Company logoHelp Center
Visit www.threatlocker.com

Restrict Snowflake Access to a Specific IP Address Using Conditional Access

6 min. readlast update: 04.22.2026

Overview

This article walks through restricting Snowflake access to one or more approved IP 
addresses using Conditional Access in Microsoft Entra ID. When Entra ID is configured as 
the identity provider for Snowflake via SAML SSO, Conditional Access policies are 
evaluated at sign-in time — blocking access from any IP not on your approved list before a SAML assertion is issued to Snowflake.

The approach uses two components working together: 

  • Named Locations:  A saved list of trusted IP addresses or CIDR ranges defined in 
    Entra ID. 
  • Conditional Access policy:  A policy that blocks Snowflake sign-ins originating from 
    any IP not on the trusted list. 

Two Complementary Layers of IP Control

Snowflake is unique in this KB series in that it has its own powerful native IP restriction mechanism, Snowflake Network Policies, that operates independently of Entra ID. For full coverage, both layers should be considered.

Control Layer What it Restricts How to Configure
Entra ID Conditional Access  Blocks sign-in at the identity provider level before a SAML assertion is issued to Snowflake. Applies to web browser and SnowSQL logins via SSO. Covered in this article.
Snowflake Network Policy Blocks connections at the Snowflake account or user level, including JDBC/ODBC drivers, SnowSQL, with key-pair auth, and any connection that bypasses SSO. Configure under Snowflake using CREATE/ALTER NETWORK POLICY. Recommended as a complementary control.

Important: Entra ID Conditional Access only covers sign-ins that go through the SSO flow. Snowflake connectsion made via JDBC/ODBC drivers, SnowSQL, with key-pair authentication, or any method that does not use SAML SSO will bypass Entra ID entirely. For comprehensive IP restriction, especially in data engineering and pipeline environments, configuring a Snowflake Network Policy in addition to this Conditional Access policy is strongly recommended.

Prerequisites

Before proceeding, confirm the following are in place:

  • Microsoft Entra ID P1 or P2 license - required for Conditional Access.
  • Conditional Access Administrator role or higher in Microsoft Entra ID.
  • Snowflake enterprise app (SAML SSO) registered in your Entra ID tenant with a SAML2 Security Integration configured in Snowflake using the CREATE SECURITY INTEGRATION command.
  • Local Snowflake credentials disabled (recommended) — once SSO is validated, remove Snowflake passwords from user accounts using the ALTER USER command. If users retain passwords, they can bypass Entra ID and sign in directly.
  • Security Defaults Disabled in Entra ID - Security Defaults and Conditional Access cannot run simultaneously.
  • Known static IP address -  the public IP address or CIDR range of each approved location.
  • Break-glass admin account -  must be excluded from this policy to prevent administrative lockout.

Please Note:  To remove passwords from Snowflake user accounts after SSO is confirmed working, run the following command for each user as ACCOUNTADMIN:

ALTER USER <username> SET PASSWORD = NULL;

 

Important:  If your approved IP address is dynamic, this approach will not work 
reliably. You must use a static IP before implementing IP-based 
Conditional Access. 

Step 1: Create a Named Location for Your Trusted IP(s)

A Named Location defines the trusted IP addresses that Entra ID will reference as a condition in the policy.

  1. Sign in to the Microsoft Entra admin center at entra.microsoft.com
  2. Navigate to Protection > Conditional Access > Named locations.
  3. Select + IP ranges locations.
  4. Name the location. For example: Trusted - Corporate Office
  5. Check the Mark as trusted location checkbox.
  6. Click + and enter your approved IP address or CIDR range. 
Field/Setting Value/Notes
Single IP address 203.0.113.10/32
IP range (CIDR) 203.0.113.0/24
Multiple sites Create a separate Named Location for each site, then reference all of them in the policy.

7.  Click Create.

Step 2: Create the Conditional Access Policy

Create a policy that blocks Dropbox access from any location not on your trusted list.

  1. In the Entra admin center, navigate to Protection > Conditional Access > Policies.
  2. Select + New policy.
  3. Name the policy. For example, Block Snowflake - Outside Trusted IPs

Assignments: Users

  1. Under Assignments > Users, select All users.
  2. Under Exclude, add your break-glass admin account and any automation or service accounts that authenticate from dynamic IPs.

Please Note:  Snowflake service accounts used for data pipelines, ETL, tools, dbt, or BI connectors that authenticate via key-pair or password rather than SSO will not be affected by this policy. Those connections bypass Entra ID and should be controlled using a Snowflake Network Policy instead.

Assignments: Target Resources

  1. Under Target Resources, select Cloud apps > Select apps.
  2. Search for and select Snowflake.

Conditions: Locations

  1. Under Conditions > Locations, set Configure to Yes.
  2. Under Include, select Any location.
  3. Under Exclude, select Selected locations, then choose the Named Location you created in Step 1.

Tip: This configuration reads: Apply this policy to sign-ins from any location except the trusted named location. Any Snowflake sign-in originating outside the trusted IP will be blocked before a SAML assertion is issued to Snowflake.

Access Controls: Grant

  1. Under Access Controls > Grant, select Block access.
  2. Click Select to confirm.

Enable Policy

  1. Set Enable policy to Report-only.
  2. Click Create.

Important: Do not set this policy to On immediately. Always validate in Report-only mode first.

Step 3: Validate the Policy

Before enabling enforcement, confirm the policy is evaluating sign-ins correctly.

1. In the Entra admin center, navigate to Identity > Monitoring & health > Sign-in logs. 
2. Filter by the Snowflake application. 
3. Open a sign-in from a user on your trusted IP and confirm the Conditional Access 
tab shows Would succeed. 
4. If available, review a sign-in from an untrusted IP and confirm it shows Would fail 
with the location condition listed as the reason. 
5. Investigate any unexpected Would fail entries for users on trusted IPs — this 
typically indicates the office or VPN is presenting a different egress IP than what is 
entered in the Named Location.

Tip:  Use the What If tool under Protection > Conditional Access to simulate how a specific user signing in from a specific IP would be evaluated without waiting for a real sign-in event.

Step 4: Enable the Policy

  1. In the Entra admin center, navigate to Protection > Conditional Access > Policies.
  2. Select the policy created in Step 2.
  3. Change Enable policy from Report-only to On.
  4. Click Save.

From this point forward, any Snowflake sign-in attempt from an IP address not included in your Named Location will be blocked. Entra ID will not issue a SAML assertion to Snowflake, and the user will be denied access at the identity provider level.

Please Note: Users who are already signed in to Snowflake when the policy is enabled will not be immediately signed out. The block takes effect on the next sign-in or token refresh. For complete IP enforcement across all connection methods including JDBC, ODBC, and programmatic access, configure a Snowflake Network Policy in addition to this Conditional Access policy.

Summary

The following table summarizes the full configuration process.

Step Action
Prerequisites Confirm license, SAML2 Security Integration configured in Snowflake, local passwords removed via ALTER USER, Security Defaults disabled, static IP(s) identified 
Step 1 Create a Named Location with your trusted IP address(es) in Entra 
ID 
Step 2 Create a CA policy targeting Snowflake, excluding the Named Location, with Block access
Step 3 Validate in Report-only mode using sign-in logs and the What If 
tool
Step 4 Switch Enable policy to On - also configure a Snowflake Network Policy for full coverage
Was this article helpful?