Network endpoints for Microsoft Intune
This article lists IP addresses and port settings needed for proxy settings in your Microsoft Intune deployments.
As a cloud-only service, Intune doesn't require an on-premises infrastructure such as servers or gateways.
Access for managed devices
To manage devices behind firewalls and proxy servers, you must enable communication for Intune.
Note
The information in this section also applies to the Microsoft Intune Certificate Connector. The connector has the same network requirements as managed devices.
The endpoints in this article should be accessible via TCP port 80 and 443 via whatever method you use to allow access. Windows Information Protection uses port 444.
For some tasks, Intune requires unauthenticated proxy server access to manage.microsoft.com, *.azureedge.net, and graph.microsoft.com.
Note
The inspection of SSL traffic is not supported on 'manage.microsoft.com', 'a.manage.microsoft.com', or 'dm.microsoft.com' endpoints.
Note
Allow HTTP Partial response is required for Scripts & Win32 Apps endpoints.
You can modify proxy server settings on individual client computers. You can also use Group Policy settings to change settings for all client computers located behind a specified proxy server.
Managed devices require configurations that let All Users access services through firewalls.
To make it easier to configure services through firewalls, we have onboarded with the Office 365 Endpoint service. At this time, the Intune services are accessed through a PowerShell script. There are other dependent services for Intune, which are already covered as part of the Microsoft 365 Service and are marked as 'required'. Services already covered by Microsoft 365 aren't included in the script to avoid duplication. By using the following PowerShell script, you can retrieve the list of IP addresses for the Intune service. This provides the same list as the subnets indicated in the IP address table below.
(invoke-restmethod -Uri ("https://endpoints.office.com/endpoints/WorldWide?ServiceAreas=MEM`&`clientrequestid=" + ([GUID]::NewGuid()).Guid)) | ?{$_.ServiceArea -eq "MEM" -and $_.ips} | select -unique -ExpandProperty ips
By using the following PowerShell script, you can retrieve the list of FQDNs used by Intune and dependent services.
(invoke-restmethod -Uri ("https://endpoints.office.com/endpoints/WorldWide?ServiceAreas=MEM`&`clientrequestid=" + ([GUID]::NewGuid()).Guid)) | ?{$_.ServiceArea -eq "MEM" -and $_.urls} | select -unique -ExpandProperty urls
The script provides a convenient method to list and review all services required by Intune and Autopilot in one location. Additional properties can be returned from the endpoint service such as the category property, which indicates whether the FQDN or IP should be configured as Allow, Optimize or Default.
You'll also need FQDNs that are covered as part of Microsoft 365 Requirements. For reference, the following table is the list of URLs returned, and the service they're tied to.
FQDN | Associated Service |
---|---|
*.manage.microsoft.com | Intune Service |
manage.microsoft.com | Intune Service |
*.prod.do.dsp.mp.microsoft.com | Windows Update and Delivery Optimization |
*.windowsupdate.com | Windows Update and Delivery Optimization |
*.dl.delivery.mp.microsoft.com | Windows Update and Delivery Optimization |
*.update.microsoft.com | Windows Update and Delivery Optimization |
*.delivery.mp.microsoft.com | Windows Update and Delivery Optimization |
tsfe.trafficshaping.dsp.mp.microsoft.com | Windows Update and Delivery Optimization |
emdl.ws.microsoft.com | Delivery Optimization |
*.do.dsp.mp.microsoft.com | Delivery Optimization |
*.emdl.ws.microsoft.com | Delivery Optimization |
*.notify.windows.com | Push Notifications |
*.wns.windows.com | Push Notifications |
devicelistenerprod.microsoft.com | Windows Update for Business deployment service |
devicelistenerprod.eudb.microsoft.com | Windows Update for Business deployment service |
login.windows.net | Windows Update for Business deployment service |
payloadprod*.blob.core.windows.net | Windows Update for Business deployment service |
time.windows.com | NTP Sync |
www.msftconnecttest.com | NTP Sync |
www.msftncsi.com | NTP Sync |
*.s-microsoft.com | Windows Notifications & Store |
clientconfig.passport.net | Windows Notifications & Store |
windowsphone.com | Windows Notifications & Store |
approdimedatahotfix.azureedge.net | Scripts & Win32 Apps |
