Overview
This article walks through restricting Workday access to one or more approved IP
addresses using Conditional Access in Microsoft Entra ID. When Entra ID is configured as
the identity provider for Workday via SAML SSO, Conditional Access policies are evaluated
at sign-in time — blocking access from any IP not on your approved list before a SAML
assertion is issued to Workday.
The approach uses two components working together:
- Named Locations: a saved list of trusted IP addresses or CIDR ranges defined in Entra ID.
- Conditional Access policy: a policy that blocks Workday sign-ins originating from any IP not on the trusted list.
Please Note: Workday also includes its own native Authentication Policy and IP range controls, configurable through the Maintain IP Ranges and Manage
Authentication Policies tasks in Workday. These can be used alongside Entra
ID Conditional Access as complementary layers. This article covers the Entra
ID approach, which enforces restrictions at the identity provider level
before authentication reaches Workday.
Important: Workday SSO is configured inside Workday through Edit Tenant Setup – Security, not through an automated exchange. This requires a
Workday administrator with the appropriate security role to import
the Federation Metadata XML from Entra ID and activate the identity
provider. Confirm SSO is correctly configured and tested before
implementing access restrictions. An incorrect SSO configuration can
lock all users out of Workday.
Prerequisites
Before proceeding, confirm the following are in place:
- Microsoft Entra ID P1 or P2 license - required for Conditional Access.
- Conditional Access Administrator role or higher in Microsoft Entra ID.
- Workday enterprise app (SAML SSO) registered in your Entra ID tenant with the identity provider imported in Workday under Edit Tenant Setup – Security and set to Active.
- Local Workday credentials disabled (recommended) — once SSO is validated, disable username/password login for users in Workday's authentication policy. If local logins remain enabled, users can bypass Entra ID and the Conditional Access policy.
- Security Defaults disabled in Entra ID - Security Defaults and Conditional Access cannot run simultaneously.
- Known static IP address - the public IP address or CIDR range of each approved location.
- Break-glass admin account - must be excluded from this policy to prevent administrative lockout.
Important: If your approved IP address is dynamic, this approach will not work
reliably. You must use a static IP before implementing IP-based
Conditional Access.
Step 1: Create a Named Location for Your Trusted IP(s)
A Named Location defines the trusted IP addresses that Entra ID will reference as a condition in the policy.
1. Sign in to the Microsoft Entra admin center at entra.microsoft.com.
2. Navigate to Protection > Conditional Access > Named locations.
3. Select + IP ranges locations.
4. Name the location. For example: Trusted - Corporate Office
5. Check the Mark as trusted location checkbox.
6. Click + and enter your approved IP address or CIDR range.
| Field/Setting | Value/Notes |
|---|---|
| Single IP address | 203.0.113.10/32 |
| IP range (CIDR) | 203.0.113.0/24 |
| Multiple sites | Create a separate Named Location for each site, then reference all of them in the policy. |
7. Click Create.
Step 2: Create the Conditional Access Policy
Create a policy that blocks Workday access from any location not on your trusted list.
- In the Entra admin center, navigate to Protection > Conditional Access > Policies.
- Select + New policy.
- Name the policy. For example, Block Workday - Outside Trusted IPs
Assignments: Users
- Under Assignments > Users, select All users.
- Under Exclude, add your break-glass admin account and any automation or service accounts that authenticate from dynamic IPs.
Please Note: Workday integration system users used for HCM data provisioning, API access, or third-party integrations may authenticate through Entra ID if they
are mapped to Entra ID accounts. Review your integration accounts before
enabling this policy to confirm they will not be blocked. Integrations that use
Workday-native credentials rather than SSO are not affected.
Assignments: Target Resources
- Under Target Resources, select Cloud apps > Select apps.
- Search for and select Workday.
Conditions: Locations
- Under Conditions > Locations, set Configure to Yes.
- Under Include, select Any location.
- Under Exclude, select Selected locations, then choose the Named Location you created in Step 1.
Tip: This configuration reads: apply this policy to sign-ins from any location,
except the trusted named location. Any Workday sign-in originating outside
the trusted IP will be blocked before Entra ID issues a SAML assertion to
Workday.
Access Controls: Grant
- Under Access Controls > Grant, select Block access.
- Click Select to confirm.
Enable Policy
- Set Enable policy to Report-only.
- Click Create.
Important: Do not set this policy to On immediately. A block policy applied to All users that is misconfigured will lock all users out of Workday instantly. Always validate in Report-only mode first.
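The same Step 1 and Step 2 configuration, built with Microsoft Graph PowerShell instead of the portal, as an added example that is not part of the original article. It assumes the Microsoft.Graph module is installed, that the enterprise app is named Workday in your tenant, and that the IP range, display names and break-glass UPN are placeholders you replace with your own values.

```powershell
# Added example (not from the original article): creates the trusted Named Location (Step 1)
# and the report-only block policy for Workday (Step 2) through Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; 203.0.113.0/24, the display names and the
# break-glass UPN below are placeholders to replace with your own values.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Application.Read.All","User.Read.All"

$TrustedCidr   = "203.0.113.0/24"                       # your static public egress range (placeholder)
$BreakGlassUpn = "breakglass@contoso.onmicrosoft.com"   # break-glass account to exclude (placeholder)

# Step 1: Named Location marked as trusted, holding the approved CIDR range
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Trusted - Corporate Office"
    isTrusted     = $true
    ipRanges      = @(@{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $TrustedCidr })
}

# Resolve the Workday enterprise app (service principal) and the break-glass user before
# building the policy, so a typo cannot produce a policy with an empty exclusion list
$workday    = Get-MgServicePrincipal -Filter "displayName eq 'Workday'" | Select-Object -First 1
$breakGlass = Get-MgUser -UserId $BreakGlassUpn
if (-not $workday -or -not $breakGlass) { throw "Workday app or break-glass account not found; aborting." }

# Step 2: All users -> Workday, any location except the trusted one -> Block access,
# created in Report-only so it can be validated (Step 3) before enforcement (Step 4)
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Block Workday - Outside Trusted IPs"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications = @{ includeApplications = @($workday.AppId) }   # policies reference the appId, not the object id
        locations    = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
"Created policy '$($policy.DisplayName)' in state $($policy.State) (location id $($location.Id))"
```

Once Step 3 validation is clean, `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -State enabled` performs Step 4.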
Step 3: Validate the Policy
Before enabling enforcement, confirm the policy is evaluating sign-ins correctly.
1. In the Entra admin center, navigate to Identity > Monitoring & health > Sign-in logs.
2. Filter by the Workday application.
3. Open a sign-in from a user on your trusted IP and confirm the Conditional Access
tab shows Would succeed.
4. If available, review a sign-in from an untrusted IP and confirm it shows Would fail
with the location condition listed as the reason.
5. Investigate any unexpected Would fail entries for users on trusted IPs — this
typically indicates the office or VPN is presenting a different egress IP than what is
entered in the Named Location.
Tip: Use the What If tool under Protection > Conditional Access to simulate how a specific user signing in from a specific IP would be evaluated without waiting for a real sign-in event.
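One way to do the Step 3 review from the sign-in logs rather than the portal, as an added example that is not part of the original article; it assumes the Microsoft.Graph module is installed and that the app and policy names match Step 2.

```powershell
# Added example (not from the original article): reads the last 24 hours of Workday sign-ins
# from the Entra ID sign-in logs and shows how the report-only policy evaluated each one.
# Assumptions: Microsoft.Graph module installed; app and policy display names match Step 2.
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"

$PolicyName = "Block Workday - Outside Trusted IPs"
$since      = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Sign-in entries for the Workday enterprise app since $since
$signIns = Get-MgAuditLogSignIn -All -Filter "appDisplayName eq 'Workday' and createdDateTime ge $since"

# Graph report-only result values mapped to what the portal's Conditional Access tab displays
$label = @{
    reportOnlySuccess    = "Would succeed"
    reportOnlyFailure    = "Would fail"
    reportOnlyNotApplied = "Not applied (excluded user or out of scope)"
}

$evaluated = foreach ($s in $signIns) {
    $applied = $s.AppliedConditionalAccessPolicies |
        Where-Object { $_.DisplayName -eq $PolicyName } | Select-Object -First 1
    $result = if (-not $applied) { "policy not evaluated" }
              elseif ($label[$applied.Result]) { $label[$applied.Result] }
              else { $applied.Result }
    [pscustomobject]@{ Time = $s.CreatedDateTime; User = $s.UserPrincipalName; IP = $s.IPAddress; Result = $result }
}
$evaluated | Sort-Object Result, IP | Format-Table -AutoSize

# Step 3 item 5: "Would fail" entries grouped by source IP. An office or VPN address in this
# list is an egress IP missing from the Named Location; genuinely untrusted IPs are the expected outcome.
$evaluated | Where-Object Result -eq "Would fail" | Group-Object IP |
    Select-Object @{n = "IP"; e = { $_.Name }}, Count,
                  @{n = "Users"; e = { ($_.Group.User | Sort-Object -Unique) -join ", " }} |
    Format-Table -AutoSize
```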
Step 4: Enable the Policy
- In the Entra admin center, navigate to Protection > Conditional Access > Policies.
- Select the policy created in Step 2.
- Change Enable policy from Report-only to On.
- Click Save.
From this point forward, any Workday sign-in attempt from an IP address not included in
your Named Location will be blocked. Entra ID will not issue a SAML assertion to Workday,
and the user will be denied access at the identity provider level.
Please Note: Users who are already signed in to Workday when the policy is enabled will not be immediately signed out. The block takes effect on the next sign-in or token refresh, typically within 1 hour. Confirm that local Workday username and password login is disabled in your Workday authentication policy to prevent users from bypassing Entra ID using Workday credentials directly.
Summary
The following table summarizes the full configuration process.
| Step | Action |
|---|---|
| Prerequisites | Confirm license, Workday SAML SSO configured via Edit Tenant Setup – Security, local logins disabled in Workday authentication policy, Security Defaults disabled, static IP(s) identified |
| Step 1 | Create a Named Location with your trusted IP address(es) in Entra ID |
| Step 2 | Create a CA policy targeting Workday, excluding the Named Location, with Block access |
| Step 3 | Validate in Report-only mode using sign-in logs and the What If tool |
| Step 4 | Switch Enable policy to On |