When connecting to an Azure SQL DB endpoint (somename.database.windows.net), your IP must be listed in that endpoint’s (server’s) firewall:
If you’re connecting to your Azure SQL DB from SQL Server Management Studio 2016 and your IP address is not in the list, SSMS will offer to add it:
You’ll need to sign in with a Microsoft Account or Azure AD account that has permissions to modify those firewall settings. That account’s default directory must be the directory that’s associated with the subscription where the Azure SQL DB server is created though. If it isn’t, you’ll get this error message:
An error occurred while creating a new firewall rule (HTTP Status Code 401)) (ConnectionDlg)
Which as you can see isn’t exactly telling you what the problem is.
How can you change your default directory? Apparently, that’s a feature that’s been requested for more than 2 years: https://feedback.azure.com/forums/223579-azure-portal/suggestions/6239996-choose-default-directory
Sven Aelterman 
how can I restrict to allow Ip addition to firewall rule from SSMS
Anuj, the ability to add or modify firewall rules for the logical SQL server depends on the user’s role assignment in Azure. Per the documentation, one needs to be a subscription owner or contributor to modify rules. See https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure#create-and-manage-ip-firewall-rules