Add Proxy IP to Azure Conditional Access Policy

    Article summary

    This guide explains how to add your proxy or outbound firewall IP address to an Azure Conditional Access policy in Microsoft Entra ID (formerly Azure AD).

    This helps you:

    • Restrict access to corporate network locations
    • Bypass MFA for trusted IPs (such as proxy or VPN egress points)
    • Enforce stricter policies for external or untrusted sources

    Prerequisites

    • Global Administrator or Security Administrator role in Azure AD
    • Knowledge of your proxy/firewall's external (egress) IP address
    • Azure AD Premium P1 or P2 license (Conditional Access requires this)

    Step 1 - Sign in to the Azure Portal


    Step 2 - Navigate to Conditional Access

    • From the side menu:
      • Click Protection → Conditional Access.
      • Click an existing policy or click + New policy to create one.

    Step 3 - Configure Conditions Based on Locations

    • Under your policy:
      • Click Conditions → Locations.
      • Set the toggle to Yes.

    Step 4 - Define Named Locations

    • Click Select locations → then + Named location.
    • Provide a meaningful name, e.g., Trusted Proxy IP.
    • Under IP ranges, add your proxy or firewall’s public IP(s).
    • Check the box if this IP should be marked as trusted (for MFA or device compliance rules).

    Step 5 - Apply the Named Location

    • Once the named location is saved:
      • Navigate back to the Select locations screen.
    • Select either:
      • Include → to apply the policy only when users are coming from that proxy IP
      • Exclude → to bypass the policy for that IP (e.g., exclude from MFA)

    Step 6 - Complete the Policy

    • Under Assignments, choose users/groups to apply the policy to.

    • Under Access controls, choose:

      • Grant → Block or allow access
      • Session → Optional controls like sign-in frequency
    • Set Enable Policy to On.

    • Click Create or Save.
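    The portal clicks in Steps 4 to 6 produce two Microsoft Graph objects: an ipNamedLocation and a conditionalAccessPolicy. The Python below is an added example, not part of this article, that builds and validates those two request bodies for the "Require MFA unless on proxy" scenario (include All locations, exclude the proxy named location, grant with MFA). It does not call Graph; it only prints the bodies you would POST to the two endpoints named in the constants. The GUIDs and IP ranges are constructed placeholders, and the policy is created in report-only state so the sign-in logs show what it would have done before it is enforced.

```python
"""Build the Microsoft Graph payloads that Steps 4-6 produce in the portal.

Added example (not from the original article). It constructs and validates
the JSON bodies only; sending them is left to your Graph client.
All GUIDs and IP addresses below are constructed placeholders.
"""
import ipaddress
import json

GRAPH_NAMED_LOCATIONS = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations"
GRAPH_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def normalize_cidr(value: str) -> str:
    """Return a canonical CIDR string; a bare host IP becomes /32 or /128.

    strict=True rejects ranges with host bits set (e.g. 203.0.113.5/24),
    which Graph would also reject, so the error surfaces locally.
    """
    return str(ipaddress.ip_network(value.strip(), strict=True))


def named_location_payload(display_name: str, cidrs: list, is_trusted: bool) -> dict:
    """Step 4: an ipNamedLocation body with one entry per proxy egress range."""
    ranges = []
    for cidr in cidrs:
        canonical = normalize_cidr(cidr)
        version = ipaddress.ip_network(canonical).version
        ranges.append({
            "@odata.type": "#microsoft.graph.iPv4CidrRange" if version == 4
                           else "#microsoft.graph.iPv6CidrRange",
            "cidrAddress": canonical,
        })
    if not ranges:
        raise ValueError("a named location needs at least one IP range")
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": is_trusted,      # the "mark as trusted" checkbox in Step 4
        "ipRanges": ranges,
    }


def mfa_unless_on_proxy_policy(display_name: str, named_location_id: str,
                               include_group_ids: list, break_glass_user_ids: list,
                               report_only: bool = True) -> dict:
    """Steps 5-6 for the 'Require MFA unless on proxy' row of the use-case table.

    Locations: include All, exclude the proxy named location (by its Graph id).
    Users: the target groups, with the break-glass accounts excluded.
    report_only=True starts the policy in report-only mode.
    """
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {
                "includeGroups": include_group_ids,
                "excludeUsers": break_glass_user_ids,
            },
            "applications": {"includeApplications": ["All"]},
            "locations": {
                "includeLocations": ["All"],
                "excludeLocations": [named_location_id],
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


if __name__ == "__main__":
    # Constructed sample values: documentation IP ranges and placeholder GUIDs.
    loc = named_location_payload("Trusted Proxy IP", ["203.0.113.10", "198.51.100.0/28"], True)
    print("POST", GRAPH_NAMED_LOCATIONS)
    print(json.dumps(loc, indent=2))
    pol = mfa_unless_on_proxy_policy(
        "Require MFA unless on proxy",
        named_location_id="00000000-0000-0000-0000-00000000000a",   # id returned by the POST above
        include_group_ids=["00000000-0000-0000-0000-00000000000b"],
        break_glass_user_ids=["00000000-0000-0000-0000-00000000000c"],
    )
    print("POST", GRAPH_POLICIES)
    print(json.dumps(pol, indent=2))
```

    The named location must exist before the policy references it, because excludeLocations takes the id Graph returns from the first POST, not the display name. Switch report_only to False only after the sign-in logs confirm the expected results.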


    Example Use Cases

    Scenario                            | Action in Conditional Access Policy
    ------------------------------------|---------------------------------------------------
    Bypass MFA for users behind proxy   | Exclude proxy IP under "Locations" condition
    Require MFA unless on proxy         | Include All IPs, then Exclude proxy IP
    Allow access only from proxy        | Include only the proxy IP as named location

    Testing and Logs

    • Use Sign-in logs in Microsoft Entra ID to verify:
      • The IP seen by Azure matches your proxy/firewall's egress IP
      • The Conditional Access policy result (Success, Failure, Not Applied, etc.)
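    The two checks above can be run over an export of the sign-in logs rather than read entry by entry. The Python below is an added example, not part of this article: it takes sign-in records shaped like the Microsoft Graph signIn resource (ipAddress, conditionalAccessStatus, appliedConditionalAccessPolicies), tests whether each source IP falls inside the proxy egress ranges, and flags the two rollout problems a practitioner looks for: the policy still applying to a sign-in from the proxy IP (named location or exclusion is wrong), and a user who should be behind the proxy appearing from some other address (NAT or forward proxy not exposing the expected external IP). The records and egress ranges are constructed sample data; in practice you would feed in the portal export or the result of GET /auditLogs/signIns unchanged.

```python
"""Check Entra sign-in log entries against the expected proxy egress.

Added example (not from the original article). SAMPLE_SIGNINS is constructed
to mirror the fields of the Microsoft Graph signIn resource; EGRESS_CIDRS uses
documentation address ranges.
"""
import ipaddress

EGRESS_CIDRS = ["203.0.113.10/32", "198.51.100.0/28"]   # constructed proxy egress
POLICY_NAME = "Require MFA unless on proxy"

# Results that mean the policy did not apply, in enforced and report-only mode.
NOT_APPLIED = {"notApplied", "reportOnlyNotApplied"}

# Constructed sign-in records.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "notApplied"}]},
    {"userPrincipalName": "bob@example.com", "ipAddress": "192.0.2.44",
     "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "success"}]},
    # Carol is on the corporate network but her traffic did not leave via the
    # proxy (NAT exposing a different address), so MFA was enforced anyway.
    {"userPrincipalName": "carol@example.com", "ipAddress": "192.0.2.77",
     "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "failure"}]},
]


def from_egress(ip: str, cidrs) -> bool:
    """True when the IP Azure saw is inside one of the proxy egress ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def policy_result(record: dict, policy_name: str):
    """Result of the named policy for this sign-in, or None if it is not listed."""
    for p in record.get("appliedConditionalAccessPolicies", []):
        if p.get("displayName") == policy_name:
            return p.get("result")
    return None


def audit_signins(records, cidrs, policy_name, expected_behind_proxy=()):
    """Return one finding per record: (upn, ip, on_egress, result, note).

    note is empty when the record looks as expected, otherwise it names
    which of the two rollout problems the record suggests.
    """
    findings = []
    for r in records:
        upn = r["userPrincipalName"]
        ip = r["ipAddress"]
        on_egress = from_egress(ip, cidrs)
        result = policy_result(r, policy_name)
        note = ""
        if on_egress and result not in NOT_APPLIED:
            note = "policy applied despite proxy IP: check named location / exclusion"
        elif not on_egress and upn in expected_behind_proxy:
            note = "expected proxy egress but saw another IP: check NAT/proxy"
        findings.append((upn, ip, on_egress, result, note))
    return findings


if __name__ == "__main__":
    for finding in audit_signins(SAMPLE_SIGNINS, EGRESS_CIDRS, POLICY_NAME,
                                 expected_behind_proxy={"carol@example.com"}):
        print(finding)
```

    The expected_behind_proxy set is what turns a plain IP lookup into a useful check: without it, a corporate user whose traffic bypasses the proxy looks identical to a legitimate external sign-in.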

    Tips

    • If you're behind multiple proxies or regional egress IPs, add them all to the named location.
    • Azure reads the client public IP, so NAT or forward proxies must expose the correct external address.
    • Be cautious when blocking access based on IP — always test with a break-glass account excluded from the policy.

