Source IP restoration
With a cloud based network proxy between users and their resources, the IP address that the resources see doesn't match the actual source IP address. In place of the end-users’ source IP, the resource endpoints see the cloud proxy as the source IP address. Customers with these cloud proxy solutions can't use this source IP information.
Source IP restoration in Global Secure Access (preview) allows backward compatibility for Microsoft Entra customers to continue using original user Source IP. Administrators can benefit from the following capabilities:
- Continue to enforce Source IP-based location policies across both Conditional Access and continuous access evaluation
- Identity Protection risk detections get a consistent view of original user Source IP address for assessing various risk scores.
- Original user Source IP is also made available in Microsoft Entra sign-in logs.
- Administrators who interact with Global Secure Access preview features must have both of the following role assignments depending on the tasks they're performing.
- The preview requires a Microsoft Entra ID P1 license. If needed, you can purchase licenses or get trial licenses.
- When source IP restoration is enabled, you can only see the source IP. The IP address of the Global Secure Access service isn't visible. If you want to see the Global Secure Access service IP address, disable source IP restoration.
Enable Global Secure Access signaling for Conditional Access
To enable the required setting to allow source IP restoration, an administrator must take the following steps.
- Sign in to the Microsoft Entra admin center as a Global Secure Access Administrator.
- Browse to Global Secure Access > Global settings > Session management > Adaptive Access.
- Select the toggle to Enable Global Secure Access signaling in Conditional Access.
This functionality allows services like Microsoft Graph, Microsoft Entra ID, SharePoint Online, and Exchange Online to see the actual source IP address.
If your organization has active Conditional Access policies based on IP location checks, and you disable Global Secure Access signaling in Conditional Access, you may unintentionally block targeted end-users from being able to access the resources. If you must disable this feature, first delete any corresponding Conditional Access policies.
Sign-in log behavior
To see source IP restoration in action, administrators can take the following steps.
- Sign in to the Microsoft Entra admin center as at least a Security Reader.
- Browse to Identity > Users > All users > select one of your test users > Sign-in logs.
- With source IP restoration enabled, you see IP addresses that include their actual IP address.
- If source IP restoration is disabled, you can't see their actual IP address.
Sign-in log data may take some time to appear, this delay is normal as there's some processing that must take place.
Your use of the Microsoft Entra Private Access and Microsoft Entra Internet Access preview experiences and features is governed by the preview online service terms and conditions of the agreement(s) under which you obtained the services. Previews may be subject to reduced or different security, compliance, and privacy commitments, as further explained in the Universal License Terms for Online Services and the Microsoft Products and Services Data Protection Addendum (“DPA”), and any other notices provided with the Preview.