Restrict ThreatLocker Portal Access to a Specific IP Address

5 min. read | last update: 04.20.2026

Overview 


Restricting ThreatLocker portal access by IP address is handled differently from every 
other application in this KB series. The ThreatLocker portal has native IP restriction 
controls built directly into its Login Settings — no Microsoft Entra ID Conditional Access 
policy is required or recommended for this purpose. 


There are two important reasons the Entra ID Conditional Access approach does not apply 
here:

  • ThreatLocker does not recommend using O365 SSO for portal access. 
    ThreatLocker's own documentation explicitly advises against enabling SSO for 
    ThreatLocker administrator accounts. Without SSO enabled, Entra ID is not in the 
    authentication path and Conditional Access policies cannot apply.
  • ThreatLocker's native Login Settings provide direct, purpose-built IP 
    restriction. The portal supports both individual IPv4 addresses and CIDR ranges 
    natively, configured through the portal's own Login Settings panel — no external 
    tooling required.

Please Note: This article covers the native ThreatLocker portal IP restriction approach, which is the correct and recommended method. If your organization has enabled O365 SSO for ThreatLocker portal accounts against ThreatLocker's 
recommendation, see Part B of this article for considerations on layering 
Entra ID Conditional Access alongside the native controls. 

 

Part A: Restrict Portal Access Using ThreatLocker Login Settings

ThreatLocker's Login Settings panel provides direct IP address restriction for all 
administrator accounts in your organization. This is the recommended approach for 
restricting portal access by IP.

Step 1: Access Login Settings 

  1. Sign in to the ThreatLocker portal at portal.threatlocker.com.
  2. Navigate to the Administrators page from the left sidebar.
  3. Select Additional Options, then choose Login Settings. Login Settings can also 
    be accessed from the Login Attempts pane within the Health Center.
  4. The Login Settings panel will open, showing organization-wide controls for 
    authentication and access.

Step 2: Configure IP Address Restrictions

  1. In the Login Settings panel, locate the IP Address Restrictions section. 
  2. Select Allow Selected to create an allowlist of approved IP addresses.
  3. Enter each approved IP address or CIDR range. Both individual IPv4 addresses and 
    CIDR notation are supported. Examples:
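
    | Field/Setting     | Value/Notes                                          |
    |-------------------|------------------------------------------------------|
    | Single IP address | 203.0.113.10                                         |
    | IP range (CIDR)   | 203.0.113.0/24                                       |
    | Multiple entries  | Add each IP or range as a separate entry in the list |

  4. Click Save to apply the restriction.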

Important: When Allow Selected is active, any IP address not on the list will be 
blocked from accessing the portal. Confirm your current IP address is 
included before saving, or you may lock yourself out of the portal. If you 
need to recover access, contact ThreatLocker support.
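
A pre-save check for the lock-out risk described above, as an added example that is not ThreatLocker code or part of the portal. It validates the entries you plan to enter under Allow Selected and confirms every administrator egress IP is covered. The function name, the 256-address review threshold, and the sample values are assumptions constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges: a hosted portal sees your public egress IP, not these.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_allowlist(entries, admin_ips, max_addresses=256):
    """Return (problems, uncovered_admin_ips) for a planned allowlist.

    max_addresses is a hypothetical review threshold, not a portal limit.
    """
    networks, problems = [], []
    for raw in entries:
        entry = raw.strip()
        try:
            # strict=True rejects CIDRs with host bits set (203.0.113.10/24)
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            problems.append(f"{entry}: not a valid address or CIDR ({exc})")
            continue
        if net.version != 4:
            problems.append(f"{entry}: article lists IPv4 and CIDR only")
            continue
        if any(net.overlaps(r) for r in RFC1918):
            problems.append(f"{entry}: private range, use the public egress IP")
        if net.num_addresses > max_addresses:
            problems.append(f"{entry}: {net.num_addresses} addresses, review scope")
        networks.append(net)  # still a usable entry, warnings or not
    uncovered = [ip for ip in admin_ips
                 if not any(ipaddress.ip_address(ip) in n for n in networks)]
    return problems, uncovered

# Constructed sample input (documentation ranges, not real infrastructure).
SAMPLE_ENTRIES = ["203.0.113.10", "203.0.113.0/24", "203.0.113.10/24",
                  "2001:db8::1", "192.168.1.0/24", "198.51.0.0/16"]
SAMPLE_ADMIN_IPS = ["203.0.113.10", "198.51.100.7", "192.0.2.44"]

if __name__ == "__main__":
    problems, uncovered = check_allowlist(SAMPLE_ENTRIES, SAMPLE_ADMIN_IPS)
    for p in problems:
        print("REVIEW:", p)
    for ip in uncovered:
        print("LOCK-OUT RISK: admin IP not covered:", ip)
```

Run it with the public IP each administrator actually egresses from; an address listed under LOCK-OUT RISK would be blocked once Allow Selected is saved.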

 

Please Note: IP Address Restrictions and Country Restrictions work together in the portal. If you choose Allow Selected for IP addresses within a country and 
also allow the entire country via Country Restrictions, the entire country 
will be allowed regardless of the IP allowlist. Configure both settings 
intentionally to avoid unintended bypass. 

Step 3: Validate the Restriction

  1. From a browser on an IP address included in your allowlist, confirm that portal 
    login continues to work normally.
  2. If possible, test from an IP outside the allowlist and confirm that access is denied.
  3. Review the Login Attempts section of the Health Center to monitor blocked and 
    allowed sign-in attempts.

Part B: Layering Entra ID Conditional Access (If SSO Is Enabled)

If your organization has enabled O365 SSO for ThreatLocker portal accounts, Entra ID is in 
the authentication path and Conditional Access policies can provide an additional layer of 
IP enforcement at the identity provider level.

Important: ThreatLocker does not recommend using O365 SSO for ThreatLocker administrator accounts. If SSO is enabled in your environment, ThreatLocker's native Login Settings IP restrictions should still be configured as the primary control. Entra ID Conditional Access provides a complementary layer, not a replacement.

If SSO is enabled and you wish to add an Entra ID Conditional Access IP restriction, follow the standard Named Location and Conditional Access policy steps: 

1. In the Microsoft Entra admin center, navigate to Protection > Conditional Access > Named locations and create a Named Location with your trusted IP addresses. 
2. Create a new Conditional Access policy targeting the ThreatLocker application in Entra ID. 
3. Configure Conditions > Locations with Include: Any location and Exclude: your 
Named Location. 
4. Set Access Controls > Grant to Block access. 
5. Set Enable policy to Report-only, validate in sign-in logs, then switch to On.

Please Note: If ThreatLocker is not pre-registered in the Entra ID gallery, it may need to be added as a custom SAML application. Refer to ThreatLocker's SSO 
configuration documentation for the specific SAML values required. Verify 
with ThreatLocker support that SSO is configured and active for your 
organization before creating a Conditional Access policy targeting it.  

Summary

The following table summarizes the available options for restricting ThreatLocker portal 
access by IP: 

| Option | Details |
|--------|---------|
| Native Login Settings (recommended) | Configure IP Address Restrictions directly in the ThreatLocker portal under Login Settings. Supports IPv4 and CIDR notation. No Entra ID required. This is the recommended approach for all organizations. |
| Entra ID Conditional Access (supplementary) | Only applicable if O365 SSO is enabled for ThreatLocker portal accounts. Follow the standard Named Location and CA policy steps targeting the ThreatLocker app in Entra ID. Use alongside native controls, not instead of them. |