Network endpoints for Microsoft Intune

This article lists IP addresses and port settings needed for proxy settings in your Microsoft Intune deployments.

As a cloud-only service, Intune doesn't require an on-premises infrastructure such as servers or gateways.

Access for managed devices

To manage devices behind firewalls and proxy servers, you must enable communication for Intune.

Note

The information in this section also applies to the Microsoft Intune Certificate Connector. The connector has the same network requirements as managed devices.

  • The endpoints in this article allow access to the ports identified in the following tables.

  • For some tasks, Intune requires unauthenticated proxy server access to manage.microsoft.com, *.azureedge.net, and graph.microsoft.com.

    Note

    The inspection of SSL traffic is not supported on 'manage.microsoft.com', 'a.manage.microsoft.com', or 'dm.microsoft.com' endpoints.

You can modify proxy server settings on individual client computers. You can also use Group Policy settings to change settings for all client computers located behind a specified proxy server.

Managed devices require configurations that let All Users access services through firewalls.
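The two proxy constraints above (unauthenticated access for some hosts, no SSL inspection for others) can be checked against a proxy policy before rollout. The following PowerShell is an added example, not part of the original article: the policy rows, their property names and the first-match-wins behaviour are assumptions, and swda01-mscdn.azureedge.net (from the core service table) stands in for *.azureedge.net.

```powershell
# Requirements stated on this page. NoAuth = unauthenticated proxy access needed,
# NoInspect = SSL inspection not supported on this endpoint.
$requirements = @(
    [pscustomobject]@{ Fqdn = 'manage.microsoft.com';       NoAuth = $true;  NoInspect = $true  }
    [pscustomobject]@{ Fqdn = 'a.manage.microsoft.com';     NoAuth = $false; NoInspect = $true  }
    [pscustomobject]@{ Fqdn = 'dm.microsoft.com';           NoAuth = $false; NoInspect = $true  }
    [pscustomobject]@{ Fqdn = 'graph.microsoft.com';        NoAuth = $true;  NoInspect = $false }
    [pscustomobject]@{ Fqdn = 'swda01-mscdn.azureedge.net'; NoAuth = $true;  NoInspect = $false }
)

# Constructed proxy policy (hypothetical schema): the first matching pattern wins.
$policy = @(
    [pscustomobject]@{ Pattern = '*.manage.microsoft.com'; RequireAuth = $false; Inspect = $false }
    [pscustomobject]@{ Pattern = '*.azureedge.net';        RequireAuth = $false; Inspect = $true  }
    [pscustomobject]@{ Pattern = 'graph.microsoft.com';    RequireAuth = $true;  Inspect = $true  }
    [pscustomobject]@{ Pattern = '*';                      RequireAuth = $true;  Inspect = $true  }
)

function Test-IntuneProxyPolicy {
    # Reports, per required host, which rule applies and which requirement it breaks.
    param(
        [Parameter(Mandatory)][object[]]$Requirement,
        [Parameter(Mandatory)][object[]]$Policy
    )

    foreach ($req in $Requirement) {
        # -like does wildcard matching; '*.example.com' does not match 'example.com'.
        $rule = $Policy |
            Where-Object { $req.Fqdn -like $_.Pattern } |
            Select-Object -First 1

        $findings = @()
        if (-not $rule) {
            $findings += 'no rule matches'
        }
        if ($rule -and $req.NoAuth -and $rule.RequireAuth) {
            $findings += 'proxy authentication required'
        }
        if ($rule -and $req.NoInspect -and $rule.Inspect) {
            $findings += 'SSL inspection enabled'
        }
        $status = if ($findings) { $findings -join '; ' } else { 'OK' }

        [pscustomobject]@{
            Fqdn        = $req.Fqdn
            MatchedRule = $rule.Pattern
            Status      = $status
        }
    }
}

Test-IntuneProxyPolicy -Requirement $requirements -Policy $policy |
    Format-Table -AutoSize
```

With the sample policy, the bare name manage.microsoft.com is not covered by the *.manage.microsoft.com pattern and falls through to the default rule, which is why the tables list the wildcard and the bare name separately.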

PowerShell script

To make it easier to configure services through firewalls, we have onboarded with the Office 365 Endpoint service. At this time, the Intune endpoint information is accessed through a PowerShell script. There are other dependent services for Intune, which are already covered as part of the Microsoft 365 Service and are marked as 'required'. Services already covered by Microsoft 365 aren't included in the script to avoid duplication.

By using the following PowerShell script, you can retrieve the list of IP addresses for the Intune service.

(Invoke-RestMethod -Uri ("https://endpoints.office.com/endpoints/WorldWide?ServiceAreas=MEM&clientrequestid=" + ([GUID]::NewGuid()).Guid)) | Where-Object { $_.ServiceArea -eq "MEM" -and $_.ips } | Select-Object -Unique -ExpandProperty ips

By using the following PowerShell script, you can retrieve the list of FQDNs used by Intune and dependent services. When you run the script, the URLs in the script output may be different than the URLs in the following tables. At a minimum, make sure you include the URLs in the tables.

(Invoke-RestMethod -Uri ("https://endpoints.office.com/endpoints/WorldWide?ServiceAreas=MEM&clientrequestid=" + ([GUID]::NewGuid()).Guid)) | Where-Object { $_.ServiceArea -eq "MEM" -and $_.urls } | Select-Object -Unique -ExpandProperty urls

The script provides a convenient method to list and review all services required by Intune and Autopilot in one location. Additional properties can be returned from the endpoint service such as the category property, which indicates whether the FQDN or IP should be configured as Allow, Optimize or Default.
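To review the category and the other properties alongside each address, the endpoint sets can be expanded into one row per FQDN or IP range. This is an added example, not part of the original article; it runs on a constructed sample in the shape of the service response, with values copied from the tables on this page, and the function name is hypothetical.

```powershell
# Constructed sample in the shape returned by the endpoint service. Values are
# copied from the tables on this page; the IP list for ID 163 is cut to two ranges.
$sampleJson = @'
[
  { "id": 163, "serviceArea": "MEM", "category": "Allow", "required": true,
    "expressRoute": false, "tcpPorts": "80,443",
    "urls": ["*.manage.microsoft.com", "manage.microsoft.com"],
    "ips": ["104.46.162.96/27", "13.67.13.176/28"] },
  { "id": 172, "serviceArea": "MEM", "category": "Default", "required": true,
    "expressRoute": false, "tcpPorts": "7680,3544,80,443",
    "urls": ["*.do.dsp.mp.microsoft.com", "*.dl.delivery.mp.microsoft.com"] },
  { "id": 170, "serviceArea": "MEM", "category": "Default", "required": true,
    "expressRoute": false, "tcpPorts": "443",
    "urls": ["swda01-mscdn.azureedge.net", "swda02-mscdn.azureedge.net"] }
]
'@

function ConvertTo-FirewallRow {
    # Expands each endpoint set into one row per address, so every FQDN or
    # CIDR range carries its own category, required flag and ports.
    param([Parameter(Mandatory)][object[]]$EndpointSet)

    foreach ($set in $EndpointSet) {
        # A set can carry urls, ips or both; a missing property yields $null,
        # which the filter drops.
        $addresses = @($set.urls) + @($set.ips) | Where-Object { $_ }
        foreach ($address in $addresses) {
            $kind = if ($address -like '*/*') { 'CIDR' } else { 'FQDN' }
            [pscustomobject]@{
                Id           = $set.id
                Category     = $set.category
                Required     = [bool]$set.required
                ExpressRoute = [bool]$set.expressRoute
                Kind         = $kind
                Address      = $address
                TcpPorts     = $set.tcpPorts
            }
        }
    }
}

# Assign before enumerating: Windows PowerShell 5.1 emits a JSON array as a
# single object when piped straight from ConvertFrom-Json.
$endpointSets = ConvertFrom-Json -InputObject $sampleJson
$rows = ConvertTo-FirewallRow -EndpointSet $endpointSets

$rows | Sort-Object Category, Id, Kind |
    Format-Table Id, Category, Required, Kind, Address, TcpPorts -AutoSize
```

To run it against live data, replace `$endpointSets` with the output of the Invoke-RestMethod call shown above.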

Endpoints

You'll also need FQDNs that are covered as part of Microsoft 365 Requirements. For reference, the following tables show the service they're tied to, and the list of URLs returned.

The data columns shown in the tables are:

ID: The ID number of the row, also known as an endpoint set. This ID is the same as is returned by the web service for the endpoint set.

Category: Shows whether the endpoint set is categorized as Optimize, Allow, or Default. This column also lists which endpoint sets are required to have network connectivity. For endpoint sets that aren't required to have network connectivity, we provide notes in this field to indicate what functionality would be missing if the endpoint set is blocked. If you're excluding an entire service area, the endpoint sets listed as required don't require connectivity.

You can read about these categories and guidance for their management in New Microsoft 365 endpoint categories.

ER: This is Yes/True if the endpoint set is supported over Azure ExpressRoute with Microsoft 365 route prefixes. The BGP community that includes the route prefixes shown aligns with the service area listed. When ER is No / False, then ExpressRoute is not supported for this endpoint set.

Addresses: Lists the FQDNs or wildcard domain names and IP address ranges for the endpoint set. Note that an IP address range is in CIDR format and may include many individual IP addresses in the specified network.

Ports: Lists the TCP or UDP ports that are combined with listed IP addresses to form the network endpoint. You may notice some duplication in IP address ranges where there are different ports listed.

Intune core service

| ID | Desc | Category | ER | Addresses | Ports |
| --- | --- | --- | --- | --- | --- |
| 163 | Endpoint Manager client and host service | Allow, Required | False | *.manage.microsoft.com, manage.microsoft.com, EnterpriseEnrollment.manage.microsoft.com, 104.46.162.96/27, 13.67.13.176/28, 13.67.15.128/27, 13.69.231.128/28, 13.69.67.224/28, 13.70.78.128/28, 13.70.79.128/27, 13.71.199.64/28, 13.73.244.48/28, 13.74.111.192/27, 13.77.53.176/28, 13.86.221.176/28, 13.89.174.240/28, 13.89.175.192/28, 20.189.229.0/25, 20.191.167.0/25, 20.37.153.0/24, 20.37.192.128/25, 20.38.81.0/24, 20.41.1.0/24, 20.42.1.0/24, 20.42.130.0/24, 20.42.224.128/25, 20.43.129.0/24, 20.44.19.224/27, 20.49.93.160/27, 40.119.8.128/25, 40.67.121.224/27, 40.70.151.32/28, 40.71.14.96/28, 40.74.25.0/24, 40.78.245.240/28, 40.78.247.128/27, 40.79.197.64/27, 40.79.197.96/28, 40.80.180.208/28, 40.80.180.224/27, 40.80.184.128/25, 40.82.248.224/28, 40.82.249.128/25, 52.150.137.0/25, 52.162.111.96/28, 52.168.116.128/27, 52.182.141.192/27, 52.236.189.96/27, 52.240.244.160/27, 20.204.193.12/30, 20.204.193.10/31, 20.192.174.216/29, 20.192.159.40/29 | TCP: 80, 443 |
| 172 | MDM Delivery Optimization | Default, Required | False | *.do.dsp.mp.microsoft.com, *.dl.delivery.mp.microsoft.com, *.emdl.ws.microsoft.com, kv801.prod.do.dsp.mp.microsoft.com, geo.prod.do.dsp.mp.microsoft.com, emdl.ws.microsoft.com, 2.dl.delivery.mp.microsoft.com, bg.v4.emdl.ws.microsoft.com | TCP: 7680, 3544, 80, 443 |
| 170 | MEM - PS and Win32Apps | Default, Required | False | swda01-mscdn.azureedge.net, swda02-mscdn.azureedge.net, swdb01-mscdn.azureedge.net, swdb02-mscdn.azureedge.net, swdc01-mscdn.azureedge.net, swdc02-mscdn.azureedge.net, swdd01-mscdn.azureedge.net, swdd02-mscdn.azureedge.net, swdin01-mscdn.azureedge.net, swdin02-mscdn.azureedge.net | TCP: 443 |

Autopilot dependencies

| ID | Desc | Category | ER | Addresses | Ports |
| --- | --- | --- | --- | --- | --- |
| 164 | Autopilot - Windows Update | Default, Required | False | *.download.windowsupdate.com, *.windowsupdate.com, *.dl.delivery.mp.microsoft.com, *.prod.do.dsp.mp.microsoft.com, emdl.ws.microsoft.com, *.delivery.mp.microsoft.com, *.update.microsoft.com, tsfe.trafficshaping.dsp.mp.microsoft.com, au.download.windowsupdate.com, 2.dl.delivery.mp.microsoft.com, download.windowsupdate.com, dl.delivery.mp.microsoft.com, geo.prod.do.dsp.mp.microsoft.com, catalog.update.microsoft.com | TCP: 443 |
| 165 | Autopilot - NTP Sync | Default, Required | False | time.windows.com, www.msftncsi.com, www.msftconnecttest.com | |
| 169 | Autopilot - WNS Dependencies | Default, Required | False | clientconfig.passport.net, windowsphone.com, *.s-microsoft.com, www.msftncsi.com, c.s-microsoft.com | |
| 173 | Autopilot - 3rd party deployment dependencies | Default, Required | False | ekop.intel.com, ekcert.spserv.microsoft.com, ftpm.amd.com | TCP: 443 |
| 182 | Autopilot - Diagnostics upload | Default, Required | False | lgmsapeweu.blob.core.windows.net | TCP: 443 |

Remote Help

| ID | Desc | Category | ER | Addresses | Ports | Notes |
| --- | --- | --- | --- | --- | --- | --- |
| 181 | MEM - Remote Help Feature | Default, Required | False | *.support.services.microsoft.com, remoteassistance.support.services.microsoft.com, rdprelayv3eastusprod-0.support.services.microsoft.com, *.trouter.skype.com, remoteassistanceprodacs.communication.azure.com, edge.skype.com, aadcdn.msftauth.net, aadcdn.msauth.net, alcdn.msauth.net, wcpstatic.microsoft.com, *.aria.microsoft.com, browser.pipe.aria.microsoft.com, *.events.data.microsoft.com, v10.events.data.microsoft.com, *.monitor.azure.com, js.monitor.azure.com, edge.microsoft.com, *.trouter.communication.microsoft.com, go.trouter.communication.microsoft.com, *.trouter.teams.microsoft.com, trouter2-usce-1-a.trouter.teams.microsoft.com, api.flightproxy.skype.com, ecs.communication.microsoft.com, remotehelp.microsoft.com, trouter-azsc-usea-0-a.trouter.skype.com | TCP: 443 | |
| 187 | Dependency - Remote Help web pubsub | Default, Required | False | *.webpubsub.azure.com, AMSUA0101-RemoteAssistService-pubsub.webpubsub.azure.com | TCP: 443 | |
| 188 | Remote Help Dependancy for GCC customers | Default, Required | False | remoteassistanceweb-gcc.usgov.communication.azure.us, gcc.remotehelp.microsoft.com, gcc.relay.remotehelp.microsoft.com | TCP: 443 | |

Intune dependencies

In this section, the following tables list the Intune dependencies and the ports and services that the Intune client accesses.

Windows Push Notification Services (WNS) dependencies

| ID | Desc | Category | ER | Addresses | Ports |
| --- | --- | --- | --- | --- | --- |
| 171 | MEM - WNS Dependencies | Default, Required | False | *.notify.windows.com, *.wns.windows.com, sinwns1011421.wns.windows.com, sin.notify.windows.com | TCP: 443 |

For Intune-managed Windows devices managed using Mobile Device Management (MDM), device actions and other immediate activities require the use of Windows Push Notification Services (WNS). For more information, see Allowing Windows Notification traffic through enterprise firewalls.

Delivery optimization dependencies

| ID | Desc | Category | ER | Addresses | Ports |
| --- | --- | --- | --- | --- | --- |
| 172 | MDM - Delivery Optimization Dependencies | Default, Required | False | *.do.dsp.mp.microsoft.com, *.dl.delivery.mp.microsoft.com, *.emdl.ws.microsoft.com, kv801.prod.do.dsp.mp.microsoft.com, geo.prod.do.dsp.mp.microsoft.com, emdl.ws.microsoft.com, 2.dl.delivery.mp.microsoft.com, bg.v4.emdl.ws.microsoft.com | TCP: 443 |

Port requirements - For peer-to-peer traffic, Delivery Optimization uses 7680 for TCP/IP or 3544 for NAT traversal (optionally Teredo). For client-service communication, it uses HTTP or HTTPS over port 80/443.

Proxy requirements - To use Delivery Optimization, you must allow Byte Range requests. For more information, see Proxy requirements for Windows Update.

Firewall requirements - Allow the following hostnames through your firewall to support Delivery Optimization. For communication between clients and the Delivery Optimization cloud service:

  • *.do.dsp.mp.microsoft.com

For Delivery Optimization metadata:

  • *.dl.delivery.mp.microsoft.com
  • *.emdl.ws.microsoft.com

Apple dependencies

| ID | Desc | Category | ER | Addresses | Ports |
| --- | --- | --- | --- | --- | --- |
| 178 | MEM - Apple Dependencies | Default, Required | False | itunes.apple.com, *.itunes.apple.com, *.mzstatic.com, *.phobos.apple.com, phobos.itunes-apple.com.akadns.net, 5-courier.push.apple.com, phobos.apple.com, ocsp.apple.com, ax.itunes.apple.com, ax.itunes.apple.com.edgesuite.net, s.mzstatic.com, a1165.phobos.apple.com | TCP: 80, 443, 5223 |

For more information, see Use Apple products on enterprise networks, TCP and UDP ports used by Apple software products, About macOS, iOS/iPadOS, and iTunes server host connections and iTunes background processes, and If your macOS and iOS/iPadOS clients aren't getting Apple push notifications.

Android AOSP dependencies

| ID | Desc | Category | ER | Addresses | Ports |
| --- | --- | --- | --- | --- | --- |
| 179 | MEM - Android AOSP Dependency | Default, Required | False | intunecdnpeasd.azureedge.net | TCP: 443 |

Note

Because Google Mobile Services isn't available in China, devices in China managed by Intune can't use features that require Google Mobile Services. These features include Google Play Protect capabilities such as SafetyNet device attestation, managing apps from the Google Play Store, and Android Enterprise capabilities (see this Google documentation). Additionally, the Intune Company Portal app for Android uses Google Mobile Services to communicate with the Microsoft Intune service. Because Google Play services isn't available in China, some tasks can require up to 8 hours to finish. For more information, see this article.

Android port information - Depending on how you choose to manage Android devices, you may need to open the Google Android Enterprise ports and/or the Android push notification. For more information on Android management methods supported, see the Android enrollment documentation.

Google Android Enterprise - Google provides documentation of required network ports and destination host names in their Android Enterprise Bluebook, under the Firewall section of that document.

Android push notification - Intune leverages Google Firebase Cloud Messaging (FCM) for push notification to trigger device actions and check-ins. This is required by both Android Device Administrator and Android Enterprise. For information on FCM network requirements, see Google's FCM ports and your firewall.

Microsoft Azure Attestation

| ID | Desc | Category | ER | Addresses | Ports |
| --- | --- | --- | --- | --- | --- |
| 186 | Microsoft Azure Attestation | Default, Required | False | intunemaape1.eus.attest.azure.net, intunemaape2.eus2.attest.azure.net, intunemaape3.cus.attest.azure.net, intunemaape4.wus.attest.azure.net, intunemaape5.scus.attest.azure.net, intunemaape7.neu.attest.azure.net, intunemaape8.neu.attest.azure.net, intunemaape9.neu.attest.azure.net, intunemaape10.weu.attest.azure.net, intunemaape11.weu.attest.azure.net, intunemaape12.weu.attest.azure.net, intunemaape13.jpe.attest.azure.net, intunemaape17.jpe.attest.azure.net, intunemaape18.jpe.attest.azure.net, intunemaape19.jpe.attest.azure.net | TCP: 443 |

Authentication dependencies

| ID | Desc | Category | ER | Addresses | Ports |
| --- | --- | --- | --- | --- | --- |
| 56 | Authentication and Identity, includes Azure Active Directory and Azure AD related services. | Allow, Required | True | login.microsoftonline.com, graph.windows.net | TCP: 80, 443 |
| 150 | Office Customization Service provides Office 365 ProPlus deployment configuration, application settings, and cloud based policy management. | Default | False | *.officeconfig.msocdn.com, config.office.com | TCP: 443 |
| 59 | Identity supporting services & CDNs. | Default, Required | False | enterpriseregistration.windows.net | TCP: 80, 443 |

For more information, go to Office 365 URLs and IP address ranges.

Network requirements for PowerShell scripts and Win32 apps

If you're using Intune to deploy PowerShell scripts or Win32 apps, you'll also need to grant access to the endpoints for the location in which your tenant currently resides.

To find your tenant location (or Azure Scale Unit (ASU)), sign in to the Microsoft Intune admin center, choose Tenant administration > Tenant details. The location is under Tenant location as something like North America 0501 or Europe 0202. Look for the matching number in the following table. That row will tell you which storage name and CDN endpoints to grant access to. The rows are differentiated by geographic region, as indicated by the first two letters in the names (na = North America, eu = Europe, ap = Asia Pacific). Your tenant location is one of these three regions although your organization's actual geographic location might be elsewhere.

Note

Allowing HTTP partial responses is required for the Scripts & Win32 Apps endpoints.

| Azure Scale Unit (ASU) | Storage name | CDN |
| --- | --- | --- |
| AMSUA0601, AMSUA0602, AMSUA0101, AMSUA0102, AMSUA0201, AMSUA0202, AMSUA0401, AMSUA0402, AMSUA0501, AMSUA0502, AMSUA0601, AMSUA0701, AMSUA0702, AMSUA0801, AMSUA0901 | naprodimedatapri, naprodimedatasec, naprodimedatahotfix | naprodimedatapri.azureedge.net, naprodimedatasec.azureedge.net, naprodimedatahotfix.azureedge.net |
| AMSUB0101, AMSUB0102, AMSUB0201, AMSUB0202, AMSUB0301, AMSUB0302, AMSUB0501, AMSUB0502, AMSUB0601, AMSUB0701 | euprodimedatapri, euprodimedatasec, euprodimedatahotfix | euprodimedatapri.azureedge.net, euprodimedatasec.azureedge.net, euprodimedatahotfix.azureedge.net |
| AMSUC0101, AMSUC0201, AMSUC0301, AMSUC0501, AMSUC0601, AMSUD0101 | approdimedatapri, approdimedatasec, approdimedatahotifx | approdimedatapri.azureedge.net, approdimedatasec.azureedge.net, approdimedatahotfix.azureedge.net |

Microsoft Store

Managed Windows devices using the Microsoft Store – either to acquire, install, or update apps – will need access to these endpoints.

Microsoft Store API (AppInstallManager):

  • displaycatalog.md.mp.microsoft.com
  • purchase.md.mp.microsoft.com
  • licensing.mp.microsoft.com
  • storeedgefd.dsx.mp.microsoft.com

Windows Update Agent:

For details, see the following resources:

Win32 content download:

Win32 content download locations and endpoints are unique per application and are provided by the external publisher. You can find the location for each Win32 Store app using the following command on a test system (you can obtain the [PackageId] for a Store app by referencing the Package Identifier property of the app after adding it to Microsoft Intune):

winget show [PackageId]

The Installer Url property shows either the external download location or the region-based (Microsoft-hosted) fallback cache, depending on whether the cache is in use. Note that the content download location can change between the cache and the external location.

Microsoft-hosted Win32 app fallback cache:

  • Varies by region, example: sparkcdneus2.azureedge.net, sparkcdnwus2.azureedge.net

Delivery Optimization (optional, required for peering):

For details, see the following resource:

Migrating device health attestation compliance policies to Microsoft Azure attestation

If a customer enables any of the Windows 10/11 Compliance policy - Device Health settings, then Windows 11 devices will begin to use a Microsoft Azure Attestation (MAA) service based on their Intune tenant location. However, Windows 10 and GCCH/DOD environments will continue to use the existing Device Health Attestation (DHA) endpoint 'has.spserv.microsoft.com' for device health attestation reporting and aren't impacted by this change.

If a customer has firewall policies that prevent access to the new Intune MAA service for Windows 11, then Windows 11 devices with assigned compliance policies using any of the device health settings (BitLocker, Secure Boot, Code Integrity) will fall out of compliance as they're unable to reach the MAA attestation endpoints for their location.

Ensure there are no firewall rules blocking outbound HTTPS/443 traffic to the endpoints listed in this section based on your Intune tenant's location.

To find your tenant location, go to the Intune admin center > Tenant administration > Tenant status > Tenant details, and see Tenant location.

  • 'https://intunemaape1.eus.attest.azure.net'

  • 'https://intunemaape2.eus2.attest.azure.net'

  • 'https://intunemaape3.cus.attest.azure.net'

  • 'https://intunemaape4.wus.attest.azure.net'

  • 'https://intunemaape5.scus.attest.azure.net'

  • 'https://intunemaape6.ncus.attest.azure.net'

Endpoint analytics

For more information on the required endpoints for Endpoint analytics, see Endpoint analytics proxy configuration.

Microsoft Defender for Endpoint

For more information about configuring Defender for Endpoint connectivity, see Connectivity Requirements.

Allow the following hostnames through your firewall to support Defender for Endpoint security settings management. For communication between clients and the cloud service:

  • *.dm.microsoft.com - The use of a wildcard supports the cloud-service endpoints that are used for enrollment, check-in, and reporting, and which can change as the service scales.

    Important

    SSL Inspection is not supported on the 'dm.microsoft.com' endpoint.

Microsoft Intune Endpoint Privilege Management

Allow the following hostnames through your firewall to support Endpoint Privilege Management.

For communication between clients and the cloud service:

  • *.dm.microsoft.com - The use of a wildcard supports the cloud-service endpoints that are used for enrollment, check-in, and reporting, and which can change as the service scales.

  • *.events.data.microsoft.com - Used by Intune-managed devices to send optional reporting data to the Intune data collection endpoint.

    Important

    SSL Inspection is not supported on the 'dm.microsoft.com' endpoint.

For more information, see the Overview of Endpoint Privilege Management.

Office 365 URLs and IP address ranges

Microsoft 365 network connectivity overview

Content delivery networks (CDNs)

Other endpoints not included in the Office 365 IP Address and URL Web service

Managing Office 365 endpoints