GCC High Endpoints - Intune, Azure, 365, Defender

Phil M 60 Reputation points

I have an environment with a very restrictive Azure Firewall ruleset in place. The idea is to deny by default.

This environment is comprised of some Azure VDIs, the Azure Firewall, Azure, Microsoft 365, Intune, and Defender. All is GCC High.

With the firewall rules enabled, the devices will not properly check into Intune, among other issues.

This seems to be despite the fact that we believe we found the proper article for Intune GCC High Endpoints.

Two questions:

  1. For the firewall rules in a deny-by-default setup, do we need to follow 5 separate articles (Azure, O\M365, Intune, Defender, etc.)
  2. Is it preferred to use the articles, or the .JSON files? Do they contain the same IPs and FQDNs?

Essentially, where is the definitive list(s) of how\what to open for proper functioning of all these related services?

I think I'm finding the wrong or incomplete articles.


Microsoft 365
Microsoft 365
Formerly Office 365, is a line of subscription services offered by Microsoft which adds to and includes the Microsoft Office product line.
3,391 questions
Microsoft Intune Configuration
Microsoft Intune Configuration
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Configuration: The process of arranging or setting up computer systems, hardware, or software.
1,653 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
18,709 questions
0 comments No comments
{count} votes

Accepted answer
  1. Crystal-MSFT 40,706 Reputation points Microsoft Vendor

    @Phil M, Thanks for posting in Q&A. Based as I know, the services you mentioned (Azure, Microsoft 365, Intune, Defender, etc.) will have their own required endpoints that need to be accessible for proper functioning, as specified by Microsoft. Therefore, you will need to review each service's documentation to determine the required endpoints to add to your Azure Firewall ruleset. In a deny-by-default setup, it is critical to follow these articles to make sure necessary traffic is not being blocked.

    For Intune, the following article lists IP addresses and port settings needed for proxy settings in your Microsoft Intune deployments. Please ensure they will not be blocked by your firewall rule:


    Hope the above information can help.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Phil M 60 Reputation points

    Thank you. I must find the GCC-High articles, which should not be a problem.