Issue connecting Azure Sentinel GitHub app to Sentinel Instance when my organization’s GitHub IP allow list is enabled

[Jose-Rubio-BKU]

Hi everyone,

I’m running into an issue connecting the Azure Sentinel GitHub app to my Sentinel workspace in order to create our CI/CD pipelines for our detection rules, and I’m hoping someone can point me in the right direction.

Symptoms:

When configuring the GitHub connection in Sentinel, the repository dropdown does not populate.
There are no explicit errors, but the connection clearly isn’t completing.

If I disable my organization’s IP allow list, everything works as expected and the repos appear immediately.

I’ve seen that some GitHub Apps automatically add the IP ranges they require to an organization’s allow list. However, from what I can tell, the Azure Sentinel GitHub app does not seem to have this capability, and requires manual allow listing instead.

 

What I’ve tried / researched:

Reviewed Microsoft documentation for Sentinel ↔ GitHub integrations
Looked through Azure IP range and Service Tag documentation

I’ve seen recommendations to allow list the IP ranges published at //api.github.com/meta, as many GitHub apps rely on these ranges
I’ve already tried allow listing multiple ranges from the GitHub meta endpoint, but the issue persists

My questions:

Does anyone know which IP ranges are used by the Azure Sentinel GitHub app specifically?
Is there an official or recommended approach for using this integration in environments with strict IP allow lists?
Has anyone successfully configured this integration without fully disabling IP restrictions?

Any insight, references, or firsthand experience would be greatly appreciated. Thanks in advance!

[v-utpalkumar]

Hello @Jose-Rubio-BKU, I am able to see the repositories listed in the drop-down menu. I’m sharing the documentation link along with the step-by-step screenshots for your reference. Please review all the required prerequisites mentioned in the document and proceed with the configuration accordingly.

I hope I’ve understood your issue correctly and guided you in the right direction. Please follow the outlined process, and feel free to reach out if you’d like to discuss this further. Thank you!

Link: https://learn.microsoft.com/en-us/azure/sentinel/ci-cd?tabs=github#prerequisites

Screenshots:

[Jose-Rubio-BKU]

Hello @v-utpalkumar thank you for replying.

Just to clarify, I’m also able to see the repositories populate when the GitHub organization IP allow list is disabled. The issue I’m experiencing only occurs when the organization-level IP allow list is enabled.

For example, here you can see that the dropdown works and shows me the available repo's to connect. (This is when the allow list is disabled)

However, once I enable the IP Allow list setting in the GitHub organization it will stop working.

I believe the issue is I need to add the IP range the Azure-Sentinel GitHub app uses, but I have not been able to find it.

[v-utpalkumar]

Hello @Jose-Rubio-BKU, I’m looking into this and will get back to you with updates. Thank you!

[v-utpalkumar]

Hello @Jose-Rubio-BKU, I’ve looked into this, and based on my understanding, here are the current limitations and my recommendations. Please feel free to share your perspective in the discussion as well. I will review this internally with the team again and confirm with you before closing the issue. Thank you!

Limitation:
This occurs because, although authentication succeeds, Microsoft Sentinel relies on a Microsoft-hosted, multi-tenant backend service to call GitHub’s APIs and enumerate repositories, and these outbound calls originate from dynamic Azure service IPs that are neither published nor included in GitHub’s api.github.com/meta ranges. As a result, GitHub blocks the traffic under an active IP allow list, leading to a silent failure where no repositories are displayed. Allow-listing GitHub meta IPs does not resolve the issue because, while the Azure-Sentinel GitHub App exists in GitHub as an authorization mechanism, all repository and branch enumeration calls are executed from Microsoft-hosted Azure backend services rather than GitHub infrastructure. These outbound calls originate from dynamic Azure service IPs for which no documented IP range, service tag, or supported allow-listing mechanism currently exists.

Recommendation:
Consequently, there is no supported way today to use this integration with a strict GitHub organization IP allow list enabled, and the only functional approach—implicitly expected by Microsoft—is to disable the IP allow list and instead rely on GitHub App permissions, branch protection, CODEOWNERS, required reviews, and audit logging for security controls.