Network endpoints for Microsoft Intune

This page lists IP addresses and port settings needed for proxy settings in your Intune deployments.

As a cloud-only service, Intune doesn't require on-premises infrastructure such as servers or gateways.

Access for managed devices

To manage devices behind firewalls and proxy servers, you must enable communication for Intune.

Note

The information in this section also applies to the Microsoft Intune Certificate Connector. The connector has the same network requirements as managed devices.

  • The proxy server must support both HTTP (80) and HTTPS (443) because Intune clients use both protocols. Windows Information Protection uses port 444.
  • For some tasks (like downloading software updates for the classic pc agent), Intune requires unauthenticated proxy server access to manage.microsoft.com

Note

The inspection of SSL traffic is not supported to 'manage.microsoft.com' endpoint.

You can modify proxy server settings on individual client computers. You can also use Group Policy settings to change settings for all client computers located behind a specified proxy server.

Managed devices require configurations that let All Users access services through firewalls.

To make it easier to configure services through firewalls, we have onboarded with the Office 365 Endpoint service. At this time, the Intune services are accessed through a PowerShell script. There are other dependent services for Intune which are already covered as part of the M365 Service and are marked as 'required'. Services already covered by M365 are not included in the script to avoid duplication. By using the following PowerShell script, you can retrieve the list of IP addresses for the Intune service. This provides the same list as the subnets indicated in the IP address table below.

(invoke-restmethod -Uri ("https://endpoints.office.com/endpoints/WorldWide?ServiceAreas=MEM`&clientrequestid=" + ([GUID]::NewGuid()).Guid)) | ?{$_.ServiceArea -eq "MEM" -and $_.ips} | select -unique -ExpandProperty ips

By using the following PowerShell script, you can retrieve the list of FQDNs used by Intune and Autopilot.

(invoke-restmethod -Uri ("https://endpoints.office.com/endpoints/WorldWide?ServiceAreas=MEM`&clientrequestid=" + ([GUID]::NewGuid()).Guid)) | ?{$_.ServiceArea -eq "MEM" -and $_.urls} | select -unique -ExpandProperty urls

This provides a convenient method to list and review all services required by Intune and autopilot in one location. You will also need FQDN's that are covered as part of M365 Requirements. For reference this is the list of URL's returned, and the service they are tied to.

FQDN Associated Service
*.manage.microsoft.com Intune Service
manage.microsoft.com Intune Service
*.delivery.mp.microsoft.com Delivery Optimization
*.prod.do.dsp.mp.microsoft.com Delivery Optimization
*.update.microsoft.com Delivery Optimization
*.windowsupdate.com Delivery Optimization
emdl.ws.microsoft.com Delivery Optimization
tsfe.trafficshaping.dsp.mp.microsoft.com Delivery Optimization
time.windows.com NTP Sync
www.msftconnecttest.com NTP Sync
www.msftncsi.com NTP Sync
*.s-microsoft.com Windows Notifications & Store
clientconfig.passport.net Windows Notifications & Store
windowsphone.com Windows Notifications & Store
approdimedatahotfix.azureedge.net Scripts & Win32 Apps
approdimedatapri.azureedge.net Scripts & Win32 Apps
approdimedatasec.azureedge.net Scripts & Win32 Apps
euprodimedatahotfix.azureedge.net Scripts & Win32 Apps
euprodimedatapri.azureedge.net Scripts & Win32 Apps
euprodimedatasec.azureedge.net Scripts & Win32 Apps
naprodimedatahotfix.azureedge.net Scripts & Win32 Apps
naprodimedatapri.azureedge.net Scripts & Win32 Apps
naprodimedatasec.azureedge.net Scripts & Win32 Apps
*.notify.windows.com Push Notifications
*.wns.windows.com Push Notifications
*.dl.delivery.mp.microsoft.com Delivery Optimization
*.do.dsp.mp.microsoft.com Delivery Optimization
*.emdl.ws.microsoft.com Delivery Optimization
ekcert.spserv.microsoft.com Autopilot Self-deploy
ekop.intel.com Autopilot Self-deploy
ftpm.amd.com Autopilot Self-deploy
*.itunes.apple.com Apple Device Management
*.mzstatic.com Apple Device Management
*.phobos.apple.com Apple Device Management
5-courier.push.apple.com Apple Device Management
ax.itunes.apple.com.edgesuite.net Apple Device Management
itunes.apple.com Apple Device Management
ocsp.apple.com Apple Device Management
phobos.apple.com Apple Device Management
phobos.itunes-apple.com.akadns.net Apple Device Management
intunecdnpeasd.azureedge.net
*.channelservices.microsoft.com Remote Help
*.go-mpulse.net Remote Help
*.infra.lync.com Remote Help
*.resources.lync.com Remote Help
*.support.services.microsoft.com Remote Help
*.trouter.skype.com Remote Help
*.vortex.data.microsoft.com Remote Help
edge.skype.com Remote Help
remoteassistanceprodacs.communication.azure.com Remote Help
lgmsapeweu.blob.core.windows.net Collect Diagnostics

