Restrict Microsoft 365 Access to a Specific IP Address Using Conditional Access

3 min. read | last update: 04.16.2026

Access to Microsoft 365 is a key part of the day-to-day operations of many organizations. Unfortunately, the development of cybercriminal capabilities has rendered that role a potential vulnerability, with vital data held outside your immediate network.

Threat actors can steal credentials and turn these external access pathways against your organization, even when additional security measures like multi-factor authentication are in place. It’s important that access conditions are clearly defined and enforced with a granular Zero Trust approach.

This guide explains how you can do just that with ThreatLocker, restricting Microsoft 365 access so users can sign in only from a specific public IP address by creating a named location and enforcing it with a Conditional Access policy.

Prerequisites

Before you begin, ensure you have the following:

  • Microsoft Entra ID (Azure AD) Premium P1 or P2 license
  • Global Administrator or Conditional Access Administrator permissions
  • The public IP address you want to allow access from (example: 10.1.1.1)

Step 1: Create a named location

  1. Sign in to the Microsoft Entra Admin Center:
  2. Navigate to:
    • Protection → Conditional Access → Named locations
  3. Select + IP ranges location
  4. Configure the location:
    • Name: Allowed Office Location
    • IP ranges: 10.1.1.1
    • Check Mark as trusted location
      • This is optional but recommended
  5. Select Create

The named location will now represent the trusted IP address.

Step 2: Create a Conditional Access Policy

  1. In the Microsoft Entra Admin Center, go to:
    Protection → Conditional Access → Policies
  2. Select + New policy
  3. Enter a Policy Name:
    • Restrict Microsoft 365 Access to Approved IP

Step 3: Configure Users or Groups

  1. Navigate to Assignments → Users
  2. Select the users or groups that should be restricted.
    • Recommended options:
      • All users (recommended for full enforcement)
      • Specific user groups

Tip: Exclude at least one emergency admin account to avoid accidental lockout.

Step 4: Select target applications

  1. Under Assignments → Target resources
  2. Select All cloud apps

This ensures the policy applies to all Microsoft 365 services.

Step 5: Configure location conditions

  1. Under Conditions → Locations
  2. Set Configure to Yes
  3. Under Include
    • Select Any location
  4. Under Exclude
    • Select Selected locations
    • Choose the Named Location created earlier (Allowed Office Location)

This configuration means:

  • Any login not from the allowed IP will trigger the policy.

Step 6: Configure access controls

  1. Go to Access controls → Grant
  2. Select:
    • Block access
  3. Choose Select

This blocks sign-ins from any location that is not the trusted IP address.

Step 7: Enable the policy

  1. Under Enable policy, choose:
    • On (or Report-only for testing)
  2. Select Create
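
One way to verify the finished configuration against Steps 1 to 7 is to audit the policy and named location as JSON, as in this added example (not part of the original article, and not ThreatLocker or Microsoft code). It assumes the objects use the Microsoft Graph `conditionalAccessPolicy` and `ipNamedLocation` property names; `audit_ip_restriction`, the IDs and the 203.0.113.10 address are constructed for illustration.

```python
import ipaddress

# RFC 1918 space can never be the public egress address that Entra sees.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_ip_restriction(policy, location, break_glass_ids):
    """Return findings; an empty list means the pair matches Steps 1-7."""
    findings = []
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    locs = cond.get("locations") or {}
    # Step 1: each range must parse and must not be private address space.
    ranges = location.get("ipRanges") or []
    if not ranges:
        findings.append("named location has no IP ranges")
    for r in ranges:
        try:
            net = ipaddress.ip_network(r.get("cidrAddress", ""), strict=False)
        except ValueError:
            findings.append(f"unparseable range: {r.get('cidrAddress')}")
            continue
        if net.version == 4 and any(net.subnet_of(p) for p in RFC1918):
            findings.append(f"private range, not a public IP: {net}")
    # Step 3 tip: at least one emergency admin account must be excluded.
    if not set(break_glass_ids) & set(users.get("excludeUsers") or []):
        findings.append("no emergency admin account excluded")
    # Step 4: the policy targets all cloud apps.
    if "All" not in ((cond.get("applications") or {}).get("includeApplications") or []):
        findings.append("policy does not target all cloud apps")
    # Step 5: include Any location, exclude the named location.
    if "All" not in (locs.get("includeLocations") or []):
        findings.append("locations condition does not include Any location")
    if location.get("id") not in (locs.get("excludeLocations") or []):
        findings.append("named location is not excluded from the policy")
    # Step 6: Block access is the only grant control.
    if (policy.get("grantControls") or {}).get("builtInControls") != ["block"]:
        findings.append("grant control is not Block access")
    # Step 7: report-only evaluates sign-ins but blocks nothing.
    if policy.get("state") != "enabled":
        findings.append(f"policy not enforced (state={policy.get('state')})")
    return findings

# Constructed sample data: placeholder IDs and a documentation-range address.
LOCATION = {"id": "loc-0001", "isTrusted": True, "ipRanges": [{"cidrAddress": "203.0.113.10/32"}]}
POLICY = {"state": "enabledForReportingButNotEnforced",
          "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["bg-admin-01"]},
                         "applications": {"includeApplications": ["All"]},
                         "locations": {"includeLocations": ["All"], "excludeLocations": ["loc-0001"]}},
          "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
```

Calling `audit_ip_restriction(POLICY, LOCATION, ["bg-admin-01"])` on the sample reports only that the policy is still in Report-only mode; the other checks pass.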