Which virtual network service tag covers login.microsoftonline.com?

Waldemar Litke 0 Reputation points
2023-06-22T08:50:41.4133333+00:00

I'd like to login via the Microsoft website "login.microsoftonline.com" on a virtual machine hosted in Azure.

By default all inbound and outbound traffic is blocked via network security group rules. I read somewhere that adding an outgoing rule with destination service tag "AzureActiveDirectory" would allow the usage of the mentioned website but unfortunately it doesn't cover all consumed domains. The browser developer tools show during the login that domains like "aadcdn.msftauth.net" and "aadcdn.msauth.net" are used as well but they are still blocked.

Does anyone have an idea which destination service tag(s) (overview of all tags: https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview) must be allowed to be able to use the mentioned website? For cost reasons there's currently no "real" firewall in place, so I need to solve this issue with network security group rules based on IP addresses instead of using domain names.

Last remark: The network connection works fine in general. If I create a rule with destination service tag "Internet" everything works as expected but of course this is not an option. Only particular websites should be allowed.

Update 1: I forgot to mention that the destination service tag "AzureCloud" was also already allowed.


2 answers

  1. Andrei Barbu 2,596 Reputation points Microsoft Employee
    2023-06-22T09:16:05.7866667+00:00

    Hello Waldemar Litke,

    It seems AzureActiveDirectory, AzureActiveDirectory.ServiceEndpoint and AzureCloud.

    Let me explain to you how I concluded this.

    I resolved login.microsoftonline.com:

    # nslookup login.microsoftonline.com
    Server:         168.63.129.16
    Address:        168.63.129.16#53
    
    Non-authoritative answer:
    login.microsoftonline.com       canonical name = login.mso.msidentity.com.
    login.mso.msidentity.com        canonical name = ak.privatelink.msidentity.com.
    ak.privatelink.msidentity.com   canonical name = www.tm.ak.prd.aadg.trafficmanager.net.
    Name:   www.tm.ak.prd.aadg.trafficmanager.net
    Address: 20.190.159.75
    Name:   www.tm.ak.prd.aadg.trafficmanager.net
    Address: 40.126.31.67
    Name:   www.tm.ak.prd.aadg.trafficmanager.net
    Address: 20.190.159.71
    Name:   www.tm.ak.prd.aadg.trafficmanager.net
    Address: 20.190.159.0
    Name:   www.tm.ak.prd.aadg.trafficmanager.net
    Address: 40.126.31.71
    Name:   www.tm.ak.prd.aadg.trafficmanager.net
    Address: 20.190.159.4
    Name:   www.tm.ak.prd.aadg.trafficmanager.net
    Address: 20.190.159.73
    Name:   www.tm.ak.prd.aadg.trafficmanager.net
    Address: 40.126.31.73
    Name:   www.tm.ak.prd.aadg.trafficmanager.net
    Address: 2603:1027:1:158::8
    Name:   www.tm.ak.prd.aadg.trafficmanager.net
    Address: 2603:1027:1:158::a
    Name:   www.tm.ak.prd.aadg.trafficmanager.net
    Address: 2603:1026:3000:148::7
    Name:   www.tm.ak.prd.aadg.trafficmanager.net
    Address: 2603:1026:3000:148::10
    Name:   www.tm.ak.prd.aadg.trafficmanager.net
    Address: 2603:1026:3000:150::5
    Name:   www.tm.ak.prd.aadg.trafficmanager.net
    Address: 2603:1026:3000:150::8
    Name:   www.tm.ak.prd.aadg.trafficmanager.net
    Address: 2603:1026:3000:150::a
    Name:   www.tm.ak.prd.aadg.trafficmanager.net
    Address: 2603:1027:1:158::2
    

    I searched in https://www.microsoft.com/en-us/download/details.aspx?id=56519 the ranges that some of the above IPs are part of and the associated service tag.

    Please test and let me know the outcome.

    Hopefully this is what you are looking for! If you have additional questions, please let us know in the comments.

    If this has been helpful, please take a moment to accept answers as this helps increase visibility of this question for other members of the Microsoft Q&A community. Thank you for helping to improve Microsoft Q&A!


  2. Waldemar Litke 0 Reputation points
    2023-06-23T10:09:07.2766667+00:00

    With the help of Wireshark I was able to find out which IP addresses are consumed and with the service tag overview (https://www.microsoft.com/en-us/download/details.aspx?id=56519) I could find the needed service tags to accomplish a login via "login.microsoftonline.com".

    The following outgoing rules work for my case:

    • AzureCloud - Tcp 443
    • AzureActiveDirectory - Tcp 443
    • AzureFrontDoor.Frontend - Tcp 443

    Remark: If company infrastructure is involved to perform authentication, those resources must be allowed as well.
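Both answers follow the same manual procedure: resolve the host, look each address up in the "Azure IP Ranges and Service Tags" JSON, and note which tags an NSG outbound rule has to reference. The checker below is an added example (not code from this thread or from Microsoft) that automates that lookup and reports the addresses an allow list of tags would still leave blocked; the JSON excerpt is constructed in the shape of the real download (values[].name, values[].properties.addressPrefixes) with illustrative prefixes, so point it at the current file from https://www.microsoft.com/en-us/download/details.aspx?id=56519 for real checks.

```python
import ipaddress
import json

# Constructed excerpt in the shape of the Service Tags download. The prefixes
# are illustrative only; load the current JSON file for an authoritative check.
SERVICE_TAGS_JSON = """
{
  "cloud": "Public",
  "values": [
    {"name": "AzureActiveDirectory",
     "properties": {"addressPrefixes":
       ["20.190.128.0/18", "40.126.0.0/18", "2603:1026:3000::/48"]}},
    {"name": "AzureCloud",
     "properties": {"addressPrefixes":
       ["20.190.128.0/18", "40.126.0.0/18", "2603:1026:3000::/48", "2603:1027:1::/48"]}},
    {"name": "AzureFrontDoor.Frontend",
     "properties": {"addressPrefixes": ["13.107.246.0/24"]}}
  ]
}
"""


def load_tags(doc: str) -> dict:
    """Map each service tag name to its parsed IPv4/IPv6 networks."""
    tags = {}
    for entry in json.loads(doc)["values"]:
        prefixes = entry["properties"]["addressPrefixes"]
        tags[entry["name"]] = [ipaddress.ip_network(p) for p in prefixes]
    return tags


def tags_for_ip(ip: str, tags: dict) -> list:
    """Service tags whose ranges contain ip (works for IPv4 and IPv6)."""
    addr = ipaddress.ip_address(ip)
    return sorted(name for name, nets in tags.items() if any(addr in n for n in nets))


def uncovered(ips: list, allowed_tags: list, tags: dict) -> list:
    """Addresses that no allowed tag covers, i.e. still blocked by the NSG."""
    unknown = [t for t in allowed_tags if t not in tags]
    if unknown:  # a typo in a tag name must not silently pass as "covered"
        raise ValueError(f"unknown service tag(s): {unknown}")
    allowed = {t: tags[t] for t in allowed_tags}
    return [ip for ip in ips if not tags_for_ip(ip, allowed)]


if __name__ == "__main__":
    tags = load_tags(SERVICE_TAGS_JSON)
    # Addresses taken from the nslookup output above plus one constructed CDN IP.
    seen = ["20.190.159.75", "40.126.31.67", "2603:1027:1:158::8", "13.107.246.10"]
    for ip in seen:
        print(ip, "->", tags_for_ip(ip, tags) or "NOT COVERED")
    print("still blocked:", uncovered(seen, ["AzureActiveDirectory"], tags))
```

Feed it the address list captured with Wireshark or the browser developer tools; any address that comes back uncovered is one the current rule set blocks.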

