MS Teams Notification Service Source IP Addresses

Devadas Patil 0 Reputation points
2023-03-22T23:34:19.9166667+00:00

Hello,

We would like to set up a firewall for an MS Teams Notification webhook. The intent is to allow packets from MS Teams and reject other sources.

  1. Do you support a Virtual IP Address that we could use as the source IP address for traffic originating from the MS Teams Notification Service that sends call record CREATED events when MS Teams meetings conclude? If not, do you publish known static IP addresses I could use? I did find https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#skype-for-business-online-and-microsoft-teams but I am not sure which one to use for the call record CREATED event use case noted above, and whether they are Virtual IP Addresses.
  2. Is there a better way (domain name filters, etc.?) to implement a firewall at the Application Layer or Network Layer, from your experience in supporting other MS Teams customers?

Thanks,

Devadas


1 answer

  1. SokiGuo-MSFT 26,766 Reputation points Microsoft Vendor
    2023-03-24T07:27:43.5733333+00:00

    Hi @Devadas Patil

    Kindly note that the Microsoft Q&A forum mainly focuses on Teams general usage questions. Since your question is about Teams development, the following is for reference only:


    An example script of the Microsoft Teams Firewall PowerShell script is available in the official documentation:

    Sample script - Microsoft Teams firewall PowerShell script.

    <#
    .SYNOPSIS
       Creates firewall rules for Teams.
    .DESCRIPTION
       (c) Microsoft Corporation 2018. All rights reserved. Script provided as-is without any warranty of any kind. Use it freely at your own risks.
       Must be run with elevated permissions. Can be run as a GPO Computer Startup script, or as a Scheduled Task with elevated permissions.
       The script will create a new inbound firewall rule for each user folder found in c:\users.
       Requires PowerShell 3.0.
    #>
    
    #Requires -Version 3
    
    $users = Get-ChildItem (Join-Path -Path $env:SystemDrive -ChildPath 'Users') -Exclude 'Public', 'ADMINI~*'
    if ($null -ne $users) {
        foreach ($user in $users) {
            $progPath = Join-Path -Path $user.FullName -ChildPath "AppData\Local\Microsoft\Teams\Current\Teams.exe"
            if (Test-Path $progPath) {
                if (-not (Get-NetFirewallApplicationFilter -Program $progPath -ErrorAction SilentlyContinue)) {
                    $ruleName = "Teams.exe for user $($user.Name)"
                    "UDP", "TCP" | ForEach-Object { New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Profile Domain -Program $progPath -Action Allow -Protocol $_ }
                    Clear-Variable ruleName
                }
            }
            Clear-Variable progPath
        }
    }
    

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
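An application-layer form of the source-address check the question asks about, added here as an example that is not part of the original thread or of Microsoft's script. The record shape (`serviceArea`, `ips`), the "Teams" label and the address ranges are constructed assumptions, not published Microsoft data.

```python
import ipaddress

# Constructed sample records using documentation-only ranges.
# The field names and the "Teams" label are assumptions of this example.
SAMPLE_RECORDS = [
    {"serviceArea": "Teams", "ips": ["192.0.2.0/24", "2001:db8::/32"]},
    {"serviceArea": "Exchange", "ips": ["198.51.100.0/24"]},
    {"serviceArea": "Teams", "urls": ["*.example.invalid"]},  # no "ips" key
]


def build_allowlist(records, service_area):
    """Collect the CIDR ranges listed for one service area."""
    nets = []
    for rec in records:
        if rec.get("serviceArea") != service_area:
            continue
        for cidr in rec.get("ips", []):
            # strict=True rejects entries with host bits set (likely typos).
            nets.append(ipaddress.ip_network(cidr, strict=True))
    return nets


def is_allowed(source, allowlist):
    """Return True only if `source` is a literal IP inside an allowed range."""
    try:
        addr = ipaddress.ip_address(source.strip())
    except (ValueError, AttributeError):
        return False  # fail closed: header lists, hostnames, None, etc.
    # A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d; unwrap them
    # so they are compared against the IPv4 ranges.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in allowlist)


if __name__ == "__main__":
    allow = build_allowlist(SAMPLE_RECORDS, "Teams")
    for peer in ["192.0.2.10", "::ffff:192.0.2.10", "198.51.100.7", "not-an-ip"]:
        print(peer, "->", "allow" if is_allowed(peer, allow) else "reject")
```

Pass the peer address of the TCP connection as `source`, not a client-supplied header value.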


