Will Microsoft Graph support service tags for IP-based Conditional Access Policies?

Question

Will Microsoft Graph support service tags for IP-based Conditional Access Policies?

Alyssa Williams (ODSP) 20 Microsoft Employee

Hi,
I work on a tenant factory microservice. Our job is to provision tenants for internal use to Microsoft teams for testing, monitoring, etc. We have been tasked with locking down tenants to only be accessible for approved IP ranges. We allow default access to tenants from Microsoft Public IPs, which I've retrieved from a published JSON document. However, we also need to provide expanded access to tenants based on clients' needs. I'm interested in using service tags to accomplish this, by allowing clients to provide their service tags and using the tags to configure conditional access policies on behalf of the tenant. This would allow for the IP ACLs to update dynamically if the service tags are updated. Currently, conditional access policies within a tenant do not give the ability to use a service tag directly. Instead, it seems like I'll have to fetch the list of IP ranges associated with a service tag and use them to indirectly create an IP ACL, which doesn't create as dynamic of an IP ACL as using service tags would. I know that service tags can be used to create Virtual Network Security Group rules and I'm wondering if you all have any plans to allow users to create Microsoft Entra Conditional Access Policies service tags.

Navya 18,835 Reputation points Microsoft External Staff Moderator

2025-05-05T09:18:05.2533333+00:00

Hi @Alyssa Williams (ODSP)

Following up to see if the below answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Navya 18,835 Reputation points Microsoft External Staff Moderator

2025-05-06T11:35:43.33+00:00

Hi @Alyssa Williams (ODSP)

Following up to see if the below answer was helpful. Please remember to "Accept Answer" if answer helped you. This will help us as well as others in the community who might be researching similar questions. if you have any further query do let us know.

Accepted answer

0 additional answers

Your answer

Navya 18,835 Reputation points Microsoft External Staff Moderator

2025-05-05T09:18:05.2533333+00:00

Hi @Alyssa Williams (ODSP)

Following up to see if the below answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Navya 18,835 Reputation points Microsoft External Staff Moderator

2025-05-06T11:35:43.33+00:00

Hi @Alyssa Williams (ODSP)

Following up to see if the below answer was helpful. Please remember to "Accept Answer" if answer helped you. This will help us as well as others in the community who might be researching similar questions. if you have any further query do let us know.

Answer 1

Hi @Alyssa Williams (ODSP)

Microsoft Entra Conditional Access policies currently do not support direct use of service tags, unlike Network Security Group rules, which can reference service tags to control traffic. Instead, Conditional Access requires defining Named Locations with specific IP ranges.

I kindly request you to share your feedback on our feedback channel: https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789

This forum is open to the user community for upvoting and commenting. It helps our product teams effectively prioritize your request against the existing feature backlog and provides insight into the potential impact of implementing the suggested feature.

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Share via

Will Microsoft Graph support service tags for IP-based Conditional Access Policies?

0 additional answers

Your answer