Azure Active Directory SaaS App Gating

Let's configure Azure AD to only allow access to SaaS Applications when behind Twingate.

SaaS app gating with Twingate and Azure Active Directory enables you to require an authorized connection to a Twingate Connector as a prerequisite for IdP Auth to a SaaS Resource. This is similar in concept to IP whitelisting inside a SaaS app, but the IP check and approval/disapproval happens at the IdP Auth stage instead of being configured in the SaaS application directly.

Twingate Admin Console Prerequisites

As this use case is dependent on an IP address associated with one or more Twingate Connectors, the first step is to create a Twingate Resource associated with your organization’s Azure AD tenant URL (e.g. and associating that Resource with one or more Groups. Doing this means that authorized users attempting to authenticate through Azure AD will be coming from the exit IP address associated with the Twingate Remote Network used to enable connectivity to the new Resource. This is the IP address you’ll use as part of the Azure AD Conditional Access Policy configuration.

Create a Named Location for Azure AD

In the Azure AD Portal, you’ll first need to create a trusted “Named location” for the Twingate Remote Network.

Named locations are a type of Conditional Access in Azure AD. More information on creating and configuring Named locations is available in the Azure AD documentation.

When configuring the IP address for the new Named location, you need to use the address associated with the Connector(s) supporting the Remote Network. This is typically the IP address of a NAT gateway used by the Connectors for egress.

Create the Conditional Access Policy

To use the Named location that you created in the previous step, please follow the Azure AD documentation for setting a location condition. Chose the app(s) you’d like to restrict when defining the policy. When you select the type of location condition, choose Selected locations and the trusted Named location that you created in the previous step.

This rule ensures that attempts to access the assigned app(s) will only be allowed if the user is connected to Twingate with an authorized account that belongs to the correct Twingate Group.

Last updated 3 minutes ago