How to enable Azure sync while restricting IP addresses (IP address access control)?

kiran18
Tera Contributor

Hello everyone,


We have enabled IP address restriction to restrict public IP addresses from accessing our ServiceNow instance. We created allow and deny rules and this is working as expected, but it is blocking the Azure AD user provisioning.

If someone has implemented this before, we need recommendations on how to allow Azure while restricting the other IP addresses.


Thanks in advance

3 Replies

Punit S
Giga Guru

Hi Kiran,


If you've enabled IP address restriction to restrict public IP addresses from accessing your ServiceNow instance, this could potentially block access for the Azure AD user provisioning service, which operates from a specific set of IP addresses. Here are some recommendations on how you can allow Azure AD user provisioning while still restricting other IP addresses:

  1. Identify the IP addresses used by the Azure AD user provisioning service: Microsoft publishes a list of IP addresses used by Azure services, including Azure AD. You can use this list to identify the IP addresses that need to be allowed to access your ServiceNow instance. The list is updated frequently, so make sure to check it regularly to ensure that you have the latest information.

  2. Create an allow rule for the Azure AD user provisioning IP addresses: In ServiceNow, go to "System Security > IP Address Filters" and create a new allow rule for the IP addresses used by Azure AD user provisioning. Make sure to specify the correct IP addresses and subnet masks in the rule.

  3. Create a deny rule for all other IP addresses: In ServiceNow, create a deny rule to block all other IP addresses from accessing your instance. This will ensure that only the specified Azure AD IP addresses are allowed.

  4. Test the configuration: After you've created the allow and deny rules, test the configuration to ensure that Azure AD user provisioning is working as expected and other IP addresses are blocked.

It's important to note that allowing access from a specific set of IP addresses may not be enough to secure your ServiceNow instance. You should also consider implementing other security measures, such as two-factor authentication and role-based access control, to further protect your instance from unauthorized access.

This is helpful, but the Azure Provisioning services contain IPv6 addresses, which we cannot whitelist in ServiceNow. Do we know how to work around this?