SaaS app gating with Twingate and Microsoft Entra ID enables you to require an authorized connection to a Twingate Connector as a prerequisite for IdP Auth to a SaaS Resource. This is similar in concept to IP whitelisting inside a SaaS app, but the IP check and approval/disapproval happens at the IdP Auth stage instead of being configured in the SaaS application directly.

Twingate Admin Console Prerequisites

As this use case is dependent on an IP address associated with one or more Twingate Connectors, the first step is to create a Twingate Resource associated with your organization’s Entra ID tenant URL (e.g. mycompany.office.com) and associating that Resource with one or more Groups. Doing this means that authorized users attempting to authenticate through Entra ID will be coming from the exit IP address associated with the Twingate Remote Network used to enable connectivity to the new Resource. This is the IP address you’ll use as part of the Entra ID Conditional Access Policy configuration.

Create a Named Location for Entra ID

In the Entra ID Portal, you’ll first need to create a trusted “Named location” for the Twingate Remote Network.

Named locations are a type of Conditional Access in Entra ID. More information on creating and configuring Named locations is available in the Entra ID documentation.

When configuring the IP address for the new Named location, you need to use the address associated with the Connector(s) supporting the Remote Network. This is typically the IP address of a NAT gateway used by the Connectors for egress.

Create the Conditional Access Policy

To use the Named location that you created in the previous step, please follow the Entra ID documentation for setting a location condition. Chose the app(s) you’d like to restrict when defining the policy. When you select the type of location condition, choose Selected locations and the trusted Named location that you created in the previous step.

This rule ensures that attempts to access the assigned app(s) will only be allowed if the user is connected to Twingate with an authorized account that belongs to the correct Twingate Group.