The following tables list the ports and services that the Intune client accesses:

Domains IP address
login.microsoftonline.com
*.officeconfig.msocdn.com
config.office.com
graph.windows.net
enterpriseregistration.windows.net
More information Office 365 URLs and IP address ranges
*.manage.microsoft.com
manage.microsoft.com
104.46.162.96/27
13.67.13.176/28
13.67.15.128/27
13.69.231.128/28
13.69.67.224/28
13.70.78.128/28
13.70.79.128/27
13.71.199.64/28
13.73.244.48/28
13.74.111.192/27
13.77.53.176/28
13.86.221.176/28
13.89.174.240/28
13.89.175.192/28
20.189.172.160/27
20.189.229.0/25
20.191.167.0/25
20.37.153.0/24
20.37.192.128/25
20.38.81.0/24
20.41.1.0/24
20.42.1.0/24
20.42.130.0/24
20.42.224.128/25
20.43.129.0/24
20.44.19.224/27
20.49.93.160/27
20.192.174.216/29
20.192.159.40/29
20.204.193.12/30
20.204.193.10/31
40.119.8.128/25
40.67.121.224/27
40.70.151.32/28
40.71.14.96/28
40.74.25.0/24
40.78.245.240/28
40.78.247.128/27
40.79.197.64/27
40.79.197.96/28
40.80.180.208/28
40.80.180.224/27
40.80.184.128/25
40.82.248.224/28
40.82.249.128/25
52.150.137.0/25
52.162.111.96/28
52.168.116.128/27
52.182.141.192/27
52.236.189.96/27
52.240.244.160/27

Network requirements for PowerShell scripts and Win32 apps

If you're using Intune to deploy PowerShell scripts or Win32 apps, you'll also need to grant access to endpoints in which your tenant currently resides.

To find your tenant location (or Azure Scale Unit (ASU)), sign in to the Microsoft Endpoint Manager admin center, choose Tenant administration > Tenant details. The location is under Tenant location as something like North America 0501 or Europe 0202. Look for the matching number in the following table. That row will tell you which storage name and CDN endpoints to grant access to. The rows are differentiated by geographic region, as indicated by the first two letters in the names (na = North America, eu = Europe, ap = Asia Pacific). Your tenant location will be one of these three regions although your organization’s actual geographic location might be elsewhere.

Azure Scale Unit (ASU) Storage name CDN
AMSUA0601
AMSUA0602
AMSUA0101
AMSUA0102
AMSUA0201
AMSUA0202
AMSUA0401
AMSUA0402
AMSUA0501
AMSUA0502
AMSUA0701
AMSUA0702
AMSUA0801
AMSUA0901
naprodimedatapri
naprodimedatasec
naprodimedatahotfix
naprodimedatapri.azureedge.net
naprodimedatasec.azureedge.net
naprodimedatahotfix.azureedge.net
AMSUB0101
AMSUB0102
AMSUB0201
AMSUB0202
AMSUB0301
AMSUB0302
AMSUB0501
AMSUB0502
AMSUB0601
AMSUB0701
euprodimedatapri
euprodimedatasec
euprodimedatahotfix
euprodimedatapri.azureedge.net
euprodimedatasec.azureedge.net
euprodimedatahotfix.azureedge.net
AMSUC0101
AMSUC0201
AMSUC0301
AMSUC0501
AMSUD0101
approdimedatapri
approdimedatasec
approdimedatahotifx
approdimedatapri.azureedge.net
approdimedatasec.azureedge.net
approdimedatahotfix.azureedge.net