approdimedatapri.azureedge.net | Scripts & Win32 Apps |
approdimedatasec.azureedge.net | Scripts & Win32 Apps |
euprodimedatahotfix.azureedge.net | Scripts & Win32 Apps |
euprodimedatapri.azureedge.net | Scripts & Win32 Apps |
euprodimedatasec.azureedge.net | Scripts & Win32 Apps |
naprodimedatahotfix.azureedge.net | Scripts & Win32 Apps |
naprodimedatapri.azureedge.net | Scripts & Win32 Apps |
swda01-mscdn.azureedge.net | Scripts & Win32 Apps |
swda02-mscdn.azureedge.net | Scripts & Win32 Apps |
swdb01-mscdn.azureedge.net | Scripts & Win32 Apps |
swdb02-mscdn.azureedge.net | Scripts & Win32 Apps |
swdc01-mscdn.azureedge.net | Scripts & Win32 Apps |
swdc02-mscdn.azureedge.net | Scripts & Win32 Apps |
swdd01-mscdn.azureedge.net | Scripts & Win32 Apps |
swdd02-mscdn.azureedge.net | Scripts & Win32 Apps |
swdin01-mscdn.azureedge.net | Scripts & Win32 Apps |
swdin02-mscdn.azureedge.net | Scripts & Win32 Apps |
ekcert.spserv.microsoft.com | Autopilot Self-deploy |
ekop.intel.com | Autopilot Self-deploy |
ftpm.amd.com | Autopilot Self-deploy |
*.itunes.apple.com | Apple Device Management |
*.mzstatic.com | Apple Device Management |
*.phobos.apple.com | Apple Device Management |
5-courier.push.apple.com | Apple Device Management |
ax.itunes.apple.com.edgesuite.net | Apple Device Management |
itunes.apple.com | Apple Device Management |
ocsp.apple.com | Apple Device Management |
phobos.apple.com | Apple Device Management |
phobos.itunes-apple.com.akadns.net | Apple Device Management |
intunecdnpeasd.azureedge.net | |
*.channelservices.microsoft.com | Remote Help |
*.go-mpulse.net | Remote Help |
*.infra.lync.com | Remote Help |
*.resources.lync.com | Remote Help |
*.support.services.microsoft.com | Remote Help |
*.trouter.skype.com | Remote Help |
*.vortex.data.microsoft.com | Remote Help |
edge.skype.com | Remote Help |
remoteassistanceprodacs.communication.azure.com | Remote Help |
lgmsapeweu.blob.core.windows.net | Collect Diagnostics |
fd.api.orgmsg.microsoft.com | Organizational messages |
ris.prod.api.personalization.ideas.microsoft.com | Organizational messages |
contentauthassetscdn-prod.azureedge.net | Organizational messages |
contentauthassetscdn-prodeur.azureedge.net | Organizational messages |
contentauthrafcontentcdn-prod.azureedge.net | Organizational messages |
contentauthrafcontentcdn-prodeur.azureedge.net | Organizational messages |
The following tables list the ports and services that the Intune client accesses:
Domains | IP address |
---|---|
login.microsoftonline.com *.officeconfig.msocdn.com config.office.com graph.windows.net enterpriseregistration.windows.net |
More information Office 365 URLs and IP address ranges |
*.manage.microsoft.com manage.microsoft.com |
104.46.162.96/27 13.67.13.176/28 13.67.15.128/27 13.69.231.128/28 13.69.67.224/28 13.70.78.128/28 13.70.79.128/27 13.71.199.64/28 13.73.244.48/28 13.74.111.192/27 13.77.53.176/28 13.86.221.176/28 13.89.174.240/28 13.89.175.192/28 20.189.172.160/27 20.189.229.0/25 20.191.167.0/25 20.37.153.0/24 20.37.192.128/25 20.38.81.0/24 20.41.1.0/24 20.42.1.0/24 20.42.130.0/24 20.42.224.128/25 20.43.129.0/24 20.44.19.224/27 20.49.93.160/27 20.192.174.216/29 20.192.159.40/29 20.204.193.12/30 20.204.193.10/31 40.119.8.128/25 40.67.121.224/27 40.70.151.32/28 40.71.14.96/28 40.74.25.0/24 40.78.245.240/28 40.78.247.128/27 40.79.197.64/27 40.79.197.96/28 40.80.180.208/28 40.80.180.224/27 40.80.184.128/25 40.82.248.224/28 40.82.249.128/25 52.150.137.0/25 52.162.111.96/28 52.168.116.128/27 52.182.141.192/27 52.236.189.96/27 52.240.244.160/27 |
Network requirements for PowerShell scripts and Win32 apps
If you're using Intune to deploy PowerShell scripts or Win32 apps, you'll also need to grant access to endpoints in which your tenant currently resides.
To find your tenant location (or Azure Scale Unit (ASU)), sign in to the Microsoft Intune admin center, choose Tenant administration > Tenant details. The location is under Tenant location as something like North America 0501 or Europe 0202. Look for the matching number in the following table. That row will tell you which storage name and CDN endpoints to grant access to. The rows are differentiated by geographic region, as indicated by the first two letters in the names (na = North America, eu = Europe, ap = Asia Pacific). Your tenant location is one of these three regions although your organization's actual geographic location might be elsewhere.
