Add Proxy IP to Azure Conditional Access Policy

Article summary

Did you find this summary helpful?

Thank you for your feedback!

This guide explains how to add your proxy or outbound firewall IP address to an Azure Conditional Access policy in Microsoft Entra ID (formerly Azure AD).

This helps you:

Restrict access to corporate network locations
Bypass MFA for trusted IPs (such as proxy or VPN egress points)
Enforce stricter policies for external or untrusted sources

Prerequisites

Global Administrator or Security Administrator role in Azure AD
Knowledge of your proxy/firewall's external (egress) IP address
Azure AD Premium P1 or P2 license (Conditional Access requires this)

Navigate to https://portal.azure.com
Launch the Microsoft Entra ID blade (formerly Azure Active Directory)

Step 2 - Navigate to Conditional Access

From the side menu:
- Click Protection → Conditional Access.
- Click an existing policy or click + New policy to create one.

Step 3 - Configure Conditions Based on Locations

Under your policy:
- Click Conditions → Locations.
- Set the toggle to Yes.

Step 4 - Define Named Locations

Click Select locations → then + Named location.
Provide a meaningful name, e.g., Trusted Proxy IP.
Under IP ranges, add your proxy or firewall’s public IP(s).
Check the box if this IP should be marked as trusted (for MFA or device compliance rules).

Step 5 - Apply the Named Location

Once the named location is saved:
- Navigate back to the Select locations screen.
Select either:
- Include → to apply the policy only when users are coming from that proxy IP
- Exclude → to bypass the policy for that IP (e.g., exclude from MFA)

Step 6 - Complete the Policy

Under Assignments, choose users/groups to apply the policy to.
Under Access controls, choose:
- Grant → Block or allow access
- Session → Optional controls like sign-in frequency
Set Enable Policy to On.
Click Create or Save.

Example Use Cases

Scenario	Action in Conditional Access Policy
Bypass MFA for users behind proxy	Exclude proxy IP under "Locations" condition
Require MFA unless on proxy	Include All IPs, then Exclude proxy IP
Allow access only from proxy	Include only the proxy IP as named location

Testing and Logs

Use Sign-in logs in Microsoft Entra ID to verify:
- The IP seen by Azure matches your proxy/firewall's egress IP
- The Conditional Access policy result (Success, Failure, Not Applied, etc.)

Tips

If you're behind multiple proxies or regional egress IPs, add them all to the named location.
Azure reads the client public IP, so NAT or forward proxies must expose the correct external address.
Be cautious when blocking access based on IP — always test with a break-glass account excluded from the policy.

Was this article helpful?

What's Next

Configure Proxy and Exclusions on macOS

Table of contents

Prerequisites
Step 1 - Sign in to the Azure Portal
Step 2 - Navigate to Conditional Access
Step 3 - Configure Conditions Based on Locations
Step 4 - Define Named Locations
Step 5 - Apply the Named Location
Step 6 - Complete the Policy
Example Use Cases
Testing and Logs
Tips