Network configuration for Microsoft Managed Desktop

Proxy configuration

Microsoft Managed Desktop is a cloud-managed service. There's a set of endpoints that the Microsoft Managed Desktop services need to be able to reach. This section lists the endpoints that need to be allowed for the various aspects of the Microsoft Managed Desktop service.

Customers can optimize their network by sending all trusted Microsoft 365 network requests directly through their firewall or proxy. Doing so bypasses authentication and all additional packet-level inspection or processing, which reduces latency and your perimeter capacity requirements.

Also, to optimize performance for Microsoft Managed Desktop cloud-based services, these endpoints need special handling by customer client browsers, and the devices in their edge network. These devices include:

  • Firewalls
  • SSL Break and Inspect
  • Packet inspection devices
  • Data loss prevention systems

Proxy requirement

The proxy or firewall must support TLS 1.2. Otherwise, you might have to disable protocol detection.

Allowed endpoints that are necessary for Microsoft Managed Desktop

Microsoft Managed Desktop uses the Azure portal to host its web console. The following URLs must be on the allowed list of your proxy and firewall so that Microsoft Managed Desktop devices can communicate with Microsoft Services.

The Microsoft Managed Desktop URL is used for anything our service runs on the customer API. You must ensure this URL is always accessible on your corporate network.

Microsoft service | URLs required on allowlist

Microsoft Managed Desktop:
mmdcustomer.microsoft.com
logcollection.mmd.microsoft.com
mmdls.microsoft.com
support.mmd.microsoft.com

Get Help:
*.support.services.microsoft.com
inprod.support.services.microsoft.com
supportchannels.services.microsoft.com
graph.windows.net
login.windows.net
prod-mwaas-services-customerapi.azurewebsites.net
concierge.live.com

Quick Assist:
remoteassistance.support.services.microsoft.com
relay.support.services.microsoft.com
channelwebsdks.azureedge.net
web.vortex.data.microsoft.com
gateway.channelservices.microsoft.com
*.lync.com

Microsoft Support and Recovery Assistant:
*.apibasic.diagnostics.office.com
*.api.diagnostics.office.com

Allowed endpoints used by other Microsoft products

There are URLs from several Microsoft products that must be in the allowed list so that Microsoft Managed Desktop devices can communicate with those Microsoft Services. Use the links to see the complete list for each product.

Microsoft service | Documentation

Windows 10 Enterprise including Windows Update for Business:
Manage connection endpoints for Windows 10, version 1803
Manage connection endpoints for Windows 10, version 1809
Manage connection endpoints for Windows 10, version 1903
Manage connection endpoints for Windows 10, version 2004

Delivery Optimization:
Configure Delivery Optimization for Windows 10 updates

Microsoft 365:
Microsoft 365 URL and IP address ranges

Azure Active Directory:
Hybrid identity required ports and protocols
Active Directory and Active Directory Domain Services Port Requirements

Microsoft Intune:
Intune network configuration requirements
Network endpoints for Microsoft Intune

Microsoft 365 Defender for Endpoint:
Microsoft 365 Defender for Endpoint requirements

Windows Autopilot:
Windows Autopilot Networking Requirements

Microsoft service | URLs required on allowlist | Documentation source

Windows Update for Business (WUfB):
update.microsoft.com
*.update.microsoft.com
download.windowsupdate.com
*.download.windowsupdate.com
download.microsoft.com
*.download.microsoft.com
windowsupdate.com
*.windowsupdate.com
ntservicepack.microsoft.com
wustat.windows.com
login.live.com
mp.microsoft.com
*.mp.microsoft.com
Documentation source: Windows Update for Business firewall and proxy requirements

Delivery Optimization:
*.do.dsp.mp.microsoft.com
*.dl.delivery.mp.microsoft.com
*.emdl.ws.microsoft.com
*.download.windowsupdate.com
*.windowsupdate.com
Documentation source: Windows Update proxy requirements

Microsoft Store for Business:
login.live.com
account.live.com
clientconfig.passport.net
wustat.windows.com
*.windowsupdate.com
*.wns.windows.com
*.hotmail.com
*.outlook.com
*.microsoft.com
*.msftncsi.com/ncsi.txt
Documentation source: Microsoft Store allowlist

Microsoft 365:
*.office365.com
*.office.com
*.office.net
*.live.com
*.portal.cloudappsecurity.com
*.us.portal.cloudappsecurity.com
*.eu.portal.cloudappsecurity.com
*.us2.portal.cloudappsecurity.com
<tenant>.onmicrosoft.com
account.office.net
agent.office.net
apc.delve.office.com
aus.delve.office.com
can.delve.office.com
delve.office.com
eur.delve.office.com
gbr.delve.office.com
home.office.com
ind.delve.office.com
jpn.delve.office.com
kor.delve.office.com
lam.delve.office.com
nam.delve.office.com
admin.microsoft.com
outlook.office365.com
suite.office.net
webshell.suite.office.com
www.office.com
*.aria.microsoft.com
browser.pipe.aria.microsoft.com
mobile.pipe.aria.microsoft.com
portal.microsoftonline.com
clientlog.admin.microsoft.com
nexus.officeapps.live.com
nexusrules.officeapps.live.com
amp.azure.net
*.o365weve.com
auth.gfx.ms
appsforoffice.microsoft.com
assets.onestore.ms
az826701.vo.msecnd.net
c.microsoft.com
c1.microsoft.com
client.hip.live.com
contentstorage.osi.office.net
dgps.support.microsoft.com
learn.microsoft.com
groupsapi-prod.outlookgroups.ms
groupsapi2-prod.outlookgroups.ms
groupsapi3-prod.outlookgroups.ms
groupsapi4-prod.outlookgroups.ms
msdn.microsoft.com
platform.linkedin.com
products.office.com
prod.msocdn.com
r1.res.office365.com
r4.res.office365.com
res.delve.office.com
shellprod.msocdn.com
support.content.office.net
support.microsoft.com
support.office.com
technet.microsoft.com
templates.office.com
video.osi.office.net
videocontent.osi.office.net
videoplayercdn.osi.office.net
*.manage.office.com
*.protection.office.com
manage.office.com
Protection.office.com
diagnostics.office.com
Documentation source: Microsoft 365 URL and IP address ranges

Azure Active Directory:
api.login.microsoftonline.com
api.passwordreset.microsoftonline.com
autologon.microsoftazuread-sso.com
becws.microsoftonline.com
clientconfig.microsoftonline-p.net
companymanager.microsoftonline.com
device.login.microsoftonline.com
hip.microsoftonline-p.net
hipservice.microsoftonline.com
login.microsoft.com
login.microsoftonline.com
logincert.microsoftonline.com
loginex.microsoftonline.com
login-us.microsoftonline.com
login.microsoftonline-p.com
login.windows.net
nexus.microsoftonline-p.com
passwordreset.microsoftonline.com
provisioningapi.microsoftonline.com
stamp2.login.microsoftonline.com
*.msappproxy.net
ccs.login.microsoftonline.com
ccs-sdf.login.microsoftonline.com
accounts.accesscontrol.windows.net
secure.aadcdn.microsoftonline-p.com
*.phonefactor.net
account.activedirectory.windowsazure.com
graph.microsoft.com
Documentation source: Hybrid identity required ports and protocols and Active Directory and Active Directory Domain Services Port Requirements

Microsoft Intune:
login.microsoftonline.com
portal.manage.microsoft.com
m.manage.microsoft.com
sts.manage.microsoft.com
Manage.microsoft.com
i.manage.microsoft.com
r.manage.microsoft.com
a.manage.microsoft.com
p.manage.microsoft.com
EnterpriseEnrollment.manage.microsoft.com
EnterpriseEnrollment-s.manage.microsoft.com
portal.fei.msua01.manage.microsoft.com
m.fei.msua01.manage.microsoft.com
fei.msua01.manage.microsoft.com
fei.msua02.manage.microsoft.com
portal.fei.msua02.manage.microsoft.com
m.fei.msua02.manage.microsoft.com
fei.msua04.manage.microsoft.com
portal.fei.msua04.manage.microsoft.com
m.fei.msua04.manage.microsoft.com
fei.msua05.manage.microsoft.com
portal.fei.msua05.manage.microsoft.com
m.fei.msua05.manage.microsoft.com
fei.amsua0502.manage.microsoft.com
portal.fei.amsua0502.manage.microsoft.com
m.fei.amsua0502.manage.microsoft.com
fei.msua06.manage.microsoft.com
portal.fei.msua06.manage.microsoft.com
m.fei.msua06.manage.microsoft.com
fei.amsua0602.manage.microsoft.com
portal.fei.amsua0602.manage.microsoft.com
m.fei.amsua0602.manage.microsoft.com
fei.msub01.manage.microsoft.com
portal.fei.msub01.manage.microsoft.com
m.fei.msub01.manage.microsoft.com
fei.amsub0102.manage.microsoft.com
portal.fei.amsub0102.manage.microsoft.com
m.fei.amsub0102.manage.microsoft.com
fei.msub02.manage.microsoft.com
portal.fei.msub02.manage.microsoft.com
m.fei.msub02.manage.microsoft.com
fei.msub03.manage.microsoft.com
portal.fei.msub03.manage.microsoft.com
m.fei.msub03.manage.microsoft.com
fei.msub05.manage.microsoft.com
portal.fei.msub05.manage.microsoft.com
m.fei.msub05.manage.microsoft.com
fei.msuc01.manage.microsoft.com
portal.fei.msuc01.manage.microsoft.com
m.fei.msuc01.manage.microsoft.com
fei.msuc02.manage.microsoft.com
portal.fei.msuc02.manage.microsoft.com
m.fei.msuc02.manage.microsoft.com
fei.msuc03.manage.microsoft.com
portal.fei.msuc03.manage.microsoft.com
m.fei.msuc03.manage.microsoft.com
fei.msuc05.manage.microsoft.com
portal.fei.msuc05.manage.microsoft.com
m.fei.msuc05.manage.microsoft.com
fef.msua01.manage.microsoft.com
fef.msua02.manage.microsoft.com
fef.msua04.manage.microsoft.com
fef.msua05.manage.microsoft.com
fef.msua06.manage.microsoft.com
fef.msua07.manage.microsoft.com
fef.msub01.manage.microsoft.com
fef.msub02.manage.microsoft.com
fef.msub03.manage.microsoft.com
fef.msub05.manage.microsoft.com
fef.msuc01.manage.microsoft.com
fef.msuc02.manage.microsoft.com
fef.msuc03.manage.microsoft.com
fef.msuc05.manage.microsoft.com
Documentation source: Intune network configuration requirements

OneDrive for Business:
onedrive.com
*.onedrive.com
onedrive.live.com
login.live.com
spoprod-a.akamaihd.net
*.mesh.com
p.sfx.ms
*.microsoft.com
fabric.io
*.crashlytics.com
vortex.data.microsoft.com
https://posarprodcssservice.accesscontrol.windows.net
redemptionservices.accesscontrol.windows.net
token.cp.microsoft.com/
tokensit.cp.microsoft-tst.com/
*.office.com
*.officeapps.live.com
*.aria.microsoft.com
*.mobileengagement.windows.net
*.branch.io
*.adjust.com
*.servicebus.windows.net
vas.samsungapps.com
odc.officeapps.live.com
login.windows.net
login.microsoftonline.com
*.files.1drv.com
*.onedrive.live.com
*.*.onedrive.live.com
storage.live.com
*.storage.live.com
*.*.storage.live.com
*.groups.office.live.com
*.groups.photos.live.com
*.groups.skydrive.live.com
favorites.live.com
oauth.live.com
photos.live.com
skydrive.live.com
api.live.net
apis.live.net
docs.live.net
*.docs.live.net
policies.live.net
*.policies.live.net
settings.live.net
*.settings.live.net
skyapi.live.net
snapi.live.net
*.livefilestore.com
*.*.livefilestore.com
storage.msn.com
*.storage.msn.com
*.*.storage.msn.com
Documentation source: Required URLs and ports for OneDrive

Microsoft Defender Advanced Threat Protection (ATP):
*.oms.opinsights.azure.com
*.blob.core.windows.net
*.azure-automation.net
*.ods.opinsights.azure.com
winatp-gw-cus.microsoft.com
winatp-gw-eus.microsoft.com
winatp-gw-neu.microsoft.com
winatp-gw-weu.microsoft.com
winatp-gw-uks.microsoft.com
winatp-gw-ukw.microsoft.com
winatp-gw-aus.microsoft.com
winatp-gw-aue.microsoft.com
Documentation source: Windows Defender ATP endpoints

Get Help:
*.support.services.microsoft.com
inprod.support.services.microsoft.com
supportchannels.services.microsoft.com
graph.windows.net
login.windows.net
prod-mwaas-services-customerapi.azurewebsites.net
concierge.live.com
rave.office.net

Quick Assist:
remoteassistance.support.services.microsoft.com
relay.support.services.microsoft.com
channelwebsdks.azureedge.net
web.vortex.data.microsoft.com
gateway.channelservices.microsoft.com
*.lync.com

SharePoint Online:
*.sharepoint.com
*.svc.ms
<tenant>.sharepoint.com
<tenant>-my.sharepoint.com
<tenant>-files.sharepoint.com
<tenant>-myfiles.sharepoint.com
*.sharepointonline.com
cdn.sharepointonline.com
static.sharepointonline.com
spoprod-a.akamaihd.net
publiccdn.sharepointonline.com
privatecdn.sharepointonline.com
Documentation source: Office 365 URLs and IP address ranges

OneDrive for Business:
admin.onedrive.com
officeclient.microsoft.com
odc.officeapps.live.com
skydrive.wns.windows.com
g.live.com
oneclient.sfx.ms
*.log.optimizely.com
click.email.microsoftonline.com
ssw.live.com
storage.live.com
Documentation source: Office 365 URLs and IP address ranges

Microsoft Teams:
*.teams.skype.com
*.teams.microsoft.com
teams.microsoft.com
*.asm.skype.com
*.cc.skype.com
*.conv.skype.com
*.dc.trouter.io
*.msg.skype.com
prod.registrar.skype.com
prod.tpc.skype.com
*.broker.skype.com
*.config.skype.com
*.pipe.skype.com
*.pipe.aria.microsoft.com
config.edge.skype.com
pipe.skype.com
s-0001.s-msedge.net
s-0004.s-msedge.net
scsinstrument-ss-us.trafficmanager.net
scsquery-ss-us.trafficmanager.net
scsquery-ss-eu.trafficmanager.net
scsquery-ss-asia.trafficmanager.net
*.msedge.net
compass-ssl.microsoft.com
feedback.skype.com
*.secure.skypeassets.com
mlccdnprod.azureedge.net
videoplayercdn.osi.office.net
*.mstea.ms
Documentation source: Office 365 URLs and IP address ranges

Power BI:
maxcdn.bootstrapcdn.com
ajax.aspnetcdn.com
netdna.bootstrapcdn.com
cdn.optimizely.com
google-analytics.com
*.mktoresp.com
*.aadcdn.microsoftonline-p.com
*.msecnd.com
*.localytics.com
*.virtualearth.net
platform.bing.com
powerbi.microsoft.com
c.microsoft.com
app.powerbi.com
*.powerbi.com
dc.services.visualstudio.com
support.powerbi.com
go.microsoft.com
c1.microsoft.com
*.azureedge.net
Documentation source: Power BI & Express Route

OneNote:
apis.live.net
www.onedrive.com
login.microsoft.com
www.onenote.com
*.onenote.com
*.msecnd.net
*.microsoft.com
*.office.net
cdn.onenote.net
site-cdn.onenote.net
cdn.optimizely.com
Ajax.aspnetcdn.com
officeapps.live.com
*cdn.onenote.net
contentstorage.osi.office.net
*onenote.officeapps.live.com
Documentation source: Office 365 URLs and IP address ranges
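
The tables list both an apex name and its wildcard (windowsupdate.com and *.windowsupdate.com) and both one-level and two-level wildcards (*.onedrive.live.com and *.*.onedrive.live.com), so whether an existing proxy rule covers a required entry depends on how the device expands `*`. The following added example (not part of the original article or any Microsoft tooling) audits an allowlist export against required entries under both interpretations. The function names, the `PROXY_ALLOWLIST` sample and the tenant name `contoso` are assumptions made for illustration.

```python
"""Audit a proxy allowlist export against required endpoint patterns."""
from fnmatch import fnmatchcase

def normalize(entry):
    """Lowercase an entry and strip scheme, path, port and trailing dot."""
    host = entry.strip().lower().split("://", 1)[-1]
    return host.split("/", 1)[0].split(":", 1)[0].rstrip(".")

def covers(allowed, required, multi_label=False):
    """True if the allowlist pattern admits every host the required pattern names.

    Assumption: '*' stands for exactly one DNS label unless multi_label is set,
    in which case a leading '*' also absorbs any additional leading labels.
    """
    a, r = normalize(allowed).split("."), normalize(required).split(".")
    if multi_label and a[0] == "*" and len(r) > len(a):
        r = ["*"] + r[len(r) - len(a) + 1:]  # collapse the extra leading labels
    if len(a) != len(r):
        return False  # e.g. '*.windowsupdate.com' never covers 'windowsupdate.com'
    return all(x == "*" or x == y or ("*" not in y and fnmatchcase(y, x))
               for x, y in zip(a, r))

def audit(required, allowlist, tenant=None, multi_label=False):
    """Return the required patterns that no allowlist entry covers, in order."""
    missing = []
    for req in required:
        if tenant:
            req = req.replace("<tenant>", tenant)  # fill the page's placeholder
        if not any(covers(entry, req, multi_label) for entry in allowlist):
            missing.append(normalize(req))
    return missing

# A small subset of the required entries, copied from the tables above.
REQUIRED = [
    "mmdcustomer.microsoft.com", "windowsupdate.com", "*.windowsupdate.com",
    "*.onedrive.live.com", "*.*.onedrive.live.com",
    "https://posarprodcssservice.accesscontrol.windows.net",
    "token.cp.microsoft.com/", "<tenant>.sharepoint.com",
]
# Constructed sample of a proxy allowlist export; not from the original page.
PROXY_ALLOWLIST = [
    "*.microsoft.com", "*.windowsupdate.com", "*.onedrive.live.com",
    "posarprodcssservice.accesscontrol.windows.net", "*.sharepoint.com",
]

if __name__ == "__main__":
    for deep in (False, True):
        gaps = audit(REQUIRED, PROXY_ALLOWLIST, tenant="contoso", multi_label=deep)
        print("multi-label" if deep else "single-label", "gaps:", gaps)
```

Check the wildcard semantics of your own proxy or firewall before trusting either result; the single-label mode reports more gaps and is the safer default for a connectivity audit.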

Steps to get ready for Microsoft Managed Desktop

  1. Review prerequisites for Microsoft Managed Desktop.
  2. Run readiness assessment tools.
  3. Buy Company Portal.
  4. Review prerequisites for guest accounts.
  5. Check network configuration (this article).
  6. Prepare certificates and network profiles.
  7. Prepare user access to data.
  8. Prepare apps.
  9. Prepare mapped drives.
  10. Prepare printing resources.
  11. Address device names.