IP Ranges to allow traffic from the Microsoft Entra provisioning service into our application (snowflake in our case)

Question

IP Ranges to allow traffic from the Microsoft Entra provisioning service into our application (snowflake in our case)

Ananda Bhat 5

Document says below: but i dont see any tag with the name "Microsoft Entra ID" in the IP range file

JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2024-03-05T17:24:22.74+00:00

@Ananda Bhat

I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Ananda Bhat 5 Reputation points

2024-03-08T18:50:49.3+00:00

Few of the Ip address which is trying to perform the autoprovisioning from Entra to snowflake are not under "AzureActiveDirectory". I am little confused
Danny Zollner 10,801 Reputation points Microsoft Employee Moderator

2024-03-11T17:01:22.5533333+00:00

@Ananda Bhat Can you provide a few examples of IP addresses you're seeing that are making calls to the SCIM API but aren't in the AzureActiveDirectory grouping of IP ranges?
Ananda Bhat 5 Reputation points

2024-03-11T18:25:21.76+00:00

@Danny Zollner , below are IP addresses

20.190.151.32

20.190.155.39

40.126.25.32

40.126.4.44

40.126.27.32
Ananda Bhat 5 Reputation points

2024-03-11T18:54:05.9733333+00:00

Also is the whitelisting of IP's is only the option or is there any other private way of auto provisioning
Ananda Bhat 5 Reputation points

2024-03-11T18:56:32.4333333+00:00

Hello, Below are the IP addresses which is not present in the AzureActiveDirectory session. Could you please take a look it?

3 answers

Your answer

JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2024-03-05T17:24:22.74+00:00

@Ananda Bhat

I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Ananda Bhat 5 Reputation points

2024-03-08T18:50:49.3+00:00

Few of the Ip address which is trying to perform the autoprovisioning from Entra to snowflake are not under "AzureActiveDirectory". I am little confused
Danny Zollner 10,801 Reputation points Microsoft Employee Moderator

2024-03-11T17:01:22.5533333+00:00

@Ananda Bhat Can you provide a few examples of IP addresses you're seeing that are making calls to the SCIM API but aren't in the AzureActiveDirectory grouping of IP ranges?
Ananda Bhat 5 Reputation points

2024-03-11T18:25:21.76+00:00

@Danny Zollner , below are IP addresses

20.190.151.32

20.190.155.39

40.126.25.32

40.126.4.44

40.126.27.32
Ananda Bhat 5 Reputation points

2024-03-11T18:54:05.9733333+00:00

Also is the whitelisting of IP's is only the option or is there any other private way of auto provisioning
Ananda Bhat 5 Reputation points

2024-03-11T18:56:32.4333333+00:00

Hello, Below are the IP addresses which is not present in the AzureActiveDirectory session. Could you please take a look it?

Answer 1

JamesTran-MSFT 36,911 Microsoft Employee Moderator

@Ananda Bhat

Thank you for your post!

When it comes to the documentation that you're referring to, I'm assuming that it's the - Develop and plan provisioning for a SCIM endpoint in Microsoft Entra ID IP Ranges section.

User's image

If this is the case, when it comes to the linked Azure IP Ranges and Service Tags – Public Cloud (ServiceTags_Public_20240227.json) download, you'll find the IP ranges for MS Entra ID (formerly Azure AD) by searching for the AzureActiveDirectory tag.

User's image

Additional Links:

I hope this helps!

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Danny Zollner 10,801 Reputation points Microsoft Employee Moderator

2024-03-11T19:38:56.6066667+00:00

@Ananda Bhat Responding to your question (in comments, above) on source/originating IP addresses not being in the list that James linked.

The list that James provided documents IP address ranges, not individual IP addresses. Under the AzureActiveDirectory section, the IP ranges 40.126.0.0/18 and 20.190.128.0/18 are listed. Each of these ranges are made up of 16,384 IP addresses. All 5 of the specific IP addresses you provided are included within those two ranges.

If you aren't comfortable with how subnets work in IPv4 networking, I'd recommend using a tool to calculate this. A number of them exist and can be located via a search engine using terms like "subnet calculator".

I've included a picture of the output of a reputable 3rd party subnet calculator that I located using the above search engine terms. I've highlighted the most important fields.
Ananda Bhat 5 Reputation points

2024-03-29T18:11:42.4433333+00:00

I tried using the API which is listed in the above article to retrieve the tags with the IP

GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Network/locations/{location}/serviceTags?api-version=2023-09-01

But is giving me a black json. Any idea why it could be ?

{

"value": [],

"nextLink": ""

}
Ananda Bhat 5 Reputation points

2024-04-01T19:50:51.2133333+00:00

Any help is appreciated
Ananda Bhat 5 Reputation points

2024-04-01T19:51:28.7+00:00

@Danny Zollner
Rory Donaldson 0 Reputation points

2024-09-17T15:32:03.24+00:00

@Danny Zollner @JamesTran-MSFT Something isn't quite right here. Using SCIM provisioning, I'm getting REST events on Snowflake originating from 20.190.129.80 and 20.190.137.45. These IPs are not in ranges under the AzureActiveDirectory tag, but instead are under AzureCloud, AzureCloud.westeurope and AzureCloud.northeurope.

Looks like the AzureActiveDirectory tag IP list is incomplete. Where can I raise this issue?
Danny Zollner 10,801 Reputation points Microsoft Employee Moderator

2024-09-17T18:46:28.4966667+00:00

Hi Rory,

Those IP addresses are in the AzureActiveDirectory IPv4 ranges currently available in the ServiceTags_Public_20240916.json file I just downloaded.

The range 20.190.128.0/18 is listed under AzureActiveDirectory and the /18 CIDR block translates to the IP addresses between 20.190.128.1 and 20.190.191.254.

Answer 2

Andy David - MVP 157.8K MVP Volunteer Moderator

search for "azure" instead in that json. https://learn.microsoft.com/en-us/answers/questions/1355195/azure-ad-scim-provisioning-calls-not-made-from-doc

Answer 3

Hello Ananda Bhat.

The Microsoft Entra ID service uses a range of IP addresses for its operations. However, these IP ranges are not tagged specifically as “Microsoft Entra ID” in the IP range file. Instead, they are part of the larger set of IP ranges used by Microsoft services.

To allow traffic from Microsoft Entra into your application, you would typically define a named location in your Conditional Access policy with the necessary IP ranges Named locations can be defined by IPv4 and IPv6 address ranges.

You can configure up to 2000 IP ranges per named location

Please note that the specific IP ranges used by Microsoft Entra ID may change over time, so it’s important to keep your configuration updated. Microsoft provides a JSON formatted list of all required and optional destinations, which is updated regularly

If this information provided here helps solve your issue, please tag this as answered, so it helps further community readers, who may have similar questions.

Ananda Bhat 5 Reputation points

2024-03-08T02:30:40.72+00:00

Thank you for the response. I am little confused here, from where to get the list of IP ranges? from the Json file? if yes which section with in that need to be considered

Share via

IP Ranges to allow traffic from the Microsoft Entra provisioning service into our application (snowflake in our case)

3 answers

Your answer