Administrative access to the Netskope tenant is restricted by the Allowlist, meaning administrators can only access the tenant if they are connecting from an IP address listed in the Allowlist. The Allowlist not only controls administrative access, but we have also noted that when attempts are made to establish REST API connections or calls to the tenant, these calls will fail if the IP address they originate from is not on the Allowlist.
There are instances where we want API calls from IP address ranges, but at the same time we do not want administrative access to the tenant being granted to these IP addresses.
Case in point: we are working with a Netskope SME to implement the Netskope Codeless Connector, which sits in Microsoft Sentinel. The connector ingests Netskope logs directly into Sentinel via REST API calls. Sentinel does not have its own IP address range, so it uses the Azure Public IP Addresses to make those API calls. These calls will fail because the IP address which the calls will originate from is not on the Allowlist, and we do not necessarily want to add those IP addresses to the Allowlist as well, hence the need for a separate mechanism/process to provide access.