Restrict Okta Access to a Specific IP Address Using Conditional Access

Overview

Restricting Okta access by IP address requires a different approach than the other applications in this KB series. Okta is an identity provider (IdP) — it authenticates users 
and issues access to other applications. It is not itself a SAML service provider that Entra ID 
controls. This means that for most Okta scenarios, Microsoft Entra ID Conditional Access 
does not apply, and IP restrictions must be configured natively within Okta.

The correct approach depends on what you are trying to restrict. Review the table below 
before proceeding.

Please Note:  This article covers both scenarios. Part A covers the most common case - restricting access to Okta and Okta-managed apps using Okta's native controls. Part B covers the less common case where Entra ID is the primary IdP and Okta is used as a secondary authenticator, which is the only scenairo where an Entra ID Conditional Access policy applies.

Part A: Restrict Okta Access by IP Using Okta Native Controls

When Okta is your primary identity provider, IP-based access restrictions are configured inside the Okta Admin Console using two features: Network Zones and Policies.

Step 1: Create a Network Zone in Okta

A Network Zone in Okta is the equivalent of a Named Location in Entra ID - a saved definition of trusted IP addresses that policies can reference.

1. Sign in to the Okta Admin Console at your-org.okta.com/admin.
2. Navigate to Security >  Networks.
3. Select Add Zone >  IP Zone.
4. Name the zone. For example: Corporate Office
5. Under Gateway IPs, enter your approved IP address or CIDR range. Examples:

6.  Click Save.

Step 2: Restrict Okta Admin Console Access by IP

To restrict which IPs can access the Okta Admin Console, configure the Admin Console App policy.

1. In the Okta Admin Console, navigate to Security > Authentication Policies.
2. Select the Okta Admin Console policy.
3. Select Add Rule (or edit the default rule).
4. Under Conditions, set Device state to Any and set Network to Not in Zone.
5. Select your Network Zone from Step 1.
6. Under Actions, set Access to Denied.
7. Save the rule and ensure it is ordered above the default allow rule.

Tip: Okta evaluates policy rules in order from top to bottom. Place the deny rule above the default rule so it is evaluated first. The default rule at the bottom acts as a falback.

Step 3: Restrict Okta End-User Dashboard and App Access by IP

To restrict sign-in to the Okta end-user dashboard and any apps managed through Okta SSO, configure the Global Session Policy and individual App Sign-On Policies.

1. In the Okta Admin Console, navigate to Security > Global Session Policy.
2. Add a rule that denies access when the user is Not in Zone, selecting your network zone.
3. For individual app restrictions, navigate to Applications > select the app > Sign On > Add Rule.
4. Set Location to Not in Zone, select your network zone, and set Access to Denied.

Please Note: Global Session Policy control whether a user can establish an Okta session at all. App Sign-On Policies control acess to indvidual apps within an existing session, For full IP enforcement, configure both.

Part B: Restrict Okta Access by IP Using Entra ID Conditional Access

This scenario applies only when Microsoft Entra ID is configured as the primary identity provider, and Okta is used as an External Authentication Method (EAM) - meaning Entra ID handles authentication and calls out to Okta for MFA or additional verification. In this configuration, Entra ID issues the authentication token, and CA policies apply.

Please Note:  If you are unsure which scenario applies to your environment, check whether users sign in first to Okta or first to Microsoft. If users sign in to Microsoft first and Okta is use for MFA only, Part B applies. If users sign in to Okta first for all apps, Part A applies.

Prerequisites for Part B

Before proceeding, confirm the following are in place:

• Microsoft Entra ID P1 or P2 license - required for Conditional Access.
• Conditional Access Administrator role or higher in Microsoft Entra ID.
• Okta configured as an External Authentication Method in Entra ID - not as the primary identity provider.
• Security Defaults Disabled in Entra ID - Security Defaults and Conditional Access cannot run simultaneously.
• Known static IP address -  the public IP address or CIDR range of each approved location.
• Break-glass admin account -  must be excluded from this policy to prevent administrative lockout.

Step 1: Create a Named Location in Entra ID

A Named Location defines the trusted IP addresses that Entra ID will reference as a condition in the policy.

1. Sign in to the Microsoft Entra admin center at entra.microsoft.com
2. Navigate to Protection > Conditional Access > Named locations.
3. Select + IP ranges locations.
4. Name the location. For example: Trusted - Corporate Office
5. Check the Mark as trusted location checkbox.
6. Click + and enter your approved IP address or CIDR range. 

7.  Click Create.

Step 2: Create the Conditional Access Policy

1. In the Entra admin center, navigate to Protection > Conditional Access > Policies.
2. Select + New policy.
3. Name the policy. For example, Block Okta EAM - Outside Trusted IPs
4. Under Assignments > Users, select All users.
5. Under Exclude, add your break-glass admin account.
6. Under Target Resources, select Cloud apps > Select apps.
7. Search for and select the app that triggers Okta EAM authentication in your environment.
8. Under Conditions > Locations, set Configure to Yes.
9. Under Include, select Any location.
10. Under Exclude, select Selected locations, then choose your Named Location.
11. Under Access Controls > Grant, select Block access.
12. Set Enable policy to Report-only.
13. Click Create.

Important: Validate thoroughly in Report-only mode before enabling. Use sign-in logs and the What If tool to confirm the policy evaluates correctly for both trusted and untrusted IPs before switching to On.

Summary

The following table summarizes the full configuration process.