Network endpoints for Microsoft Intune
This article lists IP addresses and port settings needed for proxy settings in your Microsoft Intune deployments.
As a cloud-only service, Intune doesn't require an on-premises infrastructure such as servers or gateways.
Access for managed devices
To manage devices behind firewalls and proxy servers, you must enable communication for Intune.
Note
The information in this section also applies to the Microsoft Intune Certificate Connector. The connector has the same network requirements as managed devices.
- The proxy server must support both HTTP (80) and HTTPS (443) because Intune clients use both protocols. Windows Information Protection uses port 444.
- For some tasks (like downloading software updates for the classic pc agent), Intune requires unauthenticated proxy server access to manage.microsoft.com
Note
The inspection of SSL traffic is not supported to 'manage.microsoft.com' endpoint.
You can modify proxy server settings on individual client computers. You can also use Group Policy settings to change settings for all client computers located behind a specified proxy server.
Managed devices require configurations that let All Users access services through firewalls.
To make it easier to configure services through firewalls, we have onboarded with the Office 365 Endpoint service. At this time, the Intune services are accessed through a PowerShell script. There are other dependent services for Intune which are already covered as part of the M365 Service and are marked as 'required'. Services already covered by M365 are not included in the script to avoid duplication. By using the following PowerShell script, you can retrieve the list of IP addresses for the Intune service. This provides the same list as the subnets indicated in the IP address table below.
(invoke-restmethod -Uri ("https://endpoints.office.com/endpoints/WorldWide?ServiceAreas=MEM`&clientrequestid=" + ([GUID]::NewGuid()).Guid)) | ?{$_.ServiceArea -eq "MEM" -and $_.ips} | select -unique -ExpandProperty ips
By using the following PowerShell script, you can retrieve the list of FQDNs used by Intune and Autopilot.
(invoke-restmethod -Uri ("https://endpoints.office.com/endpoints/WorldWide?ServiceAreas=MEM`&clientrequestid=" + ([GUID]::NewGuid()).Guid)) | ?{$_.ServiceArea -eq "MEM" -and $_.urls} | select -unique -ExpandProperty urls
This provides a convenient method to list and review all services required by Intune and autopilot in one location. You will also need FQDN's that are covered as part of M365 Requirements. For reference this is the list of URL's returned, and the service they are tied to.
| FQDN | Associated Service |
|---|---|
| *.manage.microsoft.com | Intune Service |
| manage.microsoft.com | Intune Service |
| *.delivery.mp.microsoft.com | Delivery Optimization |
| *.prod.do.dsp.mp.microsoft.com | Delivery Optimization |
| *.update.microsoft.com | Delivery Optimization |
| *.windowsupdate.com | Delivery Optimization |
| emdl.ws.microsoft.com | Delivery Optimization |
| tsfe.trafficshaping.dsp.mp.microsoft.com | Delivery Optimization |
| time.windows.com | NTP Sync |
| www.msftconnecttest.com | NTP Sync |
| www.msftncsi.com | NTP Sync |
| *.s-microsoft.com | Windows Notifications & Store |
| clientconfig.passport.net | Windows Notifications & Store |
| windowsphone.com | Windows Notifications & Store |
| approdimedatahotfix.azureedge.net | Scripts & Win32 Apps |
| approdimedatapri.azureedge.net | Scripts & Win32 Apps |
| approdimedatasec.azureedge.net | Scripts & Win32 Apps |
| euprodimedatahotfix.azureedge.net | Scripts & Win32 Apps |
| euprodimedatapri.azureedge.net | Scripts & Win32 Apps |
| euprodimedatasec.azureedge.net | Scripts & Win32 Apps |
| naprodimedatahotfix.azureedge.net | Scripts & Win32 Apps |
| naprodimedatapri.azureedge.net | Scripts & Win32 Apps |
| swda01-mscdn.azureedge.net | Scripts & Win32 Apps |