Azure Scale Unit (ASU) | Storage name | CDN |
---|---|---|
AMSUA0601 AMSUA0602 AMSUA0101 AMSUA0102 AMSUA0201 AMSUA0202 AMSUA0401 AMSUA0402 AMSUA0501 AMSUA0502 AMSUA0601 AMSUA0701 AMSUA0702 AMSUA0801 AMSUA0901 |
naprodimedatapri naprodimedatasec naprodimedatahotfix |
naprodimedatapri.azureedge.net naprodimedatasec.azureedge.net naprodimedatahotfix.azureedge.net |
AMSUB0101 AMSUB0102 AMSUB0201 AMSUB0202 AMSUB0301 AMSUB0302 AMSUB0501 AMSUB0502 AMSUB0601 AMSUB0701 |
euprodimedatapri euprodimedatasec euprodimedatahotfix |
euprodimedatapri.azureedge.net euprodimedatasec.azureedge.net euprodimedatahotfix.azureedge.net |
AMSUC0101 AMSUC0201 AMSUC0301 AMSUC0501 AMSUC0601 AMSUD0101 |
approdimedatapri approdimedatasec approdimedatahotifx |
approdimedatapri.azureedge.net approdimedatasec.azureedge.net approdimedatahotfix.azureedge.net |
Microsoft Store
Managed Windows devices using the Microsoft Store – either to acquire, install, or update apps – will need access to these endpoints.
Microsoft Store API (AppInstallManager):
- displaycatalog.md.mp.microsoft.com
- purchase.md.mp.microsoft.com
- licensing.mp.microsoft.com
- storeedgefd.dsx.mp.microsoft.com
Windows Update Agent:
For details, see the following resources:
- Manage connection endpoints for Windows 11 Enterprise
- Manage connection endpoints for Windows 10 Enterprise, version 21H2
Win32 content download:
Win32 content download locations and endpoints are unique per application and are provided by the external publisher. You can find the location for each Win32 Store app using the following command on a test system (you can obtain the [PackageId] for a Store app by referencing the Package Identifier property of the app after adding it to Microsoft Intune):
winget show [PackageId]
The Installer Url property will either show the external download location or the region-based (Microsoft-hosted) fallback cache based on whether the cache is in-use. Note that the content download location can change between the cache and external location.
Microsoft-hosted Win32 app fallback cache:
- Varies by region, example: sparkcdneus2.azureedge.net, sparkcdnwus2.azureedge.net
Delivery Optimization (optional, required for peering): For details, see the following resource:
Windows Push Notification Services (WNS)
For Intune-managed Windows devices managed using Mobile Device Management (MDM), device actions and other immediate activities require the use of Windows Push Notification Services (WNS). For more information, see Allowing Windows Notification traffic through enterprise firewalls.
Migrating device health attestation compliance policies to Microsoft Azure attestation
If a customer enables any of the Windows 10/11 Compliance policy - Device Health settings, then Windows 11 devices will begin to use a Microsoft Azure Attestation (MAA) service based on their Intune tenant location. However, Windows 10 and GCCH/DOD environments will continue to use the existing Device Health Attestation DHA endpoint 'has.spserv.microsoft.com' for device health attestation reporting and isn't impacted by this change.
If a customer has firewall policies that prevent access to the new Intune MAA service for Windows 11, then Windows 11 devices with assigned compliance policies using any of the device health settings (BitLocker, Secure Boot, Code Integrity) will fall out of compliance as they're unable to reach the MAA attestation endpoints for their location.
Ensure there are no firewall rules blocking outbound HTTPS/443 traffic to the endpoints listed in this section based on your Intune tenant's location. To find your tenant location navigate to the Intune admin center > Tenant administration > Tenant status > Tenant details, see Tenant location.
North America based locations:
'https://intunemaape1.eus.attest.azure.net'
'https://intunemaape2.eus2.attest.azure.net'
'https://intunemaape3.cus.attest.azure.net'
'https://intunemaape4.wus.attest.azure.net'
'https://intunemaape5.scus.attest.azure.net'
'https://intunemaape6.ncus.attest.azure.net'
Europe based locations:
'https://intunemaape7.neu.attest.azure.net'
'https://intunemaape8.neu.attest.azure.net'
'https://intunemaape9.neu.attest.azure.net'
'https://intunemaape10.weu.attest.azure.net'
'https://intunemaape11.weu.attest.azure.net'
'https://intunemaape12.weu.attest.azure.net'
Asia Pacific locations:
'https://intunemaape13.jpe.attest.azure.net'
'https://intunemaape17.jpe.attest.azure.net'
'https://intunemaape18.jpe.attest.azure.net'
'https://intunemaape19.jpe.attest.azure.net'
Delivery Optimization port requirements
Port requirements
For peer-to-peer traffic, Delivery Optimization uses 7680 for TCP/IP or 3544 for NAT traversal (optionally Teredo). For client-service communication, it uses HTTP or HTTPS over port 80/443.
