.
  • Break-glass admin account - must be excluded from this policy to prevent administrative lockout.

Important: If your approved IP address is dynamic, this approach will not work 
reliably. You must use a static IP before implementing IP-based 
Conditional Access. 

Part A: Restrict Hudu SSO Access by IP Using Entra ID Conditional Access

This approach restricts sign-ins for users who authenticate through Entra ID SSO. It does 
not cover admin accounts, which bypass SSO by design.

Step 1: Create a Named Location

  1. Sign in to the Microsoft Entra admin center at entra.microsoft.com
  2. Navigate to Protection > Conditional Access > Named locations.
  3. Select + IP ranges locations.
  4. Name the location. For example: Trusted - Corporate Office
  5. Check the Mark as trusted location checkbox.
  6. Click + and enter your approved IP address or CIDR range.

| Field/Setting | Value/Notes |
|---|---|
| Single IP address | 203.0.113.10/32 |
| IP range (CIDR) | 203.0.113.0/24 |
| Multiple sites | Create a separate Named Location for each site, then reference all of them in the policy. |

  7. Click Create.

Step 2: Create the Conditional Access Policy

  1. In the Entra admin center, navigate to Protection > Conditional Access > Policies.
  2. Select + New policy.
  3. Name the policy. For example: Block Hudu - Outside Trusted IPs
  4. Under Assignments > Users, select All users. Under Exclude, add your break-glass admin account.
  5. Under Target Resources, select Cloud apps > Select apps, then search for and select your Hudu SAML enterprise application**.
  6. Under Conditions > Locations, set Configure to Yes. Set Include to Any Location and Exclude to your Named Location.
  7. Under Access Controls > Grant, select Block access.
  8. Set Enable policy to Report-only.
  9. Click Create.

** Hudu is not in the Microsoft Entra gallery and is configured as a non-gallery SAML application. Look for the app name you used when creating the enterprise application in Entra ID during SSO setup — typically named after your Hudu instance URL or a custom name you chose.

Step 3: Validate the Policy

Before enabling enforcement, confirm the policy is evaluating sign-ins correctly.

  1. In the Entra admin center, navigate to Identity > Monitoring & health > Sign-in logs.
  2. Filter by the Hudu application.
  3. Open a sign-in from a user on your trusted IP and confirm the Conditional Access tab shows Would succeed.
  4. If available, review a sign-in from an untrusted IP and confirm it shows Would fail with the location condition listed as the reason.
  5. Investigate any unexpected Would fail entries for users on trusted IPs — this typically indicates the office or VPN is presenting a different egress IP than what is entered in the Named Location.

Tip: Use the What If tool under Protection > Conditional Access to simulate how a specific user signing in from a specific IP would be evaluated without waiting for a real sign-in event.
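The review in Step 3 can also be done in bulk over exported sign-in records. The script below is an added example, not code from Hudu or Microsoft; it assumes records shaped like the Microsoft Graph signIn resource (ipAddress, userPrincipalName, appliedConditionalAccessPolicies with displayName and result), and the users, IPs and policy name in it are constructed.

```python
import ipaddress
from collections import defaultdict

POLICY_NAME = "Block Hudu - Outside Trusted IPs"  # set to your Step 2 policy name
NAMED_LOCATION = ["203.0.113.0/24"]               # ranges entered in Step 1

def _rec(user, ip, policy, result):
    """Build one constructed record in the assumed signIn shape."""
    return {"userPrincipalName": user, "ipAddress": ip,
            "appliedConditionalAccessPolicies": [
                {"displayName": policy, "result": result}]}

# Constructed sample data, not real sign-ins.
SAMPLE_SIGNINS = [
    _rec("alice@example.com", "203.0.113.10", POLICY_NAME, "reportOnlyNotApplied"),
    _rec("bob@example.com", "198.51.100.7", POLICY_NAME, "reportOnlyFailure"),
    _rec("carol@example.com", "198.51.100.7", POLICY_NAME, "reportOnlyFailure"),
    _rec("dave@example.com", "2001:db8::5", POLICY_NAME, "reportOnlyFailure"),
    _rec("erin@example.com", "192.0.2.44", "Some other policy", "reportOnlyFailure"),
]

def would_fail_by_ip(signins, policy_name, trusted_cidrs):
    """Group report-only failures of one policy by source IP.

    Each row lists the users seen from that IP and whether the IP falls
    inside the Named Location ranges. An IPv6 source never matches an
    IPv4 range, so IPv6 egress shows up here as outside the location.
    """
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = defaultdict(set)
    for rec in signins:
        for pol in rec.get("appliedConditionalAccessPolicies", []):
            # Only this policy's report-only failures matter; all else is ignored.
            if (pol.get("displayName") == policy_name
                    and pol.get("result") == "reportOnlyFailure"):
                hits[rec["ipAddress"]].add(rec["userPrincipalName"])
    report = []
    for ip, users in sorted(hits.items()):
        addr = ipaddress.ip_address(ip)
        report.append({"ip": ip, "users": sorted(users),
                       "in_named_location": any(addr in n for n in nets)})
    return report

if __name__ == "__main__":
    for row in would_fail_by_ip(SAMPLE_SIGNINS, POLICY_NAME, NAMED_LOCATION):
        print(row["ip"], row["in_named_location"], ", ".join(row["users"]))
```

Several known office users grouped under one unlisted IP usually point to an egress address missing from the Named Location.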

Step 4: Enable the Policy

  1. In the Entra admin center, navigate to Protection > Conditional Access > Policies.
  2. Select the policy created in Step 2.
  3. Change Enable policy from Report-only to On.
  4. Click Save.

Part B: Restrict Hudu Access by IP Using Hudu Native IP Access Control

Hudu's built-in IP Access Control applies to the entire Hudu instance — all users including admins, API access, and any users not going through SSO. This is the recommended companion to Part A and the only way to enforce IP restrictions on admin accounts.

  1. Sign in to your Hudu instance as a super-admin.
  2. Navigate to Admin > Security > IP Access Control.
  3. Add each approved IP address or CIDR range to the allowlist.
  4. Save the configuration.

Important: Once IP Access Control is enabled in Hudu, any IP address not on the allowlist will be blocked from accessing the instance entirely — including admin accounts, API scripts, and integrations. Confirm all required IPs are added before saving, including any addresses used by automation, the Hudu API, or external integrations. Adding an IP allowlist that omits your current IP will lock you out immediately.

Please Note: Hudu's IP Access Control applies to the entire instance. There is no per-user or per-group granularity for this feature. If some users need access from IPs outside your corporate range (such as remote workers or clients accessing the portal), plan accordingly before enabling this control.
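A draft allowlist can be checked against every source that must keep working before it is saved. The script below is an added example, not part of Hudu; the source labels, IP addresses and draft entries are constructed, and it runs offline without touching Hudu.

```python
import ipaddress

# Constructed planning data: every source that must keep reaching Hudu.
REQUIRED_SOURCES = {
    "admin workstation (current IP)": "203.0.113.10",
    "branch office egress": "198.51.100.20",
    "API automation host": "192.0.2.50",
}

# Constructed draft of the entries to be entered in IP Access Control.
DRAFT_ALLOWLIST = ["203.0.113.0/24", "198.51.100.20/32", "192.0.2.128/25"]

def review_allowlist(allowlist, required):
    """Return (locked_out, unused).

    locked_out: labels of required sources that no allowlist entry covers.
    unused:     allowlist entries that cover none of the listed sources.
    """
    nets = [ipaddress.ip_network(entry, strict=False) for entry in allowlist]
    locked_out = []
    used = set()
    for label, ip in required.items():
        addr = ipaddress.ip_address(ip)
        matches = [n for n in nets if addr in n]
        if matches:
            used.update(matches)
        else:
            locked_out.append(label)
    unused = [str(n) for n in nets if n not in used]
    return locked_out, unused

if __name__ == "__main__":
    locked_out, unused = review_allowlist(DRAFT_ALLOWLIST, REQUIRED_SOURCES)
    for label in locked_out:
        print("NOT COVERED, would be blocked:", label)
    for entry in unused:
        print("covers no listed source, confirm it is needed:", entry)
```

In the constructed data the automation host at 192.0.2.50 sits outside 192.0.2.128/25, so it is reported as not covered and that entry is reported as matching nothing.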

Summary

The following table summarizes the available options for restricting Hudu access by IP: 

| Option | Details |
|---|---|
| Entra ID CA policy (Part A) | Restricts SSO sign-ins by IP for non-admin users. Configure a Named Location and CA policy targeting the Hudu non-gallery SAML app. Does not cover admin accounts. |
| Hudu Native IP Access Control (Part B) | Restricts all access to the Hudu instance by IP, including admins and API access. Configure under Admin > Security > IP Access Control. Recommended for complete coverage. |
| Disable Password Access for non-admins | Optionally enforce SSO-only login for non-admin users in Hudu under Admin > Security > SAML/SSO. Ensures non-admins cannot bypass Entra ID CA policies using password login. |