Resolving Microsoft Entra CAE policies blocking Revenue Grid access¶

Issue¶
After Revenue Grid migrates to Nested App Authentication—due to Microsoft’s deprecation of legacy tokens—some Microsoft 365 users may experience an issue where the Sidebar gets stuck in an endless loading loop when opened.
Cause¶
This issue occurs because the new Microsoft Graph tokens used in Nested App Authentication trigger Continuous Access Evaluation (CAE) policies configured in Microsoft Entra ID.
If Revenue Grid infrastructure IPs are not added to the list of trusted locations and excluded from the relevant CAE policies, Microsoft Entra detects the new token activity as originating from an untrusted location. As a result, access is denied because the IP address falls outside the allowed range.
For more details on how Continuous Access Evaluation policies work, see Continuous access evaluation.
Resolution¶
To resolve the issue, a Microsoft Entra administrator must take the following steps in the Microsoft Azure portal:
- Add the required Revenue Grid infrastructure IP addresses to the IP ranges location list and mark them as trusted. See this section for instructions.
- Update all relevant Conditional Access policies to exclude All trusted networks and locations. See this section for instructions.
For the list of Revenue Grid IP addresses that must be allowed, see this section.
How to add IPs to the list of trusted locations¶
- Log in to the Microsoft Azure portal as a Microsoft 365 administrator.
-
Search for and select Microsoft Entra Conditional Access.
-
Go to Manage > Named locations, then click + IP ranges locations.
-
In the Name field, enter a descriptive name for the IP range.
-
Add the corresponding Revenue Grid IPs from the Revenue Grid IPs list, based on your data locality:
- Click the Plus icon ()
- In the Enter a new IPv4 or IPv6 range field paste the Revenue Grid IP.
- Click Add.
- Repeat for each IP.
-
Check Mark as trusted location.
-
Click Create.
The new location will appear in the Named locations list.
How to exclude trusted locations from the Conditional Access policies¶
- Log in to the Microsoft Azure portal as a Microsoft 365 administrator.
-
Search for and select Microsoft Entra Conditional Access.
-
Go to the Policies.
-
For each policy applied to users of Revenue Grid solutions:
- Open the policy.
-
Click the link in the Network section.
-
In the form that appears, click Exclude and select All trusted networks and locations.
d. In the bottom of the page, click Save.
After completing these steps, users will be able to access the Revenue Grid Sidebar without being blocked by Continuous Access Evaluation (CAE) policies.
Revenue Grid IPs list¶
IPs for US customers¶
Dedicated IPs for Central US:
20.221.113.244/31 mask
Dedicated IPs for Eastern US:
20.10.227.12/31 mask
IPs for EU customers¶
If you require EU-only data locality and have confirmed with the Revenue Grid team that your tenant has the Data Locality feature enabled, allow-list only the following dedicated EU IP ranges:
Dedicated IPs for Western Europe:
4.175.104.56/31 mask
Dedicated IPs for Northern Europe:
20.54.104.14/31 mask
IPs for Asia–Pacific customers¶
If you require EU-only data locality and have confirmed with the Revenue Grid team that your tenant has the Data Locality feature enabled, allow-list only the following dedicated EU IP ranges:
Dedicated IPs for Southeast Asia:
20.197.72.52/31 mask
Dedicated IPs for East Asia:
20.239.104.20/31 mask