Windows Push Notification Services (WNS)

For Intune-managed Windows devices managed using Mobile Device Management (MDM), device actions and other immediate activities require the use of Windows Push Notification Services (WNS). For more information, see Allowing Windows Notification traffic through enterprise firewalls.

Delivery Optimization port requirements

Port requirements

For peer-to-peer traffic, Delivery Optimization uses 7680 for TCP/IP or 3544 for NAT traversal (optionally Teredo). For client-service communication, it uses HTTP or HTTPS over port 80/443.

Proxy requirements

To use Delivery Optimization, you must allow Byte Range requests. For more information, see Proxy requirements for Windows Update.

Firewall requirements

Allow the following hostnames through your firewall to support Delivery Optimization. For communication between clients and the Delivery Optimization cloud service:

  • *.do.dsp.mp.microsoft.com

For Delivery Optimization metadata:

  • *.dl.delivery.mp.microsoft.com
  • *.emdl.ws.microsoft.com

Apple device network information

Used for Hostname (IP address/subnet) Protocol Port
Retrieving and displaying content from Apple servers itunes.apple.com
*.itunes.apple.com
*.mzstatic.com
*.phobos.apple.com
*.phobos.itunes-apple.com.akadns.net
HTTP 80
Communications with APNS servers #-courier.push.apple.com
'#' is a random number from 0 to 50.
TCP 5223 and 443
Various functionalities including accessing the World Wide Web, iTunes store, macOS app store, iCloud, messaging, etc. phobos.apple.com
ocsp.apple.com
ax.itunes.apple.com
ax.itunes.apple.com.edgesuite.net
HTTP/HTTPS 80 or 443

For more information, see Use Apple products on enterprise networks, TCP and UDP ports used by Apple software products, About macOS, iOS/iPadOS, and iTunes server host connections and iTunes background processes, and If your macOS and iOS/iPadOS clients aren't getting Apple push notifications.

Android port information

Depending on how you choose to manage Android devices, you may need to open the Google Android Enterprise ports and/or the Android push notification. For more information on Android management methods supported, see the Android enrollment documentation.

Note

Because Google Mobile Services isn't available in China, devices in China managed by Intune can't use features that require Google Mobile Services. These features include: Google Play Protect capabilities such as SafetyNet device attestation, Managing apps from the Google Play Store, Android Enterprise capabilities (see this Google documentation). Additionally, the Intune Company Portal app for Android uses Google Mobile Services to communicate with the Microsoft Intune service. Because Google Play services isn't available in China, some tasks can require up to 8 hours to finish. For more information, see this article.

Android (AOSP)

Used for Hostname (IP address/subnet) Protocol Port
Downloading and installing Microsoft Intune and Microsoft Authenticator apps intunecdnpeasd.azureedge.net HTTPS 443

Google Android Enterprise

Google provides documentation of required network ports and destination host names in their Android Enterprise Bluebook, under the Firewall section of that document.

Android push notification

Intune leverages Google Firebase Cloud Messaging (FCM) for push notification to trigger device actions and check-ins. This is required by both Android Device Administrator and Android Enterprise. For information on FCM network requirements, see Google's FCM ports and your firewall.

Endpoint analytics

For more information on the required endpoints for endpoint analytics, see Endpoint analytics proxy configuration.

Office 365 URLs and IP address ranges

Microsoft 365 network connectivity overview

Content delivery networks (CDNs)

Other endpoints not included in the Office 365 IP Address and URL Web service

Managing Office 365 endpoints