Add Proxy IP to Azure Conditional Access Policy


This guide explains how to add your proxy or outbound firewall IP address to an Azure Conditional Access policy in Microsoft Entra ID (formerly Azure AD).

This helps you:

  • Restrict access to corporate network locations
  • Bypass MFA for trusted IPs (such as proxy or VPN egress points)
  • Enforce stricter policies for external or untrusted sources

Prerequisites

  • Global Administrator or Security Administrator role in Azure AD
  • Knowledge of your proxy/firewall's external (egress) IP address
  • Azure AD Premium P1 or P2 license (Conditional Access requires this)

Step 1 - Sign in to the Azure Portal


Step 2 - Navigate to Conditional Access

  • From the side menu:
    • Click Protection → Conditional Access.
    • Click an existing policy or click + New policy to create one.

Step 3 - Configure Conditions Based on Locations

  • Under your policy:
    • Click Conditions → Locations.
    • Set the toggle to Yes.

Step 4 - Define Named Locations

  • Click Select locations, then + Named location.
  • Provide a meaningful name, e.g., Trusted Proxy IP.
  • Under IP ranges, add your proxy or firewall's public IP(s).
  • Check the "Mark as trusted location" box if sign-ins from this IP should count as trusted (used by MFA and device-compliance rules).

Step 5 - Apply the Named Location

  • Once the named location is saved, navigate back to the Select locations screen.
  • Select either:
    • Include → to apply the policy only when users are coming from that proxy IP
    • Exclude → to bypass the policy for that IP (e.g., exclude from MFA)

Step 6 - Complete the Policy

  • Under Assignments, choose the users/groups the policy applies to.
  • Under Access controls, choose:
    • Grant → Block or allow access
    • Session → Optional controls like sign-in frequency
  • Set Enable policy to On.
  • Click Create or Save.

Example Use Cases

Scenario                           | Action in Conditional Access Policy
-----------------------------------|----------------------------------------------
Bypass MFA for users behind proxy  | Exclude proxy IP under "Locations" condition
Require MFA unless on proxy        | Include All IPs, then Exclude proxy IP
Allow access only from proxy       | Include only the proxy IP as named location

Testing and Logs

  • Use Sign-in logs in Microsoft Entra ID to verify:
    • The IP seen by Azure matches your proxy/firewall's egress IP
    • The Conditional Access policy result (Success, Failure, Not Applied, etc.)
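The same configuration driven through the Microsoft Graph API instead of the portal, as an added example that is not part of this guide: it builds the named-location and policy bodies for the "Require MFA unless on proxy" row above, creates the policy in report-only mode with a break-glass account excluded, and checks a sign-in log entry's recorded IP against the egress ranges. The CIDRs and object IDs are placeholders and the sign-in record is constructed; a token with Policy.ReadWrite.ConditionalAccess is assumed for the POST calls.

```python
"""Graph API payloads for 'Require MFA unless on proxy' plus a sign-in log check."""
import ipaddress
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed placeholders: replace with your real egress ranges and object IDs.
PROXY_EGRESS_CIDRS = ["203.0.113.10/32", "198.51.100.0/28"]
TARGET_GROUP_ID = "<users-group-object-id>"
BREAK_GLASS_USER_ID = "<break-glass-account-object-id>"


def named_location_payload(name, cidrs, trusted=True):
    """ipNamedLocation body with one entry per egress range (IPv4 or IPv6)."""
    ranges = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
        kind = "iPv4CidrRange" if net.version == 4 else "iPv6CidrRange"
        ranges.append({"@odata.type": f"#microsoft.graph.{kind}", "cidrAddress": cidr})
    return {"@odata.type": "#microsoft.graph.ipNamedLocation",
            "displayName": name, "isTrusted": trusted, "ipRanges": ranges}


def mfa_unless_on_proxy_policy(location_id, group_id, break_glass_id):
    """Include All locations, exclude the proxy, require MFA; starts report-only."""
    return {
        "displayName": "Require MFA unless on proxy",
        "state": "enabledForReportingButNotEnforced",  # flip to "enabled" after review
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeGroups": [group_id], "excludeUsers": [break_glass_id]},
            "locations": {"includeLocations": ["All"], "excludeLocations": [location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def graph_post(token, path, body):
    """POST a JSON body to Graph and return the created object."""
    req = urllib.request.Request(GRAPH + path, data=json.dumps(body).encode(),
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def sign_in_seen_from_proxy(sign_in, cidrs):
    """True if the ipAddress Entra recorded for a sign-in is inside the egress ranges."""
    ip = ipaddress.ip_address(sign_in["ipAddress"])
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


if __name__ == "__main__":
    # Constructed sign-in record; a real one comes from GET /auditLogs/signIns.
    sample = {"ipAddress": "192.0.2.5", "appliedConditionalAccessPolicies": []}
    print("from proxy:", sign_in_seen_from_proxy(sample, PROXY_EGRESS_CIDRS))
```

To create the objects for real, call `graph_post(token, "/identity/conditionalAccess/namedLocations", ...)` first and pass the returned `id` to `mfa_unless_on_proxy_policy` before posting to `/identity/conditionalAccess/policies`.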

Tips

  • If you're behind multiple proxies or regional egress IPs, add them all to the named location.
  • Azure reads the client public IP, so NAT or forward proxies must expose the correct external address.
  • Be cautious when blocking access based on IP; always test with a break-glass account excluded from the policy.