| swda02-mscdn.azureedge.net | Scripts & Win32 Apps |
| swdb01-mscdn.azureedge.net | Scripts & Win32 Apps |
| swdb02-mscdn.azureedge.net | Scripts & Win32 Apps |
| swdc01-mscdn.azureedge.net | Scripts & Win32 Apps |
| swdc02-mscdn.azureedge.net | Scripts & Win32 Apps |
| swdd01-mscdn.azureedge.net | Scripts & Win32 Apps |
| swdd02-mscdn.azureedge.net | Scripts & Win32 Apps |
| swdin01-mscdn.azureedge.net | Scripts & Win32 Apps |
| swdin02-mscdn.azureedge.net | Scripts & Win32 Apps |
| *.notify.windows.com | Push Notifications |
| *.wns.windows.com | Push Notifications |
| *.dl.delivery.mp.microsoft.com | Delivery Optimization |
| *.do.dsp.mp.microsoft.com | Delivery Optimization |
| *.emdl.ws.microsoft.com | Delivery Optimization |
| ekcert.spserv.microsoft.com | Autopilot Self-deploy |
| ekop.intel.com | Autopilot Self-deploy |
| ftpm.amd.com | Autopilot Self-deploy |
| *.itunes.apple.com | Apple Device Management |
| *.mzstatic.com | Apple Device Management |
| *.phobos.apple.com | Apple Device Management |
| 5-courier.push.apple.com | Apple Device Management |
| ax.itunes.apple.com.edgesuite.net | Apple Device Management |
| itunes.apple.com | Apple Device Management |
| ocsp.apple.com | Apple Device Management |
| phobos.apple.com | Apple Device Management |
| phobos.itunes-apple.com.akadns.net | Apple Device Management |
| intunecdnpeasd.azureedge.net | |
| *.channelservices.microsoft.com | Remote Help |
| *.go-mpulse.net | Remote Help |
| *.infra.lync.com | Remote Help |
| *.resources.lync.com | Remote Help |
| *.support.services.microsoft.com | Remote Help |
| *.trouter.skype.com | Remote Help |
| *.vortex.data.microsoft.com | Remote Help |
| edge.skype.com | Remote Help |
| remoteassistanceprodacs.communication.azure.com | Remote Help |
| lgmsapeweu.blob.core.windows.net | Collect Diagnostics |
The following tables list the ports and services that the Intune client accesses:
| Domains | IP address |
|---|---|
| login.microsoftonline.com *.officeconfig.msocdn.com config.office.com graph.windows.net enterpriseregistration.windows.net |
More information Office 365 URLs and IP address ranges |
| *.manage.microsoft.com manage.microsoft.com |
104.46.162.96/27 13.67.13.176/28 13.67.15.128/27 13.69.231.128/28 13.69.67.224/28 13.70.78.128/28 13.70.79.128/27 13.71.199.64/28 13.73.244.48/28 13.74.111.192/27 13.77.53.176/28 13.86.221.176/28 13.89.174.240/28 13.89.175.192/28 20.189.172.160/27 20.189.229.0/25 20.191.167.0/25 20.37.153.0/24 20.37.192.128/25 20.38.81.0/24 20.41.1.0/24 20.42.1.0/24 20.42.130.0/24 20.42.224.128/25 20.43.129.0/24 20.44.19.224/27 20.49.93.160/27 20.192.174.216/29 20.192.159.40/29 20.204.193.12/30 20.204.193.10/31 40.119.8.128/25 40.67.121.224/27 40.70.151.32/28 40.71.14.96/28 40.74.25.0/24 40.78.245.240/28 40.78.247.128/27 40.79.197.64/27 40.79.197.96/28 40.80.180.208/28 40.80.180.224/27 40.80.184.128/25 40.82.248.224/28 40.82.249.128/25 52.150.137.0/25 52.162.111.96/28 52.168.116.128/27 52.182.141.192/27 52.236.189.96/27 52.240.244.160/27 |
Network requirements for PowerShell scripts and Win32 apps
If you're using Intune to deploy PowerShell scripts or Win32 apps, you'll also need to grant access to endpoints in which your tenant currently resides.
To find your tenant location (or Azure Scale Unit (ASU)), sign in to the Microsoft Intune admin center, choose Tenant administration > Tenant details. The location is under Tenant location as something like North America 0501 or Europe 0202. Look for the matching number in the following table. That row will tell you which storage name and CDN endpoints to grant access to. The rows are differentiated by geographic region, as indicated by the first two letters in the names (na = North America, eu = Europe, ap = Asia Pacific). Your tenant location will be one of these three regions although your organization’s actual geographic location might be elsewhere.
