
Source IP restoration

With a cloud-based network proxy between users and their resources, the IP address that the resources see doesn't match the user's actual source IP address. In place of the end user's source IP, the resource endpoints see the cloud proxy as the source IP address. Customers with these cloud proxy solutions therefore can't use the source IP information for controls such as IP location-based policies.

Source IP restoration in Global Secure Access preserves backward compatibility for Microsoft Entra customers, who can continue to use the original user source IP. Administrators can benefit from the following capabilities:

Prerequisites

Known limitations

When source IP restoration is enabled, you can only see the source IP. The IP address of the Global Secure Access service isn't visible. If you want to see the Global Secure Access service IP address, disable source IP restoration.

Source IP restoration is currently supported for only Microsoft traffic, like SharePoint Online, Exchange Online, Teams, and Microsoft Graph. If you have any IP location-based Conditional Access policies for non-Microsoft resources protected by continuous access evaluation (CAE), these policies aren’t evaluated at the resource as the source IP address isn’t known to the resource.

If you're using CAE's strict location enforcement, users are blocked despite being in a trusted IP range. To resolve this condition, follow one of these recommendations:

  • If you have IP location-based Conditional Access policies targeting non-Microsoft resources, don't enable strict location enforcement.
  • Ensure that the traffic is supported by Source IP Restoration, or don't send the relevant traffic through Global Secure Access.

Enable Global Secure Access signaling for Conditional Access

To enable the required setting to allow source IP restoration, an administrator must take the following steps.

  1. Sign in to the Microsoft Entra admin center as a Global Secure Access Administrator.
  2. Browse to Global Secure Access > Settings > Session management > Adaptive Access.
  3. Select the toggle to Enable Global Secure Access signaling in Conditional Access.

This functionality allows services like Microsoft Graph, Microsoft Entra ID, SharePoint Online, and Exchange Online to see the actual source IP address.

Screenshot showing the toggle to enable signaling in Conditional Access.

Caution

If your organization has active Conditional Access policies based on IP location checks and you disable Global Secure Access signaling in Conditional Access, you might unintentionally block the targeted end users from accessing those resources. If you must disable this feature, first delete any corresponding Conditional Access policies.

Sign-in log behavior

To see source IP restoration in action, administrators can take the following steps.

  1. Sign in to the Microsoft Entra admin center as at least a Security Reader.
  2. Browse to Identity > Users > All users > select one of your test users > Sign-in logs.
  3. With source IP restoration enabled, the sign-in events show the user's actual IP address.
    • If source IP restoration is disabled, the user's actual IP address isn't visible in the sign-in events.

Sign-in log data might take some time to appear; this delay is normal, as some processing must take place.

Screenshot of the sign-in logs showing events with source IP restoration on, then off, then on again.
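Checking one test user's sign-in logs by hand doesn't scale. The following script is an added example (not Microsoft's code or anything from this page) that classifies sign-in log records against your trusted egress ranges, so you can tell whether the actual user IP is visible (restoration on) or only a non-trusted address is visible (restoration off, or the user is genuinely off-network). The records, user name and CIDR range are constructed sample values; the record shape follows the Microsoft Graph signIn object's createdDateTime, userPrincipalName and ipAddress properties.

```python
"""Classify sign-in log entries for evidence of source IP restoration.

With source IP restoration enabled, sign-ins that traverse Global Secure
Access should show the user's real egress IP (for example, a trusted
corporate range) instead of the proxy's IP. The data below is constructed
sample data, not real log output.
"""
import ipaddress
import json

# Constructed sample: sign-ins for one test user, in time order, mirroring
# the "on, then off, then on again" sequence. One record lacks ipAddress.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2024-05-01T09:00:00Z", "userPrincipalName": "test.user@contoso.example", "ipAddress": "203.0.113.25"},
    {"createdDateTime": "2024-05-01T09:05:00Z", "userPrincipalName": "test.user@contoso.example", "ipAddress": "198.51.100.7"},
    {"createdDateTime": "2024-05-01T09:10:00Z", "userPrincipalName": "test.user@contoso.example", "ipAddress": "203.0.113.30"},
    {"createdDateTime": "2024-05-01T09:15:00Z", "userPrincipalName": "test.user@contoso.example"},
])

# Assumed trusted corporate egress ranges (what a trusted named location would hold).
TRUSTED_CIDRS = ["203.0.113.0/24"]


def classify_signins(signins_json, trusted_cidrs):
    """Return one dict per record with a 'restored' flag:
    True  -> logged IP is inside a trusted range (actual user IP visible)
    False -> logged IP is outside every trusted range (proxy IP, or off-network)
    None  -> no usable ipAddress on the record."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    results = []
    for rec in json.loads(signins_json):
        raw = rec.get("ipAddress")
        try:
            ip = ipaddress.ip_address(raw) if raw else None
        except ValueError:
            ip = None
        restored = None if ip is None else any(ip in n for n in nets)
        results.append({"time": rec["createdDateTime"], "user": rec["userPrincipalName"],
                        "ip": raw, "restored": restored})
    return results


def unrestored_ips(results):
    """IPs seen outside every trusted range. Review these before relying on
    IP location-based Conditional Access policies for the affected users."""
    return sorted({r["ip"] for r in results if r["restored"] is False})


if __name__ == "__main__":
    res = classify_signins(SAMPLE_SIGNINS, TRUSTED_CIDRS)
    for r in res:
        print(f'{r["time"]} {r["user"]} {r["ip"]} restored={r["restored"]}')
    print("IPs outside trusted ranges:", unrestored_ips(res))
```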