How to Configure SaaS App Gating with Microsoft Entra ID (formerly Azure Active Directory)

How to configure Microsoft Entra ID and Twingate to protect access to SaaS applications

SaaS app gating with Twingate and Microsoft Entra ID enables you to require an authorized connection to a Twingate Connector as a prerequisite for IdP Auth to a SaaS Resource. This is similar in concept to IP whitelisting inside a SaaS app, but the IP check and approval/disapproval happens at the IdP Auth stage instead of being configured in the SaaS application directly.

Twingate Admin Console Prerequisites

  • Add your IdP’s authentication FQDN as a Resource. As this use case depends on an IP address associated with one or more Twingate Connectors, the first step is to create a Twingate Resource for your organization’s Entra ID tenant URL or the generic login endpoint (e.g., tenant.office.com, login.microsoftonline.com) and associate that Resource with one or more Groups. Doing this means that authorized users attempting to authenticate through Entra ID will be coming from the exit IP address associated with the Twingate Remote Network used to enable connectivity to the new Resource. This is the IP address you’ll use as part of the Entra ID Conditional Access Policy configuration.

  • Apply a Device-only Policy to Your IdP Resource. A Device-only Resource Policy, when applied to the IdP Resource (e.g., tenant.office.com, login.microsoftonline.com), allows users to route traffic through the Connector to access the IdP login portal without authentication dependencies that can create access loops. This policy prevents the common “chicken-or-egg” scenario, where users can’t authenticate with the IdP because network access to the IdP portal requires prior authentication via Twingate. By allowing users to reach the IdP through a Device-only policy, they can meet sign-on requirements without encountering this authentication loop.

Create a Named Location for Entra ID

In the Entra ID Portal, you’ll first need to create a trusted “Named location” for the Twingate Remote Network.

Named locations are the objects referenced by the location condition in Entra ID Conditional Access. More information on creating and configuring Named locations is available in the Entra ID documentation.

When configuring the IP address for the new Named location, you need to use the address associated with the Connector(s) supporting the Remote Network. This is typically the IP address of a NAT gateway used by the Connectors for egress. If the Connectors egress through more than one address, every egress address (or CIDR range) must be included in the Named location, otherwise sign-ins from the unlisted Connectors will be treated as coming from an untrusted location.

Create the Conditional Access Policy

To use the Named location that you created in the previous step, please follow the Entra ID documentation for setting a location condition. Choose the app(s) you’d like to restrict when defining the policy. When you select the type of location condition, choose Selected locations and the trusted Named location that you created in the previous step.

This rule ensures that attempts to access the assigned app(s) will only be allowed if the user is connected to Twingate with an authorized account that belongs to the correct Twingate Group.
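The two Entra ID steps above (create the trusted Named location, then the Conditional Access policy that references it) can also be done from the Microsoft Graph PowerShell SDK. The block below is an added example written for this page; it is not Twingate’s or Microsoft’s own code. It assumes the Microsoft.Graph.Identity.SignIns module is installed, and every IP address, application ID, group ID and user ID in it is a placeholder to replace with values from your tenant. The policy is expressed in the form Conditional Access needs to enforce the rule described above: block sign-in to the gated app from all locations except the Twingate Named location (a Grant policy scoped only to the Named location would apply to sessions already arriving from the Connector and would not stop sign-ins from elsewhere).

```powershell
# Added example (not Twingate's or Microsoft's own code). Uses the Microsoft Graph
# PowerShell SDK (module Microsoft.Graph.Identity.SignIns). All IDs and IPs below
# are placeholders that must be replaced with values from your own tenant.

# 1. Sign in with the scopes needed to manage Conditional Access.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder inputs (replace before running).
$ConnectorEgressIp = "203.0.113.10/32"                         # NAT gateway / Connector egress IP of the Remote Network (placeholder)
$GatedAppId        = "00000000-0000-0000-0000-000000000000"    # Application (client) ID of the SaaS app to gate (placeholder)
$TwingateGroupId   = "11111111-1111-1111-1111-111111111111"    # Entra ID group mirroring the Twingate Group (placeholder)
$BreakGlassUserId  = "22222222-2222-2222-2222-222222222222"    # Emergency-access account kept out of the block (placeholder)

# 2. Create a trusted Named location holding the Connector egress address.
#    Add one ipRanges entry per egress address if the Connectors use several.
$namedLocationBody = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Twingate Remote Network egress"
    isTrusted     = $true
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = $ConnectorEgressIp
        }
    )
}
$namedLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $namedLocationBody

# 3. Create the Conditional Access policy: block the gated app from every
#    location EXCEPT the Twingate Named location. It starts in report-only
#    mode so the effect can be checked in the sign-in logs before enforcing.
$policyBody = @{
    displayName = "Gate SaaS app behind Twingate"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        applications = @{ includeApplications = @($GatedAppId) }
        users        = @{
            includeGroups = @($TwingateGroupId)
            excludeUsers  = @($BreakGlassUserId)
        }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($namedLocation.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody

# 4. Read both objects back to confirm what the tenant actually stored.
Get-MgIdentityConditionalAccessNamedLocation -NamedLocationId $namedLocation.Id |
    Select-Object Id, DisplayName
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object Id, DisplayName, State
```

Leave the policy in report-only mode until the Entra ID sign-in logs show that users connected to Twingate are evaluated as coming from the Named location and users who are not connected would have been blocked; then change `state` to `"enabled"`. The group scoping in the policy only limits which accounts the rule applies to; the check that a user holds an authorized Twingate account in the right Twingate Group is still done on the Twingate side, by whether they can reach the IdP Resource through the Connector at all.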
