Restrict user access to Acrobat Sign using IP address ranges - New

Last updated on Jan 7, 2026

Alert

This article contains prerelease information. Release dates, features, and other information are subject to change without notice.

Control who can access Acrobat Sign by allowing only trusted IP address ranges for account users and integrations.

Allowed IP Ranges let administrators limit access to Adobe Acrobat Sign to trusted networks only. By allowing requests from known IP addresses and denying all others, you can reduce unauthorized access and enforce consistent security policies across your organization. This control applies before user authentication and helps protect regulated environments and critical roles. This setting does not affect the recipients of the agreement.

Why use IP allowlists

Allowed IP Ranges act as a deny-by-default gate in front of Acrobat Sign. A user or integration can sign in to the web application or call the API only when the request originates from an IP address included in the allowlist.

Reduce unauthorized access by limiting logins to known corporate networks.
Enforce a consistent access policy across all users in the account.
Pair with SSO and MFA for layered security.

Before you start

Work with your network team to collect the exact IP ranges you need. Use CIDR notation (for example, 203.0.113.0/24).
Plan to add administrator networks first so you don't lock yourself out.
Consider remote, emergency, or partner access and include those ranges as required.
Understand if you intend to use third-party applications (Salesforce, etc.) or the Acrobat Sign mobile applications (from a sender perspective).

Configuration

Availability:

Acrobat Standard and Acrobat Pro: Not Supported
Acrobat Sign Solutions: Supported
Acrobat Sign for Government: Not Supported

Access scope

Web UI: Requests from IPs outside the allowlist are denied with: “Your account cannot be accessed from this computer. Please contact your support staff.”
API: Allowed only when the “Allow these IP addresses to access the system via API” setting is on; if it’s off, API calls are denied—even from listed IPs.
Certified Applications: Major integrations (for example, Microsoft, Salesforce) are allowed by default.
- The Acrobat Sign mobile applications fall within the scope of Certified Applications and are impacted by the controls that allow or deny access to the Acrobat Sign service.
  Note that only connecting to Acrobat Sign as a user is impacted. Recipients are not.

Configuration scope:

Allowed IP Ranges can be configured at the account and group level.
- User access is defined by their primary group when group-level settings are applied.
Integrations (Microsoft Dynamics, Salesforce, and the like) are allowed by default.

The Security Settings page highlighting the "Allowed IP Ranges" set of controls.

There are three settings that determine whether IP restrictions apply to browser access, API requests, and API-based clients such as mobile applications and integrations.

Only allow access to the system from IP addresses that are listed below - Enables IP address restrictions and unlocks the allowlist configuration.
- If no IP ranges are listed when the page configuration is saved, this option is automatically cleared, and the feature is disabled.
- If this option is not enabled, IP address restrictions are not enforced, and any IP address can attempt to access the account through user authentication.
Only allow these IP addresses to access the system via API - Explicitly grants API access from the listed IP ranges.
- This option requires IP address restrictions to be enabled.
- If this option is not enabled, API requests are denied, even when the request originates from an allowed IP address.
Always allow API access from Certified Partner Application IP addresses - Allows certified applications to bypass API IP restrictions.
- This option requires API access to be enabled.
- When enabled, IP restrictions are not enforced for certified applications, including Acrobat Sign mobile applications.
- Certified Partner Applications include Acrobat Sign-developed integrations such as Salesforce and SharePoint.

To apply IP restrictions consistently across browser access, mobile applications, and integrations, API access must be enabled, and certified application bypass must not be allowed.

How to configure an allowed IP range

Coordinate with your network team to obtain the proper CIDR IP ranges before attempting to configure the allow list.
Be sure to allow the IP range you are currently working from first.

Log in to the Acrobat Sign portal as an administrator.
Navigate to Security Settings > Allowed IP Ranges.
Enable the Only allow access to the system from IP addresses that are listed below option by checking the box.
Select Add (+).
Enter the IP range using CIDR notation.
Save the entry.
Repeat these steps for each additional IP range.
Save the page configuration when finished.

All configured IP ranges are listed under the control set in a scrolling list. Up to two CIDR notations are exposed at once unless you select a new pagination option through the More options icon.

Allow IP Address controls highlighting the exposed two CIDR notations.

Manage the allowed IP ranges:

To search for a specific CIDR notation in the list of configured ranges, type the CIDR notation into the Search field.
As you type, the exposed IP ranges are filtered to show only ranges that match the string as you type it in.

The Allowed IP Ranges controls with the search field filled, and the resultant IP ranges displayed.

To edit a CIDR notation:

Search and find the CIDR notation.
Select the notation to be edited to expose the available actions above the notation list.
Select the Edit action.
The Edit interface opens, with the current CIDR notation highlighted.
Enter the new CIDR notation.
Save the notation when done.
There is no challenge to saving the edit.

To delete a CIDR notation:

Search and find the CIDR notation.
Select the notation to be edited to expose the available actions above the notation list.
Select the Delete action.

Alert

There is no challenge to deleting the notation.

Double-check that you are deleting the correct notation, and be sure you aren't deleting the notation allowing you to connect to the Acrobat Sign service.
It's entirely possible to configure the application in such a way as to deny all access from external sources.

Best practices

Treat the allowlist as a deny-by-default policy: only known ranges should be added.
Include contingency ranges for critical roles, if permitted by policy.
If implementing the change after deployment to end-users, communicate it in advance so they know how to request access if they are blocked.
If you restrict API access, review whether certified applications should bypass IP restrictions based on your usage and security requirements.

Manage and maintain

Review and update ranges when networks change (new offices, VPN changes, ISPs, or cloud egress).
Keep a documented source of truth for approved ranges.
Test with a small set of users before rolling out to a broader audience.
If users are blocked, verify their current public IP and add the correct range, or temporarily turn off the control and re-enable it after correction.

Impact and limitations

Restricting access by IP address can limit support for remote users unless their networks or VPN egress ranges are included.
This control affects access to the web application and the API.
Integrations are allowed by default unless explicitly configured otherwise through Acrobat Sign support.
It is possible to configure the account in a way that blocks all external access. Plan and test carefully.

Get help faster and easier

New user?