Proxy requirements
To use Delivery Optimization, you must allow Byte Range requests. For more information, see Proxy requirements for Windows Update.
Firewall requirements
Allow the following hostnames through your firewall to support Delivery Optimization. For communication between clients and the Delivery Optimization cloud service:
- *.do.dsp.mp.microsoft.com
For Delivery Optimization metadata:
- *.dl.delivery.mp.microsoft.com
- *.emdl.ws.microsoft.com
Apple device network information
Used for | Hostname (IP address/subnet) | Protocol | Port |
---|---|---|---|
Retrieving and displaying content from Apple servers | itunes.apple.com *.itunes.apple.com *.mzstatic.com *.phobos.apple.com *.phobos.itunes-apple.com.akadns.net |
HTTP | 80 |
Communications with APNS servers | #-courier.push.apple.com '#' is a random number from 0 to 50. |
TCP | 5223 and 443 |
Various functionalities including accessing the World Wide Web, iTunes store, macOS app store, iCloud, messaging, etc. | phobos.apple.com ocsp.apple.com ax.itunes.apple.com ax.itunes.apple.com.edgesuite.net |
HTTP/HTTPS | 80 or 443 |
For more information, see Use Apple products on enterprise networks, TCP and UDP ports used by Apple software products, About macOS, iOS/iPadOS, and iTunes server host connections and iTunes background processes, and If your macOS and iOS/iPadOS clients aren't getting Apple push notifications.
Android port information
Depending on how you choose to manage Android devices, you may need to open the Google Android Enterprise ports and/or the Android push notification. For more information on Android management methods supported, see the Android enrollment documentation.
Note
Because Google Mobile Services isn't available in China, devices in China managed by Intune can't use features that require Google Mobile Services. These features include: Google Play Protect capabilities such as SafetyNet device attestation, Managing apps from the Google Play Store, Android Enterprise capabilities (see this Google documentation). Additionally, the Intune Company Portal app for Android uses Google Mobile Services to communicate with the Microsoft Intune service. Because Google Play services isn't available in China, some tasks can require up to 8 hours to finish. For more information, see this article.
Android (AOSP)
Used for | Hostname (IP address/subnet) | Protocol | Port |
---|---|---|---|
Downloading and installing Microsoft Intune and Microsoft Authenticator apps | intunecdnpeasd.azureedge.net | HTTPS | 443 |
Google Android Enterprise
Google provides documentation of required network ports and destination host names in their Android Enterprise Bluebook, under the Firewall section of that document.
Android push notification
Intune leverages Google Firebase Cloud Messaging (FCM) for push notification to trigger device actions and check-ins. This is required by both Android Device Administrator and Android Enterprise. For information on FCM network requirements, see Google's FCM ports and your firewall.
Endpoint analytics
For more information on the required endpoints for endpoint analytics, see Endpoint analytics proxy configuration.
Microsoft Defender for Endpoint
For more information about configuring Defender for Endpoint connectivity, see Connectivity Requirements
Allow the following hostnames through your firewall to support Defender for Endpoint security settings management. For communication between clients and the cloud service:
*.dm.microsoft.com - The use of a wildcard supports the cloud-service endpoints that are used for enrollment, check-in, and reporting, and which can change as the service scales.
Important
SSL Inspection is not supported on the 'dm.microsoft.com' endpoint.
Microsoft Intune Endpoint Privilege Management
Allow the following hostnames through your firewall to support Endpoint Privilege Management.
For communication between clients and the cloud service:
*.dm.microsoft.com - The use of a wildcard supports the cloud-service endpoints that are used for enrollment, check-in, and reporting, and which can change as the service scales.
*.events.data.microsoft.com - Used by Intune-managed devices to send optional reporting data to the Intune data collection endpoint.
Important
SSL Inspection is not supported on the 'dm.microsoft.com' endpoint.
For more information, see the Overview of Endpoint Privilege Management
Related topics
Office 365 URLs and IP address ranges
Microsoft 365 network connectivity overview
Content delivery networks (CDNs)
Other endpoints not included in the Office 365 IP Address and URL Web service
Feedback
Submit and view feedback for