| Azure Scale Unit (ASU) | Storage name | CDN |
|---|---|---|
| AMSUA0601 AMSUA0602 AMSUA0101 AMSUA0102 AMSUA0201 AMSUA0202 AMSUA0401 AMSUA0402 AMSUA0501 AMSUA0502 AMSUA0701 AMSUA0702 AMSUA0801 AMSUA0901 |
naprodimedatapri naprodimedatasec naprodimedatahotfix |
naprodimedatapri.azureedge.net naprodimedatasec.azureedge.net naprodimedatahotfix.azureedge.net |
| AMSUB0101 AMSUB0102 AMSUB0201 AMSUB0202 AMSUB0301 AMSUB0302 AMSUB0501 AMSUB0502 AMSUB0601 AMSUB0701 |
euprodimedatapri euprodimedatasec euprodimedatahotfix |
euprodimedatapri.azureedge.net euprodimedatasec.azureedge.net euprodimedatahotfix.azureedge.net |
| AMSUC0101 AMSUC0201 AMSUC0301 AMSUC0501 AMSUD0101 |
approdimedatapri approdimedatasec approdimedatahotifx |
approdimedatapri.azureedge.net approdimedatasec.azureedge.net approdimedatahotfix.azureedge.net |
Windows Push Notification Services (WNS)
For Intune-managed Windows devices managed using Mobile Device Management (MDM), device actions and other immediate activities require the use of Windows Push Notification Services (WNS). For more information, see Allowing Windows Notification traffic through enterprise firewalls.
Delivery Optimization port requirements
Port requirements
For peer-to-peer traffic, Delivery Optimization uses 7680 for TCP/IP or 3544 for NAT traversal (optionally Teredo). For client-service communication, it uses HTTP or HTTPS over port 80/443.
Proxy requirements
To use Delivery Optimization, you must allow Byte Range requests. For more information, see Proxy requirements for Windows Update.
Firewall requirements
Allow the following hostnames through your firewall to support Delivery Optimization. For communication between clients and the Delivery Optimization cloud service:
- *.do.dsp.mp.microsoft.com
For Delivery Optimization metadata:
- *.dl.delivery.mp.microsoft.com
- *.emdl.ws.microsoft.com
Apple device network information
| Used for | Hostname (IP address/subnet) | Protocol | Port |
|---|---|---|---|
| Retrieving and displaying content from Apple servers | itunes.apple.com *.itunes.apple.com *.mzstatic.com *.phobos.apple.com *.phobos.itunes-apple.com.akadns.net |
HTTP | 80 |
| Communications with APNS servers | #-courier.push.apple.com '#' is a random number from 0 to 50. |
TCP | 5223 and 443 |
| Various functionalities including accessing the World Wide Web, iTunes store, macOS app store, iCloud, messaging, etc. | phobos.apple.com ocsp.apple.com ax.itunes.apple.com ax.itunes.apple.com.edgesuite.net |
HTTP/HTTPS | 80 or 443 |
For more information, see Use Apple products on enterprise networks, TCP and UDP ports used by Apple software products, About macOS, iOS/iPadOS, and iTunes server host connections and iTunes background processes, and If your macOS and iOS/iPadOS clients aren't getting Apple push notifications.
Android port information
Depending on how you choose to manage Android devices, you may need to open the Google Android Enterprise ports and/or the Android push notification. For more information on Android management methods supported, see the Android enrollment documentation.
Note
Because Google Mobile Services isn't available in China, devices in China managed by Intune can't use features that require Google Mobile Services. These features include: Google Play Protect capabilities such as SafetyNet device attestation, Managing apps from the Google Play Store, Android Enterprise capabilities (see this Google documentation). Additionally, the Intune Company Portal app for Android uses Google Mobile Services to communicate with the Microsoft Intune service. Because Google Play services isn't available in China, some tasks can require up to 8 hours to finish. For more information, see this article.
Android (AOSP)
| Used for | Hostname (IP address/subnet) | Protocol | Port |
|---|---|---|---|
| Downloading and installing Microsoft Intune and Microsoft Authenticator apps | intunecdnpeasd.azureedge.net | HTTPS | 443 |
Google Android Enterprise
Google provides documentation of required network ports and destination host names in their Android Enterprise Bluebook, under the Firewall section of that document.
Android push notification
Intune leverages Google Firebase Cloud Messaging (FCM) for push notification to trigger device actions and check-ins. This is required by both Android Device Administrator and Android Enterprise. For information on FCM network requirements, see Google's FCM ports and your firewall.
Endpoint analytics
For more information on the required endpoints for endpoint analytics, see Endpoint analytics proxy configuration.
Microsoft Defender for Endpoint
For more information about configuring Defender for Endpoint connectivity, see Connectivity Requirements
Allow the following hostnames through your firewall to support Security Management for Defender for Endpoint. For communication between clients and the cloud service:
- *.dm.microsoft.com - The use of a wildcard supports the cloud-service endpoints that are used for enrollment, check-in, and reporting, and which can change as the service scales.
Related topics
Office 365 URLs and IP address ranges
Microsoft 365 network connectivity overview
Content delivery networks (CDNs)
Other endpoints not included in the Office 365 IP Address and URL Web service
Feedback
Submit and view feedback for