Restrict access to CRM Online with trusted IP Rules

Applies To: Dynamics CRM Online

You can limit access to CRM Online to users with trusted IP addresses to reduce unauthorized access. When trusted IP address restrictions are set in a user’s profile and the user tries to log in from an untrusted IP address, access to CRM Online is blocked.

Requirements

  • A subscription to Azure Active Directory Premium.
  • A federated or managed Azure Active Directory tenant.
  • Federated tenants require that multi-factor authentication (MFA) be enabled.

Additional security considerations

IP restriction is only enforced during user authentication. This is done by the Azure Active Directory Conditional Access capability. CRM Online sets a session timeout limit to balance protecting user data and the number of times users are prompted for their sign-in credentials. Trusted IP restriction for devices (including laptops) is not applied until the CRM Online session timeout expires.

For example, a trusted IP restriction is set up to allow access to CRM only when users are working from a corporate office. When a CRM user signs in to CRM using their laptop from their office and establishes a CRM session, the user can continue to access CRM after leaving the office until the CRM session timeout expires. This behavior also applies to mobile and offsite connections such as CRM for phones and tablets and Dynamics CRM App for Outlook.

Create security group (optional)

You can restrict access to all users or to groups of users. It’s more efficient to restrict by group if only a subset of your Azure Active Directory (AAD) users is accessing CRM Online.

1. Sign in to your Azure portal.

2. Click Browse > Active Directory, and then select your CRM Online directory.

3. Click Groups > Add Group, and then fill in the settings to create a new group.


4. Click the group you created and add members.


Create a location based access rule

Access restriction is set using Azure Active Directory (AD) Conditional Access. See Getting started with conditional access to Azure AD. You control Conditional Access through an access rule.

Setting Conditional Access is only available with an Azure Active Directory Premium license. Upgrade your Azure AD to a Premium license in the Office 365 admin center ( > Billing > Purchase services).

1. Sign in to your Azure portal.

2. Click Browse > Active Directory, and then select your CRM Online directory.

3. Click Applications, and then click the Dynamics CRM Online web application.


4. Click Configure.


5. Set the following on the Properties page:

  • Set Enable Access Rule to On.
  • Optional: Set Apply to to Groups.
  • Optional: Click Add Group to select a group.
  • Set Rules to Block access when not at work.


  • Click Save > OK.
  • Click the "Click here to define/edit your work network location" link.


6. Enter trusted IP addresses (using CIDR notation) and click Save.
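The session-timeout caveat under Additional security considerations and the CIDR entry in step 6 can be checked together. The following is an added example, not part of the original page or of any Microsoft tooling: it validates trusted ranges and flags requests that arrive from untrusted addresses inside a session that was authenticated from a trusted one. The log layout, function names, sample addresses, and the 24-hour timeout are all assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample values (documentation address ranges, not from the page).
TRUSTED_CIDRS = ["203.0.113.0/24", "198.51.100.16/28"]
SESSION_TIMEOUT = timedelta(hours=24)  # assumed placeholder; use your tenant's value

# Constructed log: (user, ISO timestamp, source IP, event type)
EVENTS = [
    ("alice", "2016-05-02T08:55:00", "203.0.113.40", "signin"),
    ("alice", "2016-05-02T12:10:00", "203.0.113.40", "request"),
    ("alice", "2016-05-02T19:30:00", "192.0.2.77", "request"),   # left the office
    ("bob",   "2016-05-02T09:05:00", "198.51.100.20", "signin"),
    ("bob",   "2016-05-03T10:00:00", "192.0.2.90", "request"),   # session expired
]


def parse_trusted(cidrs):
    """Parse CIDR strings strictly; collect entries that have host bits set."""
    nets, errors = [], []
    for c in cidrs:
        try:
            nets.append(ipaddress.ip_network(c, strict=True))
        except ValueError as exc:
            errors.append((c, str(exc)))
    return nets, errors


def is_trusted(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def off_network_session_use(events, nets, timeout=SESSION_TIMEOUT):
    """Return requests made from untrusted IPs inside a session that was
    authenticated from a trusted IP and has not yet timed out."""
    sessions, findings = {}, []
    for user, ts, ip, kind in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        if kind == "signin":
            if is_trusted(ip, nets):
                sessions[user] = when
            else:
                sessions.pop(user, None)  # the access rule would block this sign-in
        elif kind == "request":
            start = sessions.get(user)
            if start and when - start < timeout and not is_trusted(ip, nets):
                findings.append((user, ts, ip))
    return findings
```

Findings from this check show how much off-network activity the session timeout permits, which helps when deciding whether the location rule alone meets your requirement.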
