Restrict QuickBooks Online Access to a Specific IP Address Using Conditional Access

Overview

QuickBooks Online (QBO) does not support SAML 2.0 or OIDC-based single sign-on with 
external identity providers such as Microsoft Entra ID. This is a platform limitation set by 
Intuit, the developer of QuickBooks Online, and it means that the Conditional Access approach used for every other application in the KB series cannot be directly applied to QuickBooks Online.

Users must authenticate to QuickBooks Online using one of the following methods, none of which are controlled by Entra ID:

• Intuit account credentials (email and password)
• Sign in with Google (via Google OAuth)

Important: Because QuickBooks Online does not route authentication through 
Entra ID, Microsoft Entra ID Conditional Access policies cannot enforce IP restrictions, MFA requirements, or device compliance for QuickBooks Online sign-ins. This is a QuickBooks Online platform limitation, not a configuration gap. No workaround exists that achieves true SAML SSO with Entra ID as the identity provider for QuickBooks Online at this time.

This article explains the available options for managing access controls and IP restrictions within QuickBooks Online's current capabilities.

What Is Available for Access Control

While full Entra ID Conditional Access integration is not possible, the following options are available for organizations that need to control access to QuickBooks Online.

Option 1: QuickBooks Online Advanced - Invite-Based User Management

QuickBooks Online Advanced (the highest-tier plan) offers enhanced user management 
controls, including the ability to restrict who can be invited to the account and manage user roles. While this does not provide IP=based restrictions, it does allow tighter control over which accounts have access.

• Limit user access by role (e.g., read-only vs. full access)
• Remove users promptly through Admin > Manage Users to prevent access from former employees.
• Enable two-step verification for all users under Security settings.

Option 2: Network-Level IP Restriction (Firewall / DNS Filtering)

For organizations that need to restrict QuickBooks Online to specific networks, IP-based 
access controls can be enforced at the network layer rather than the identity layer. This approach blocks access to QuickBooks Only URLs from devices outside approved networks using a firewall, proxy, or DNS filtering solution.

The primary QuickBooks Online domain to restrict is: app.qbo.intuit.com

Please Note:  Network-level restrictions apply to all traffic from the network, not to specific users. A user working from a location outside the restricted network (such as working from home) would not be subject to the restriction. This approach is most effective for organizations that require users to access QuickBooks Online only from managed office networks.

Option 3: Password Vaulting via Okta or Similar IdP (SWA)

Some identity providers, including Okta, support Secure Web Authentication (SWA) for applications that do not support SAML.  SWA stores and injects the user's QuickBooks Online username and password, providing a single sign-on experience through the IdP portal without requiring SAML support from the application.

• Users access QuickBooks Online through the Okta or similar IdP dashboard.
• The IdP handles credential injection- users do not need to remember or manage their QBO password directly.
• IP restrictions and MFA can be enforced at the IdP level, covering the login to the IdP itself.

Please Note: SWA is not true SAML SSO. It is password vaulting — the user's Intuit 
credentials are still used to authenticate to QBO, they are simply managed 
and injected by the IdP. This means Entra ID Conditional Access still cannot 
enforce policies directly against the QBO authentication event. SWA through a third-party IdP like Okta would need to be evaluated separately.

Options Summary

The following table summarizes the available access control options for QuickBooks Online.