Source IP restoration

With a cloud based network proxy between users and their resources, the IP address that the resources see doesn't match the actual source IP address. In place of the end-users’ source IP, the resource endpoints see the cloud proxy as the source IP address. Customers with these cloud proxy solutions can't use this source IP information.

Source IP restoration in Global Secure Access allows backward compatibility for Microsoft Entra customers to continue using original user Source IP. Administrators can benefit from the following capabilities:

• Continue to enforce Source IP-based location policies across both Conditional Access and continuous access evaluation.
• Microsoft Entra ID Protection risk detections get a consistent view of original user Source IP address for assessing various risk scores.
• Original user Source IP is also made available in Microsoft Entra sign-in logs.

Prerequisites

• Administrators who interact with Global Secure Access features must have both of the following role assignments depending on the tasks they're performing.
  • The Global Secure Access Administrator role role to manage the Global Secure Access features.
  • The Conditional Access Administrator to create and interact with Conditional Access policies.
• The product requires licensing. For details, see the licensing section of What is Global Secure Access. If needed, you can purchase licenses or get trial licenses.

Known limitations

This feature has one or more known limitations. For more detailed information about the known issues and limitations of this feature, see Known Limitations for Global Secure Access.

Enable Global Secure Access signaling for Conditional Access

To enable the required setting to allow source IP restoration, an administrator must take the following steps.

1. Sign in to the Microsoft Entra admin center as a Global Secure Access Administrator.
2. Browse to Global Secure Access > Settings > Session management > Adaptive Access.
3. Select the toggle to Enable Global Secure Access signaling in Conditional Access.

This functionality allows services like Microsoft Graph, Microsoft Entra ID, SharePoint Online, and Exchange Online to see the actual source IP address.

Caution

If your organization has active Conditional Access policies based on IP location checks, and you disable Global Secure Access signaling in Conditional Access, you may unintentionally block targeted end-users from being able to access the resources. If you must disable this feature, first delete any corresponding Conditional Access policies.

Sign-in log behavior

To see source IP restoration in action, administrators can take the following steps.

1. Sign in to the Microsoft Entra admin center as at least a Security Reader.
2. Browse to Identity > Users > All users > select one of your test users > Sign-in logs.
3. With source IP restoration enabled, you see IP addresses that include their actual IP address.
   • If source IP restoration is disabled, you can't see their actual IP address.

Sign-in log data might take some time to appear this delay is normal as there's some processing that must take place.

Related content

• Set up tenant restrictions v2 (preview)
• Enable compliant network check with Conditional Access
• Strictly enforce location policies using continuous access evaluation