Office 365 U.S. Government GCC High endpoints
Applies To: Office 365 Admin
Office 365 requires connectivity to the Internet. The endpoints below should be reachable for customers using Office 365 U.S. Government GCC High plans only.
Office 365 endpoints: Worldwide (including GCC) | Office 365 operated by 21 Vianet | Office 365 U.S. Government DoD | Office 365 U.S. Government GCC High
Notes | Download |
---|---|
Last updated: 08/29/2023 | Download: the full list in JSON format |
Start with Managing Office 365 endpoints to understand our recommendations for managing network connectivity using this data. Endpoints data is updated as needed at the beginning of each month, with new IP Addresses and URLs published 30 days in advance of being active. This lets customers who don't yet have automated updates complete their processes before new connectivity is required. Endpoints may also be updated during the month if needed to address support escalations, security incidents, or other immediate operational requirements. The data shown on this page below is all generated from the REST-based web services. If you're using a script or a network device to access this data, you should go to the Web service directly.
Endpoint data below lists requirements for connectivity from a user’s machine to Office 365. It does not include network connections from Microsoft into a customer network, sometimes called hybrid or inbound network connections.
The endpoints are grouped into four service areas. The first three service areas can be independently selected for connectivity. The fourth service area is a common dependency (called Microsoft 365 Common and Office) and must always have network connectivity.
Data columns shown are:
ID: The ID number of the row, also known as an endpoint set. This ID is the same as is returned by the web service for the endpoint set.
Category: Shows whether the endpoint set is categorized as “Optimize”, “Allow”, or “Default”. You can read about these categories and guidance for management of them at https://aka.ms/pnc. This column also lists which endpoint sets are required to have network connectivity. For endpoint sets which are not required to have network connectivity, we provide notes in this field to indicate what functionality would be missing if the endpoint set is blocked. If you're excluding an entire service area, the endpoint sets listed as required don't require connectivity.
ER: This is Yes if the endpoint set is supported over Azure ExpressRoute with Office 365 route prefixes. The BGP community that includes the route prefixes shown aligns with the service area listed. When ER is No, this means that ExpressRoute is not supported for this endpoint set. However, it should not be assumed that no routes are advertised for an endpoint set where ER is No. If you plan to use Azure AD Connect, read the special considerations section to ensure you have the appropriate Azure AD Connect configuration.
Addresses: Lists the FQDNs or wildcard domain names and IP Address ranges for the endpoint set. Note that an IP Address range is in CIDR format and may include many individual IP Addresses in the specified network.
Ports: Lists the TCP or UDP ports that are combined with the Addresses to form the network endpoint. You may notice some duplication in IP Address ranges where there are different ports listed.
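The following Python example is an addition to this page, not Microsoft's code. It shows how the Addresses and Ports columns combine into a match rule that an egress allow-list or log review can apply, including the case where the same IP ranges appear under different ports (IDs 7 and 31). The record field names and the `classify` helper are assumptions; wildcards are treated as covering subdomains only, consistent with the tables listing both `*.gov.teams.microsoft.us` and `gov.teams.microsoft.us`.

```python
import ipaddress

# Constructed records: three endpoint sets copied from this page's tables.
# The field names are assumptions that mirror the table columns.
TEAMS_NETS = ["52.127.88.0/21", "104.212.44.0/22", "195.134.228.0/22"]
ENDPOINT_SETS = [
    {"id": 9, "hosts": ["*.sharepoint.us"],
     "nets": ["20.34.8.0/22", "104.212.50.0/23",
              "2001:489a:2204:2::/63", "2001:489a:2204:800::/54"],
     "tcp": [443, 80], "udp": []},
    {"id": 7, "hosts": [], "nets": TEAMS_NETS,
     "tcp": [], "udp": [3478, 3479, 3480, 3481]},
    {"id": 31, "hosts": ["*.gov.skypeforbusiness.us",
                         "*.gov.teams.microsoft.us", "gov.teams.microsoft.us"],
     "nets": TEAMS_NETS, "tcp": [443, 80], "udp": []},
]


def host_matches(pattern, host):
    """Exact FQDN match; a '*.' pattern matches subdomains only."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".sharepoint.us": keeps the label boundary
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def addr_matches(cidr, dest):
    """True when dest is an IP literal inside the CIDR range."""
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        return False  # dest is a hostname, not an IP literal
    net = ipaddress.ip_network(cidr)
    return ip.version == net.version and ip in net


def classify(dest, proto, port):
    """IDs of endpoint sets where the address AND the port both match."""
    hits = []
    for es in ENDPOINT_SETS:
        if port not in es[proto]:  # proto is "tcp" or "udp"
            continue
        if (any(host_matches(h, dest) for h in es["hosts"])
                or any(addr_matches(n, dest) for n in es["nets"])):
            hits.append(es["id"])
    return hits
```

A destination that returns an empty list is outside the loaded endpoint sets; with the full published data loaded, such traffic is what a proxy or firewall review would flag for follow-up.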
Exchange Online
ID | Category | ER | Addresses | Ports |
---|---|---|---|---|
1 | Optimize Required | Yes | outlook.office365.us 20.35.208.0/20, 20.35.240.0/21, 40.66.16.0/21, 2001:489a:2200:100::/56, 2001:489a:2200:400::/56, 2001:489a:2200:600::/56 | TCP: 443, 80 |
4 | Default Required | Yes | attachments.office365-net.us, autodiscover.<tenant>.mail.onmicrosoft.com, autodiscover.<tenant>.mail.onmicrosoft.us, autodiscover.<tenant>.onmicrosoft.com, autodiscover.<tenant>.onmicrosoft.us, autodiscover-s.office365.us | TCP: 443, 80 |
5 | Default Required | Yes | outlook.office365.us | TCP: 143, 25, 587, 993, 995 |
6 | Allow Required | Yes | *.manage.office365.us, *.protection.office365.us, *.scc.office365.us, manage.office365.us, scc.office365.us 23.103.191.0/24, 23.103.199.128/25, 23.103.208.0/22, 52.227.182.149/32, 52.238.74.212/32, 52.244.65.13/32, 2001:489a:2202:4::/62, 2001:489a:2202:c::/62, 2001:489a:2202:2000::/63 | TCP: 25, 443 |
SharePoint Online and OneDrive for Business
ID | Category | ER | Addresses | Ports |
---|---|---|---|---|
9 | Optimize Required | Yes | *.sharepoint.us 20.34.8.0/22, 104.212.50.0/23, 2001:489a:2204:2::/63, 2001:489a:2204:800::/54 | TCP: 443, 80 |
10 | Default Required | No | *.wns.windows.com, admin.onedrive.us, g.live.com, oneclient.sfx.ms | TCP: 443, 80 |
20 | Default Required | No | *.svc.ms, az741266.vo.msecnd.net, spoprod-a.akamaihd.net, static.sharepointonline.com | TCP: 443, 80 |
Skype for Business Online and Microsoft Teams
ID | Category | ER | Addresses | Ports |
---|---|---|---|---|
7 | Optimize Required | Yes | 52.127.88.0/21, 104.212.44.0/22, 195.134.228.0/22 | UDP: 3478, 3479, 3480, 3481 |
21 | Default Required | No | msteamsstatics.blob.core.usgovcloudapi.net, statics.teams.microsoft.com, teamsapuiwebcontent.blob.core.usgovcloudapi.net | TCP: 443 |
31 | Allow Required | Yes | *.gov.skypeforbusiness.us, *.gov.teams.microsoft.us, gov.teams.microsoft.us 52.127.88.0/21, 104.212.44.0/22, 195.134.228.0/22 | TCP: 443, 80 |
Microsoft 365 Common and Office Online
ID | Category | ER | Addresses | Ports |
---|---|---|---|---|
11 | Allow Required | Yes | *.gov.online.office365.us 52.127.37.0/24, 52.127.82.0/23, 2001:489a:2208::/49 | TCP: 443 |
13 | Allow Required | Yes | *.auth.microsoft.us, *.gov.us.microsoftonline.com, graph.microsoft.us, graph.microsoftazure.us, login.microsoftonline.us 20.140.232.0/23, 52.126.194.0/23, 2001:489a:3500::/50 | TCP: 443 |
14 | Default Required | No | *.msauth.net, *.msauthimages.us, *.msftauth.net, *.msftauthimages.us, clientconfig.microsoftonline-p.net, graph.windows.net, login.microsoftonline.com, login.microsoftonline-p.com, login.windows.net, loginex.microsoftonline.com, login-us.microsoftonline.com, mscrl.microsoft.com, nexus.microsoftonline-p.com, secure.aadcdn.microsoftonline-p.com | TCP: 443 |
15 | Default Required | No | officehome.msocdn.us, prod.msocdn.us | TCP: 443, 80 |
16 | Allow Required | Yes | portal.office365.us, www.office365.us 52.227.170.242/32 | TCP: 443, 80 |
17 | Allow Required | Yes | *.osi.office365.us, gcchigh.loki.office365.us, tasks.office365.us 52.127.240.0/20, 2001:489a:2206::/48 | TCP: 443 |
18 | Default Required | No | *.office.delivery.microsoft.com, activation.sls.microsoft.com, crl.microsoft.com, go.microsoft.com, insertmedia.bing.office.net, mrodevicemgr.officeapps.live.com, ocsa.officeapps.live.com, ocsredir.officeapps.live.com, ocws.officeapps.live.com, office15client.microsoft.com, officecdn.microsoft.com, officecdn.microsoft.com.edgesuite.net, officepreviewredir.microsoft.com, officeredir.microsoft.com, ols.officeapps.live.com, r.office.microsoft.com | TCP: 443, 80 |
19 | Default Required | No | cdn.odc.officeapps.live.com, odc.officeapps.live.com, officeclient.microsoft.com | TCP: 443, 80 |
23 | Default Required | No | *.office365.us | TCP: 443, 80 |
24 | Default Required | No | lpcres.delve.office.com | TCP: 443 |
25 | Default Required | No | *.cdn.office.net | TCP: 443 |
26 | Allow Required | Yes | *.compliance.microsoft.us, *.security.microsoft.us, compliance.microsoft.us, scc.office365.us, security.microsoft.us 52.127.240.0/20, 52.227.182.149/32, 52.244.65.13/32 | TCP: 443, 80 |
28 | Default Required | No | activity.windows.com, gcc-high.activity.windows.us | TCP: 443 |
29 | Default Required | No | gcch-mtis.cortana.ai | TCP: 443 |
30 | Default Required | No | *.aadrm.us, *.informationprotection.azure.us | TCP: 443 |
32 | Default Required | No | tb.events.data.microsoft.com, tb.pipe.aria.microsoft.com | TCP: 443, 80 |
Notes for this table:
The Security and Compliance Center (SCC) provides support for Azure ExpressRoute for Office 365. The same applies for many features exposed through the SCC such as Reporting, Auditing, eDiscovery (Premium), Unified DLP, and Data Governance. Two specific features, PST Import and eDiscovery Export, currently don't support Azure ExpressRoute with only Office 365 route filters due to their dependency on Azure Blob Storage. To consume those features, you need separate connectivity to Azure Blob Storage using any supportable Azure connectivity options, which include Internet connectivity or Azure ExpressRoute with Azure Public route filters. You have to evaluate establishing such connectivity for both of those features. The Office 365 Information Protection team is aware of this limitation and is actively working to bring support for Azure ExpressRoute for Office 365 as limited to Office 365 route filters for both of those features.
There are additional optional endpoints for Microsoft 365 Apps for enterprise that are not listed and are not required for users to launch Microsoft 365 Apps for enterprise applications and edit documents. Optional endpoints are hosted in Microsoft data centers and don't process, transmit, or store customer data. We recommend that user connections to these endpoints be directed to the default Internet egress perimeter.