Overview
This article walks through restricting Syncro access to one or more approved IP addresses using Conditional Access in Microsoft Entra ID. Syncro supports SSO using OpenID Connect (OIDC) with Entra ID as the identity provider. When SSO is enabled and enforced, Conditional Access policies in Entra ID are evaluated at sign-in time — blocking access from any IP not on your approved list before Entra ID issues an identity token to Syncro.
The approach uses two components working together:
- Named Locations: A saved list of trusted IP addresses or CIDR ranges defined in Entra ID.
- Conditional Access policy: A policy that blocks Syncro sign-ins originating from any IP not on the trusted list.
Please Note: Syncro uses OIDC for SSO rather than SAML. From a Conditional Access perspective this makes no practical difference — Entra ID evaluates CA policies for OIDC-based authentication the same way it does for SAML. The Syncro app registered in your Entra ID tenant will appear as the target resource in the CA policy.
Important: If your organization also uses Syncro's Microsoft CSP integration with a dedicated Syncro Service Account, that account requires its own separate Conditional Access policy with specific requirements. This is covered in Part B of this article.
Prerequisites
Before proceeding, confirm the following are in place:
- Microsoft Entra ID P1 or P2 license - required for Conditional Access.
- Conditional Access Administrator role or higher in Microsoft Entra ID.
- Syncro SSO configured with Entra ID — the OIDC app registration must exist in Entra ID and SSO must be enabled in Syncro under Admin > Syncro Administration > Login Settings.
- SSO enabled (account-wide) in Syncro — Syncro's SSO is an all-or-nothing account-wide setting. Once enabled, all active Syncro user accounts are authenticated through Entra ID. If SSO is not enabled, Entra ID is not in the authentication path and CA policies will not apply.
- Security Defaults Disabled in Entra ID - Security Defaults and Conditional Access cannot run simultaneously.
- Known static IP address - the public IP address or CIDR range of each approved location.
- Break-glass admin account - must be excluded from this policy to prevent administrative lockout.
Important: If your approved IP address is dynamic, this approach will not work reliably. You must use a static IP before implementing IP-based Conditional Access.
Part A: Restrict Syncro Technician Access by IP
Step 1: Create a Named Location for Your Trusted IP(s)
A Named Location defines the trusted IP addresses that Entra ID will reference as a condition in the policy.
- Sign in to the Microsoft Entra admin center at entra.microsoft.com
- Navigate to Protection > Conditional Access > Named locations.
- Select + IP ranges locations.
- Name the location. For example: Trusted - Corporate Office
- Check the Mark as trusted location checkbox.
- Click + and enter your approved IP address or CIDR range.
| Field/Setting | Value/Notes |
|---|---|
| Single IP address | 203.0.113.10/32 |
| IP range (CIDR) | 203.0.113.0/24 |
| Multiple sites | Create a separate Named Location for each site, then reference all of them in the policy. |
- Click Create.
Step 2: Create the Conditional Access Policy
Create a policy that blocks Syncro access from any location not on your trusted list.
- In the Entra admin center, navigate to Protection > Conditional Access > Policies.
- Select + New policy.
- Name the policy. For example, Block Syncro - Outside Trusted IPs
Assignments: Users
- Under Assignments > Users, select All users.
- Under Exclude, add your break-glass admin account and any automation or service accounts that authenticate from dynamic IPs.
Assignments: Target Resources
- Under Target Resources, select Cloud apps > Select apps.
- Search for and select the Syncro OIDC application.
Conditions: Locations
- Under Conditions > Locations, set Configure to Yes.
- Under Include, select Any location.
- Under Exclude, select Selected locations, then choose the Named Location you created in Step 1.
Access Controls: Grant
- Under Access Controls > Grant, select Block access.
- Click Select to confirm.
Enable Policy
- Set Enable policy to Report-only.
- Click Create.
Important: If you cannot locate the Syncro app by name in the cloud apps selector, look for the name used during OIDC app registration in your Entra ID tenant. This is typically the name you entered when creating the App Registration for Syncro. You can also check Entra ID > App Registrations to confirm the app name.
Step 3: Validate the Policy
Before enabling enforcement, confirm the policy is evaluating sign-ins correctly.
1. In the Entra admin center, navigate to Identity > Monitoring & health > Sign-in logs.
2. Filter by the Syncro application.
3. Open a sign-in from a user on your trusted IP and confirm the Conditional Access tab shows Would succeed.
4. If available, review a sign-in from an untrusted IP and confirm it shows Would fail with the location condition listed as the reason.
5. Investigate any unexpected Would fail entries for users on trusted IPs — this typically indicates the office or VPN is presenting a different egress IP than what is entered in the Named Location.
Tip: Use the What If tool under Protection > Conditional Access to simulate how a specific user signing in from a specific IP would be evaluated without waiting for a real sign-in event.
Step 4: Enable the Policy
- In the Entra admin center, navigate to Protection > Conditional Access > Policies.
- Select the policy created in Step 2.
- Change Enable policy from Report-only to On.
- Click Save.
Please Note: Syncro's SSO is account-wide — there is no per-user SSO bypass option. Once SSO is enabled, all active Syncro user accounts must authenticate through Entra ID. Users who are already signed in when the policy is enabled will be affected on their next session or token refresh. Confirm SSO is enabled in Syncro under Admin > Login Settings before enabling enforcement.
Part B: Conditional Access Policy for the Syncro Service Account
If your organization uses Syncro's Microsoft CSP integration, a dedicated Syncro Service Account is required in your Entra ID tenant for Syncro to access customer Microsoft 365 tenants via GDAP. This account requires its own Conditional Access policy.
Important: Syncro's own documentation specifies that the service account's CA policy must enforce MFA on every sign-in. The Syncro Service Account authenticates from Syncro's cloud infrastructure, not from your office IP. Do not add your Named Location as a trusted exclusion to this policy. This account must always complete MFA regardless of source IP.
- In the Entra admin center, navigate to Protection > Conditional Access > Policies and select + New policy.
- Name the policy. For example: Syncro Service Account MFA Policy
- Under Assignments > Users, include only the Syncro Service Account user.
- Under Target Resources, select All cloud apps.
- Under Access Controls > Grant, select Grant access and require Azure Multi-Factor Authentication.
- Under Access Controls > Session, check Sign-in frequency and set it to Every time.
- Do not add any location conditions or Named Location exclusions.
- Toggle Enable policy to On and click Create.
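The same configuration can be scripted with the Microsoft Graph PowerShell SDK. The block below is an added example, not code from Syncro or Microsoft: it creates the Part A Named Location and report-only block policy, then the Part B service-account MFA policy. The CIDR, the Syncro app client ID and the user object IDs are placeholders you must replace with values from your own tenant.

```powershell
# Added example (not Syncro's or Microsoft's own code). Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# --- Part A, Step 1: trusted Named Location (CIDR is a placeholder) ---
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Trusted - Corporate Office'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.10/32' }
    )
}

# Placeholders: take these from App registrations and the Users blade in your tenant
$syncroAppId      = '<SYNCRO-OIDC-APP-CLIENT-ID>'
$breakGlassUserId = '<BREAK-GLASS-USER-OBJECT-ID>'
$serviceAccountId = '<SYNCRO-SERVICE-ACCOUNT-OBJECT-ID>'

# --- Part A, Step 2: block Syncro sign-ins from any location except the trusted one ---
# Created in Report-only state so it can be validated in the sign-in logs (Step 3)
# before the state is switched to 'enabled' (Step 4).
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Block Syncro - Outside Trusted IPs'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlassUserId) }
        applications = @{ includeApplications = @($syncroAppId) }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# --- Part B: service account must complete MFA on every sign-in, no location conditions ---
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Syncro Service Account MFA Policy'
    state       = 'enabled'
    conditions  = @{
        users        = @{ includeUsers = @($serviceAccountId) }
        applications = @{ includeApplications = @('All') }
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = 'everyTime'
            authenticationType = 'primaryAndSecondaryAuthentication'
        }
    }
}
```

Run it from an account holding the Conditional Access Administrator role; the Part A policy stays in Report-only until you update its state after validating the sign-in logs.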
Summary
The following table summarizes the full configuration process.
| Step | Action |
|---|---|
| Prerequisites | Confirm license, Syncro OIDC SSO configured, SSO enabled account-wide in Syncro, Security Defaults disabled, static IP(s) identified |
| Part A - Step 1 | Create a Named Location with your trusted IP address(es) in Entra ID |
| Part A - Step 2 | Create a CA policy targeting the Syncro OIDC application, excluding the Named Location, with Block access |
| Part A - Step 3 | Validate in Report-only mode and then switch to On. |
| Part B | Create a separate CA policy for the Syncro Service Account enforcing MFA on every sign-in — no location exclusions |