Which virtual network service tag covers login.microsoftonline.com?

Question

Which virtual network service tag covers login.microsoftonline.com?

Waldemar Litke 0

I'd like to login via the Microsoft website "login.microsoftonline.com" on a virtual machine hosted in Azure.

By default all inbound and outbound traffic is blocked via network security group rules. I read somewhere that adding an outgoing rule with destination service tag "AzureActiveDirectory" would allow the usage of the mentioned website but unfortunately it doesn't cover all consumed domains. The browser developer tools show during the login that domains like "aadcdn.msftauth.net" and "aadcdn.msauth.net" are used as well but they are still blocked.

Does anyone has an idea which destinationservice tag(s) (overview of all tags: https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview) must be allowed being able to use the mentioned website? For cost reasons there's currently no "real" firewall in place wherefore I need to solve this issue with network security group rules based on IP addresses instead of using domain names.

Last remark: The network connection works fine in general. If I create a rule with destination service tag "Internet" everything works as expected but of course this is not an option. Only particular websites should be allowed.

Update 1: I forgot to mention that the destination service tag "AzureCloud" was also already allowed.

2 answers

Your answer

Answer 1

Hello Waldemar Litke,

It seems AzureActiveDirectory, AzureActiveDirectory.ServiceEndpoint and AzureCloud.

Let me explain you how I concluded this.

I resolved login.microsoftonline.com:

# nslookup login.microsoftonline.com
Server:         168.63.129.16
Address:        168.63.129.16#53

Non-authoritative answer:
login.microsoftonline.com       canonical name = login.mso.msidentity.com.
login.mso.msidentity.com        canonical name = ak.privatelink.msidentity.com.
ak.privatelink.msidentity.com   canonical name = www.tm.ak.prd.aadg.trafficmanager.net.
Name:   www.tm.ak.prd.aadg.trafficmanager.net
Address: 20.190.159.75
Name:   www.tm.ak.prd.aadg.trafficmanager.net
Address: 40.126.31.67
Name:   www.tm.ak.prd.aadg.trafficmanager.net
Address: 20.190.159.71
Name:   www.tm.ak.prd.aadg.trafficmanager.net
Address: 20.190.159.0
Name:   www.tm.ak.prd.aadg.trafficmanager.net
Address: 40.126.31.71
Name:   www.tm.ak.prd.aadg.trafficmanager.net
Address: 20.190.159.4
Name:   www.tm.ak.prd.aadg.trafficmanager.net
Address: 20.190.159.73
Name:   www.tm.ak.prd.aadg.trafficmanager.net
Address: 40.126.31.73
Name:   www.tm.ak.prd.aadg.trafficmanager.net
Address: 2603:1027:1:158::8
Name:   www.tm.ak.prd.aadg.trafficmanager.net
Address: 2603:1027:1:158::a
Name:   www.tm.ak.prd.aadg.trafficmanager.net
Address: 2603:1026:3000:148::7
Name:   www.tm.ak.prd.aadg.trafficmanager.net
Address: 2603:1026:3000:148::10
Name:   www.tm.ak.prd.aadg.trafficmanager.net
Address: 2603:1026:3000:150::5
Name:   www.tm.ak.prd.aadg.trafficmanager.net
Address: 2603:1026:3000:150::8
Name:   www.tm.ak.prd.aadg.trafficmanager.net
Address: 2603:1026:3000:150::a
Name:   www.tm.ak.prd.aadg.trafficmanager.net
Address: 2603:1027:1:158::2

I searched in https://www.microsoft.com/en-us/download/details.aspx?id=56519 the ranges that some of the above IPs are part of and the associated service tag.

Please test and let me know the outcome.

Hopefully this is what you are looking for! If you have additional questions, please let us know in the comments.

If this has been helpful, please take a moment to accept answers as this helps increase visibility of this question for other members of the Microsoft Q&A community. Thank you for helping to improve Microsoft Q&A!

Waldemar Litke 0 Reputation points

2023-06-22T09:49:27.51+00:00

<deleted>
Waldemar Litke 0 Reputation points

2023-06-22T09:56:19.9233333+00:00

Hey @Andrei Barbu, thank you very much for your quick and very comprehensive reply. I forgot to mention that the destination service tag "AzureCloud" is also already in place. Sorry for that gap.

Since service tag "AzureActiveDirectory" is already in use the only missing service tag is "AzureActiveDirectory.ServiceEndpoint". Unfortunately this one doesn't seem to exist. At least there's no option to chose in the Azure portal and the tag is also not mentioned in the official overview service tag overview https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview.

In general the usage of the "nslookup" command in combination with the website https://www.microsoft.com/en-us/download/details.aspx?id=56519 is a great approach to find suitable service tags. Thanks for pointing that out!

Unfortunately in this particular case further connections to further domains are establed under the hood.
Andrei Barbu 2,596 Reputation points Microsoft Employee

2023-06-22T10:04:59.4966667+00:00

I can see AzureActiveDirectory.ServiceEndpoint cannot be chosen, not sure if it's included in AzureActiveDirectory and that's why. Maybe someone else will provide more clarifications and if not, opening a support request may be helpful.

Answer 2

Waldemar Litke 0

With the help of Wireshark I was able to find out which IP addresses are consumed and with the service tag overview (https://www.microsoft.com/en-us/download/details.aspx?id=56519) I could find the needed service tags to accomplish a login via "login.microsoftonline.com".

Following outgoing rules work for my case:

AzureCloud - Tcp 443
AzureActiveDirectory - Tcp 443
AzureFrontDoor.Frontend - Tcp 443

Remark: If company infrastructure is involved to perform authentication, those resources must be allowed as well.

GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-06-26T07:01:23.3+00:00

@Waldemar Litke , I see that you were able to find the relevant service tags for your requirement. Thank you for sharing the solution and your continued contribution on Q&A.

Share via

Which virtual network service tag covers login.microsoftonline.com?

2 answers

Your answer