Configure network ports and protocols for Microsoft Teams
All clients that use Office 365 cloud-based services, including Microsoft Teams, need to connect to the Office 365 endpoints. Office 365 endpoints represent set of destination IP addresses, DNS domain names, and URLs for Office 365 traffic on the Internet.
Different Office 365 clients and devices connect to Office 365 services through multiple network paths and network equipment, including switches, routers, proxy servers, and firewalls. To optimize the performance to Office 365 cloud-based services, the network admins should configure network equipment according to the Office 365 endpoints requirement.
For Teams, you must open TCP ports 80 and 443 and UDP ports 3478 through 3481 from the clients to the internet. The TCP ports are used to connect to web-based content such as SharePoint, Exchange Online, and the Teams Chat services. Plug-ins and connectors also connect over these TCP ports. The four UDP ports are used for media such as audio and video, to ensure they flow correctly.
| Scenario | Source IP/Port | Destination IP/Port |
|---|---|---|
| Non-real-time traffic | Client IP / High ports | Office 365 / 80, 443 TCP |
| Real-time media traffic | Client IP / 50,000-50,059 UDP | Transport Relays / 3478-3481 UDP |
Change management for Office 365 IP addresses and URLs
The Office 365 endpoints change regularly. If you do not manage these changes, you can end up with users blocked or with poor performance after a new IP address or URL is added in Office 365, but the firewall team has not been informed.
Changes to the Microsoft 365 IP addresses and URLs are usually published near the last day of each month. Sometimes a change is published outside of that schedule due to operational, support, or security requirements.
When a change is published that requires you to act because an IP address or URL was added, you should expect to receive 30 days notice from the time we publish the change until there's a Microsoft 365 service on that endpoint. This is reflected as the Effective Date. Although we aim for this notification period, it might not always be possible due to operational, support, or security requirements. Changes that don't require immediate action to maintain connectivity, such as removed IP addresses or URLs or less significant changes, don't include advance notification. In these instances, no Effective Date is provided. Regardless of what notification is provided, we list the expected service active date for each change.
For more information see Microsoft 365 IP Address and URL web service.
Change notification using the Office 365 IP address and URL web service
You can use the Office 365 IP address and URL web service to get change notifications. We recommend you call the /version web method once an hour to check the version of the endpoints that you are using to connect to Office 365. If this version changes when compared to the version that you have in use, then you should get the latest endpoint data from the /endpoints web method and optionally get the differences from the /changes web method. It is not necessary to call the /endpoints or /changes web methods if there has not been any change to the version you found.
Change notification using RSS feeds
The Office 365 IP address and URL web service provide an RSS feed that you can subscribe to in Outlook. There are links to the RSS URLs on each of the Office 365 service instance-specific pages for the IP addresses and URLs.
Change notification and approval review using Power Automate
You can also use Power Automate to create a flow that notifies you by email and optionally runs an approval process for changes when Office 365 network endpoints have changes. Once the review is finished, you can have the flow automatically email the changes to your firewall and proxy server management team.
For more information, see: