Hello Lehmann, Carlos-MGB,
Azure Workload Identity does not have a dedicated or separate set of IP addresses that can be whitelisted. The token issuance and federation flow uses the same Microsoft Entra ID (Azure AD) authentication endpoints as other OIDC/SAML-based sign-ins.
If your self-hosted GitLab instance requires IP-based allowlisting, the supported approach is to whitelist the AzureActiveDirectory service tag. This service tag represents the full set of outbound IP ranges used by Microsoft Entra ID for authentication and token issuance, including workload identity federation.
There is no supported way to narrow this down further to “workload identity only” IPs. Microsoft recommends:
- Using the AzureActiveDirectory service tag
- Keeping the IP list updated (weekly) via the Service Tags JSON or Service Tag Discovery API
If strict IP allowlisting is not feasible, the preferred alternative is to rely on OIDC trust + certificate/issuer validation rather than IP-based filtering.
Hope this helps clarify the expected configuration.
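The weekly refresh the answer recommends is easy to get wrong by hand (a stale prefix left in, a new one missed, a malformed entry silently dropped). The script below is an added example, not code from the answer's author or from Microsoft: it parses a file in the shape of the Service Tags JSON, pulls out the AzureActiveDirectory prefixes, validates each as a proper CIDR, and computes what to add and retire against the firewall's current allowlist. The JSON embedded here is constructed with documentation-range placeholders, not Microsoft's real ranges; in practice you would feed it the downloaded Service Tags file or the output of `az network list-service-tags --location <region>`.

```python
import ipaddress
import json

# Constructed sample in the shape of Microsoft's Service Tags JSON.
# The prefixes are RFC 5737 / RFC 3849 documentation ranges used as
# placeholders; they are NOT the real AzureActiveDirectory ranges.
SAMPLE_SERVICE_TAGS_JSON = json.dumps({
    "changeNumber": 1,
    "cloud": "Public",
    "values": [
        {
            "name": "AzureActiveDirectory",
            "id": "AzureActiveDirectory",
            "properties": {
                "changeNumber": 1,
                "region": "",
                "platform": "Azure",
                "systemService": "AzureAD",
                "addressPrefixes": [
                    "192.0.2.0/24",      # placeholder (TEST-NET-1)
                    "198.51.100.0/25",   # placeholder (TEST-NET-2)
                    "2001:db8:1::/48",   # placeholder (IPv6 documentation)
                ],
            },
        },
        {
            # An unrelated tag, to show that only the requested tag is used.
            "name": "AzureCloud.westeurope",
            "id": "AzureCloud.westeurope",
            "properties": {"addressPrefixes": ["203.0.113.0/24"]},
        },
    ],
})


def to_networks(prefixes):
    """Parse CIDR strings strictly: a host-bit-set or garbled entry raises
    ValueError instead of being silently dropped from the allowlist."""
    return {ipaddress.ip_network(p, strict=True) for p in prefixes}


def extract_prefixes(service_tags_json, tag_name="AzureActiveDirectory"):
    """Return the sorted, validated prefixes listed for one service tag."""
    data = json.loads(service_tags_json)
    for entry in data.get("values", []):
        if entry.get("name") == tag_name:
            raw = entry["properties"]["addressPrefixes"]
            return sorted(str(n) for n in to_networks(raw))
    # Failing loudly beats writing an empty allowlist to the firewall.
    raise KeyError(f"service tag {tag_name!r} not found in file")


def diff_allowlist(current, latest):
    """Prefixes to add and to retire when refreshing the firewall allowlist.
    Both inputs are iterables of CIDR strings; output is normalized text."""
    cur = {str(n) for n in to_networks(current)}
    new = {str(n) for n in to_networks(latest)}
    return sorted(new - cur), sorted(cur - new)


def is_from_allowed_range(ip, prefixes):
    """True if a source address falls inside any allowed prefix. Useful when
    a federation request shows up as denied in the GitLab proxy log and you
    want to know whether the list is simply out of date."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in to_networks(prefixes))


if __name__ == "__main__":
    latest = extract_prefixes(SAMPLE_SERVICE_TAGS_JSON)
    # Constructed: what the firewall allows today, with one stale /24.
    current = ["192.0.2.0/24", "198.51.100.0/24"]
    add, remove = diff_allowlist(current, latest)
    print("add:   ", add)
    print("remove:", remove)
    print("198.51.100.10 allowed:", is_from_allowed_range("198.51.100.10", latest))
```

Run it on a cron schedule against the freshly downloaded file and treat a non-empty `remove` list as a signal to review before applying: a retired prefix is exactly the kind of change that causes intermittent federation failures weeks later.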