This guide explains how to add your **proxy or outbound firewall IP address** to an **Azure conditional access** policy in Microsoft Entra ID (formerly Azure AD).

This helps you:
- Restrict access to corporate network locations
- Bypass MFA for trusted IPs (such as proxy or VPN egress points)
- Enforce stricter policies for external or untrusted sources

---

## Prerequisites

- **Global administrator** or **security administrator** role in Azure AD
- Knowledge of your **proxy/firewall's external (egress) IP address**
- Azure AD Premium P1 or P2 license (conditional access requires this)

---

## Step 1 - Sign in to the Azure portal

- Navigate to [https://portal.Azure.com](https://portal.Azure.com)
- Launch the **Microsoft Entra ID** blade (formerly **Azure Active Directory**)

---

## Step 2 - Navigate to conditional access

- From the side menu:
  - Click **Protection** → **Conditional access**.
  - Click an existing policy **or** click **+ New policy** to create one.

---

## Step 3 - Configure conditions based on locations

- Under your policy:
  - Click **Conditions** → **Locations**.
  - Set the toggle to **Yes**.

---

## Step 4 - Define named locations

- Click **Select locations** → then **+ Named location**.
- Provide a meaningful name, e.g., `Trusted Proxy IP`.
- Under **IP ranges**, add your proxy or firewall's public IP(s).
- Check the box if this IP should be marked as **trusted** (for MFA or device compliance rules).

---

## Step 5 - Apply the named location

- Once the named location is saved:
  - Navigate back to the **Select locations** screen.
- Select either:
  - **Include** → to apply the policy *only* when users are coming from that proxy IP
  - **Exclude** → to *bypass* the policy for that IP (e.g., exclude from MFA)

---

## Step 6 - Complete the policy

- Under **assignments**, choose users/groups to apply the policy to.
- Under **access controls**, choose:
  - **Grant** → block or allow access
  - **Session** → optional controls like sign-in frequency
- Set **Enable policy** to **On**.
- Click **Create** or **Save**.
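The same result as Steps 4 to 6 can be produced from Microsoft Graph PowerShell, which is useful when the named location has to be kept in sync with a changing list of egress addresses. The block below is an added example, not part of the original guide or Microsoft's documentation; the egress CIDRs, the group name `CA-Pilot-Users` and the break-glass UPN are placeholders, and it assumes the `Microsoft.Graph` module is installed. It creates the policy in report-only state so the sign-in log results can be reviewed before enforcement is switched on.

```powershell
# Added example (not from the original guide): create the named location and the
# conditional access policy via Microsoft Graph PowerShell. Assumes the
# Microsoft.Graph module is installed; all names and addresses are placeholders.

# Scopes needed to create named locations/policies and resolve the group and user.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All", "User.Read.All"

# Step 4: named location holding the proxy/firewall egress addresses (constructed sample ranges).
$egressCidrs = @("203.0.113.10/32", "198.51.100.0/28")
$namedLocationBody = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Trusted Proxy IP"
    isTrusted     = $true          # equivalent to the "Mark as trusted location" checkbox
    ipRanges      = @($egressCidrs | ForEach-Object {
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $_ }
    })
}
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $namedLocationBody

# Steps 5 and 6: require MFA from every location except the proxy, scoped to a pilot group,
# with the break-glass account excluded so a wrong IP range cannot lock the tenant.
$targetGroup = Get-MgGroup -Filter "displayName eq 'CA-Pilot-Users'"   # placeholder group
$breakGlass  = Get-MgUser -UserId "breakglass@example.com"               # placeholder UPN

$policyBody = @{
    displayName = "Require MFA unless on trusted proxy"
    # Report-only first; change to "enabled" once the sign-in logs look right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeGroups = @($targetGroup.Id)
            excludeUsers  = @($breakGlass.Id)
        }
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)   # "Exclude" in the portal
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody
"Created policy '$($policy.DisplayName)' ($($policy.Id)) in state $($policy.State)"
```

To express the "Allow access only from proxy" case from the table below instead, put `$location.Id` in `includeLocations`, leave `excludeLocations` empty and use `builtInControls = @("block")`; keep the break-glass exclusion either way.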

---

## Example use cases

| Scenario                               | Action in conditional access policy            |
|----------------------------------------|------------------------------------------------|
| Bypass MFA for users behind proxy      | Exclude proxy IP under "locations" condition   |
| Require MFA unless on proxy            | Include all IPs, then exclude proxy IP         |
| Allow access only from proxy           | Include only the proxy IP as named location    |

---

## Testing and logs

- Use **sign-in logs** in Microsoft Entra ID to verify:
    - The IP seen by Azure matches your proxy/firewall's egress IP
    - The conditional access policy result (`Success`, `Failure`, `Not Applied`, etc.)
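The verification above can be scripted rather than read off the portal. The block below is an added example, not part of the original guide; the UPN, policy name and egress CIDRs are placeholders (the same constructed ranges as the named location), and it assumes the `Microsoft.Graph` module is installed. For each recent sign-in it reports whether the address Entra recorded falls inside the proxy ranges and what the policy decided, which is exactly the mismatch to look for when a NAT or forward proxy is not presenting the expected egress IP.

```powershell
# Added example (not from the original guide): compare the IP Entra saw for recent
# sign-ins against the proxy egress ranges and show the policy result.
# Placeholders: the UPN, the policy display name and the egress CIDRs.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$upn         = "alice@example.com"                       # placeholder user to check
$policyName  = "Require MFA unless on trusted proxy"     # display name of the policy to inspect
$egressCidrs = @("203.0.113.10/32", "198.51.100.0/28")   # constructed, same as the named location

# Convert a dotted IPv4 address to an unsigned 32-bit integer.
function ConvertTo-UInt32 {
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)   # GetAddressBytes is network order; BitConverter expects host order
    return [BitConverter]::ToUInt32($bytes, 0)
}

# True when an IPv4 address lies inside a CIDR range. IPv6 sign-ins return $false
# rather than throwing, so they show up as "not from proxy" and can be reviewed by hand.
function Test-IpInCidr {
    param([string]$Ip, [string]$Cidr)
    $addr = [System.Net.IPAddress]::Parse($Ip)
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $net, $bits = $Cidr.Split('/')
    $mask = [uint32]((0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF)
    return ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}

# Pull the user's most recent sign-ins and annotate each one.
$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -Top 20
foreach ($s in $signIns) {
    $fromProxy = @($egressCidrs | Where-Object { Test-IpInCidr -Ip $s.IpAddress -Cidr $_ }).Count -gt 0
    $applied   = $s.AppliedConditionalAccessPolicies | Where-Object { $_.DisplayName -eq $policyName }
    [pscustomobject]@{
        Time         = $s.CreatedDateTime
        IpSeen       = $s.IpAddress
        FromProxy    = $fromProxy
        CaStatus     = $s.ConditionalAccessStatus              # success / failure / notApplied
        PolicyResult = if ($applied) { $applied.Result } else { "not evaluated" }
    }
}
```

A row with `FromProxy = True` and a policy result of `notApplied` (or `reportOnlyNotApplied` while in report-only) confirms the exclusion is working; a row with `FromProxy = False` for a user who is on the corporate network means the address reaching Entra is not the egress IP you added.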

---

## Tips

- If you're behind multiple proxies or regional egress IPs, add them all to the named location.
- Azure reads the **client public IP**, so NAT or forward proxies must expose the correct external address.
- Be cautious when blocking access based on IP — always test with a break-glass account excluded from the policy.

---