When you use cloud-based network proxy and SSE solutions, they abstract the original source IP of the user from the service that the user connects to. Instead, the service detects the user's IP address as the egress address of the cloud-based network proxy. While this abstraction helps with privacy-related concerns in consumer scenarios, not having the original source IP information makes it difficult to achieve enterprise security goals. For example, without an actual client egress IP address, you can't apply Microsoft Entra ID Conditional Access policies based on your organization's well-known IP addresses, and audit logs don't reflect accurate location information.
Source IP restoration is part of the Adaptive Access feature of Microsoft Entra Internet Access for Microsoft Services. Source IP restoration detects and securely communicates the original egress IP address of the end user to Microsoft Entra ID and Microsoft Graph, bringing the following benefits to your organization:
- You can continue to enforce IP-based location policies in Microsoft Entra ID Conditional Access.
- It improves the accuracy of Microsoft Entra ID Protection risk detections.
- It elevates your threat detection and response by recording accurate source IP in Microsoft Entra sign-in logs and in Microsoft Entra audit logs.
Note
To achieve source IP restoration for non-Microsoft apps, you must also configure Conditional Access policies and ensure traffic flows through a compliant network. For more information, see Enable compliant network check with Conditional Access.
Prerequisites
- Administrators who interact with Global Secure Access features must have both of the following role assignments depending on the tasks they're performing:
  - The Global Secure Access Administrator role to manage the Global Secure Access features.
  - The Conditional Access Administrator role to create and interact with Conditional Access policies.
- The product requires Microsoft Entra ID P1 licenses. For details, see the licensing section of What is Global Secure Access. If needed, you can purchase licenses or get trial licenses.
- You must enable the Microsoft Traffic Profile to use Source IP restoration.
Known limitations
For detailed information about known issues and limitations, see Known limitations for Global Secure Access.
Enable Global Secure Access signaling for Conditional Access
Note
Source IP restoration is now enabled by default for new tenants. If you enabled Global Secure Access features in your tenant before June 2025, you might need to explicitly enable source IP restoration.
To enable the required setting to allow source IP restoration, an administrator must take the following steps.
- Sign in to the Microsoft Entra admin center as a Global Secure Access Administrator.
- Browse to Global Secure Access > Settings > Session management > Adaptive Access.
- Select the toggle to Enable Conditional Access Signaling for Microsoft Entra ID.
By using this functionality, Microsoft Entra ID and Microsoft Graph receive the public egress source IP address of the user.
Caution
If your organization has active Conditional Access policies based on IP location checks, and you disable Global Secure Access signaling in Conditional Access, you might unintentionally block targeted end users from accessing the resources. If you must disable this feature, first delete any corresponding Conditional Access policies.
Sign-in log behavior
To see source IP restoration in action, administrators can take the following steps.
- Sign in to the Microsoft Entra admin center as at least a Security Reader.
- Browse to Entra ID > Users > select one of your test users > Sign-in logs.
- When you enable source IP restoration, you see IP addresses that include the user's actual IP address.
- When you disable source IP restoration, you can't see the user's actual IP address.
Sign-in log data might take some time to appear. This delay is normal because the data undergoes some processing before it appears.
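Before relying on IP-based location policies, you can check an export of sign-in records for entries that still show the proxy's egress address instead of the user's own. The following is an added example, not Microsoft code: the CIDR ranges and sign-in records are constructed (documentation address ranges), the function names are hypothetical, and the field names `ipAddress`, `userPrincipalName`, and `createdDateTime` are assumed to match the Microsoft Graph sign-in resource.

```python
import ipaddress
from collections import Counter

# Assumed inputs, constructed for illustration: the proxy's egress ranges and
# the organization's well-known egress ranges (documentation address space).
PROXY_EGRESS = ["198.51.100.0/24", "2001:db8:ffff::/48"]
ORG_EGRESS = ["203.0.113.0/24", "2001:db8:10::/48"]

# Constructed sign-in records; only the fields this check needs.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-07-01T08:00:00Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.25"},
    {"createdDateTime": "2025-07-01T08:05:00Z", "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7"},
    {"createdDateTime": "2025-07-01T08:09:00Z", "userPrincipalName": "carol@example.com", "ipAddress": "2001:db8:10::42"},
    {"createdDateTime": "2025-07-01T08:12:00Z", "userPrincipalName": "dave@example.com", "ipAddress": "192.0.2.90"},
    {"createdDateTime": "2025-07-01T08:15:00Z", "userPrincipalName": "erin@example.com", "ipAddress": ""},
]

def classify(ip_text, proxy_nets, org_nets):
    """Say which range the logged source IP falls in (IPv4 or IPv6)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparseable"          # empty or malformed value in the export
    if any(ip in net for net in proxy_nets):
        return "proxy_egress"         # the log shows the proxy, not the user
    if any(ip in net for net in org_nets):
        return "org_egress"           # matches a well-known organization range
    return "other"                    # restored address outside the known ranges

def review(signins, proxy_cidrs=PROXY_EGRESS, org_cidrs=ORG_EGRESS):
    """Count verdicts and list sign-ins that need a closer look."""
    proxy_nets = [ipaddress.ip_network(c) for c in proxy_cidrs]
    org_nets = [ipaddress.ip_network(c) for c in org_cidrs]
    counts, flagged = Counter(), []
    for rec in signins:
        ip_text = rec.get("ipAddress", "")
        verdict = classify(ip_text, proxy_nets, org_nets)
        counts[verdict] += 1
        if verdict in ("proxy_egress", "unparseable"):
            flagged.append((rec["userPrincipalName"], ip_text, verdict))
    return counts, flagged

if __name__ == "__main__":
    counts, flagged = review(SAMPLE_SIGNINS)
    print(dict(counts))
    for upn, ip_text, verdict in flagged:
        print(f"{verdict:13} {upn} {ip_text!r}")
```

Sign-ins flagged as `proxy_egress` are the ones an IP-based location policy would evaluate against the proxy's address rather than the user's.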