Azure SSO - Minimum firewall rules required?

Jordan 1 Reputation point
2021-03-09T16:23:43.507+00:00

Hello,

I have an isolated network with no internet access that presently authenticates to resources they need via AD FS. We're in the process of migrating all of our SSO relationships to Azure AD, and so I need to provide the minimum level of internet access required for this network to reach Azure's SAML authentication services in order to migrate.

I'm able to permit this access via URLs or IP ranges, but just can't figure out what they should be. All of the documentation I've managed to find lists all of the URLs and IPs required for full O365/Azure access, but I haven't found any that speak to just the SAML authentication services.

In packet captures I can see that the following are used:

  • login.microsoftonline.com
  • aadcdn.msauthimages.net
  • login.live.com

I'd rather not gamble that Microsoft won't add any new domains to that list though, and would prefer to make this exception based on official documentation, if available.

Does anyone know if such a list of IPs/URLs exists?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.