Applies to Dynamics 365 (online), version 9.x
Applies to Dynamics 365 (online), version 8.x

You can limit access to Dynamics 365 (online) to users with trusted IP addresses to reduce unauthorized access. When trusted IP address restrictions are set in a user’s profile and the user tries to log in from an untrusted IP address, access to Dynamics 365 (online) is blocked.


  • A subscription to Azure Active Directory Premium.

  • A federated or managed Azure Active Directory tenant.

  • Federated tenants require that multi-factor authentication (MFA) be enabled.

Additional security considerations

IP restriction is only enforced during user authentication. This is done by the Azure Active Directory Conditional Access capability. Dynamics 365 (online) sets a session timeout limit to balance protecting user data and the number of times users are prompted for their sign-in credentials. Trusted IP restriction for devices (including laptops) is not applied until the Dynamics 365 (online) session timeout expires.

For example, a trusted IP restriction is setup to only allow access to Dynamics 365 when users are working from a corporate office. When a Dynamics 365 user signs in into Dynamics 365 using their laptop from their office and establishes a Dynamics 365 session, the user can continue to access Dynamics 365 after leaving the office until the Dynamics 365 session timeout expires. This behavior also applies to mobile and offsite connections such as: Dynamics 365 for phones and tablets, and Dynamics 365 App for Outlook.

Create security group (optional)

You can restrict access to all Users or groups of users. It's more efficient to restrict by a group if only a subset of your Azure Active Directory (AAD) users are accessing Dynamics 365 (online).

  1. Sign in to your Azure portal.

  2. Click Browse > Active Directory, and then select your Dynamics 365 (online) directory.

  3. Click Groups > Add Group, and then fill in the settings to create a new group.

    Create a security group

  4. Click the group you created and add members.

    Add members to a restricted group

Create a location based access rule

Access restriction is set using Azure Active Directory (AD) Conditional Access. See Getting started with conditional access to Azure AD. You control Conditional Access through an access rule.


Setting Conditional Access is only available with an Azure Active Directory Premium license. Upgrade your Azure AD to a Premium license in the Office 365 admin center ( > Billing > Purchase services).

  1. Sign in to your Azure portal.

  2. Click Browse > Active Directory, and then select your Dynamics 365 (online) directory.

  3. Click Applications, and then click the Dynamics 365 Online web application.

    Select the Dynamics 365 (online) web app

  4. Click Configure.

    Configure Active Directory properties for Dynamics 365 (online) instance

  5. Set the following on the Properties page:

    1. Set Enable Access Rule to On.

    2. Optional: Set Apply to to Groups.

    3. Optional: Click Add Group to select a group.

    4. Set Rules to Block access when not at work.

      Set rule to Block access when not at work

    5. Click Save > OK.

    6. Click Click here to define/edit your work network location.

      Define or edit you work network location

  6. Enter trusted IP addresses (using CIDR notation).

    Enter trusted IP addresses

  7. Click Save.