Restrict Access to Active Directory based on IP range


  • I need to restrict access to an Azure Active Directory application based on subnets. I am accessing Azure Active Directory to get an access token using the AD app's Client ID and Client Secret in a C# VSTO Outlook add-in project. I want to allow some defined subnets to access AD using this Outlook add-in (the Outlook add-in will be defined on their machines) and restrict others. Where can I configure that IP range in the AD application so that it will restrict access for other subnets to that application?

    I have tried specifying the IP range in the app configuration page in multi-factor authentication conditional access, but it didn't work. What else do I need to do? Any help will be appreciated.

    Thursday, March 16, 2017 10:54 AM

All replies

  • You can't as far as I know.

    The IP range you configure in MFA is to define the "home subnets", so that you don't get prompted for MFA on the corporate network, for instance, whereas you do get prompted in other locations.

    Azure AD will allow token acquisition from all sources.

    If you want to get creative you can write code in your app/plugin, but that easily becomes a hassle to support.

    Thursday, March 16, 2017 11:10 AM
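
The in-app check suggested in the reply above, sketched as an added example that is not part of the original thread: before requesting a token, the add-in tests whether the machine has an address inside an allowed subnet. The class name `SubnetGate` and the CIDR ranges are assumptions constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.NetworkInformation;
using System.Net.Sockets;

static class SubnetGate
{
    // Constructed sample ranges (assumption); replace with the subnets you intend to allow.
    static readonly string[] AllowedCidrs = { "10.20.0.0/16", "192.168.50.0/24" };

    // True when the IPv4 address lies inside the CIDR block, e.g. "10.20.0.0/16".
    public static bool InCidr(IPAddress address, string cidr)
    {
        string[] parts = cidr.Split('/');
        IPAddress network;
        int prefix;
        if (parts.Length != 2 || !IPAddress.TryParse(parts[0], out network)
            || !int.TryParse(parts[1], out prefix) || prefix < 0 || prefix > 32)
            return false; // malformed entry never matches
        if (address.AddressFamily != AddressFamily.InterNetwork
            || network.AddressFamily != AddressFamily.InterNetwork)
            return false; // IPv4 only in this sketch
        // C# masks the shift count to 5 bits, so a /0 prefix needs its own case.
        uint mask = prefix == 0 ? 0u : uint.MaxValue << (32 - prefix);
        return (ToUInt32(address) & mask) == (ToUInt32(network) & mask);
    }

    static uint ToUInt32(IPAddress ip)
    {
        byte[] b = ip.GetAddressBytes(); // network byte order
        return ((uint)b[0] << 24) | ((uint)b[1] << 16) | ((uint)b[2] << 8) | b[3];
    }

    // True when any operational local interface has an address in an allowed range.
    public static bool MachineIsOnAllowedSubnet()
    {
        return NetworkInterface.GetAllNetworkInterfaces()
            .Where(nic => nic.OperationalStatus == OperationalStatus.Up)
            .SelectMany(nic => nic.GetIPProperties().UnicastAddresses)
            .Select(u => u.Address)
            .Any(ip => AllowedCidrs.Any(c => InCidr(ip, c)));
    }
}
```

The add-in would call `SubnetGate.MachineIsOnAllowedSubnet()` and skip the token request when it returns false. The check runs only inside the add-in, so, as the reply notes, Azure AD itself will still issue tokens to requests from any source.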