Identify the endpoints required for Microsoft 365 to function properly
Because Microsoft 365 is a Software as a Service (SaaS) application, it has a large number of URLs and IP addresses representing Microsoft 365 service front-end servers. These URLs and IP addresses are referred to as endpoints. They can be used by customers to identify specific network traffic that's destined for Microsoft 365.
The following table identifies the IP addresses and URLs that are required for Microsoft 365 to function correctly.
Note
The Row column identifies whether there's a specific subnet you must use if configuring the routing table for your network. The ExpressRoute for Microsoft 365 BGP Communities column identifies whether Microsoft 365 IP prefixes advertised over ExpressRoute have service-specific BGP community values.
| Row | Purpose / Destination | ExpressRoute for Microsoft 365 BGP Communities | CIDR Address | Port |
| --- | --- | --- | --- | --- |
| 1 | Required: Internet egress and DNS resolution as close to the user as possible. Ensure public resources such as certificate revocation lists are accessible. Destination: Microsoft 365 uses many different certificate providers. See the Office 365 Certificate Chains site for the complete list of known Microsoft 365 root certificates that customers may come across when accessing Microsoft 365. | No | N/A | TCP 80 and 443 |
| 2 | Required: Microsoft 365 portal. Destination: *.office365.com admin.microsoft.com | No | | TCP 443 |
| 3 | Required: Microsoft 365 portal and shared infrastructure (including Cloud App Security and Delve). Destination: *.portal.cloudappsecurity.com *.us.portal.cloudappsecurity.com *.eu.portal.cloudappsecurity.com *.eu2.portal.cloudappsecurity.com *.us2.portal.cloudappsecurity.com *.us3.portal.cloudappsecurity.com <tenant>.onmicrosoft.com account.office.net agent.office.net apc.delve.office.com aus.delve.office.com can.delve.office.com delve.office.com eur.delve.office.com gbr.delve.office.com home.office.com ind.delve.office.com jpn.delve.office.com kor.delve.office.com lam.delve.office.com nam.delve.office.com portal.office.com outlook.office365.com suite.office.net webshell.suite.office.com office.com | Yes | | TCP 443 |
| 4 | Required: Microsoft 365 Aria service (used with Skype for Business Online, Microsoft Teams, StaffHub, Outlook App, and other services). Destination: *.aria.microsoft.com browser.pipe.aria.microsoft.com mobile.pipe.aria.microsoft.com | Yes | | TCP 443 |
| 5 | Required: Microsoft 365 portal (including shared Telemetry). Destination: portal.microsoftonline.com clientlog.portal.office.com nexus.officeapps.live.com nexusrules.officeapps.live.com | No | portal and shared IP ranges - Internet-only IPs. | TCP 443 |
| 6 | Required: shared infrastructure, help, and CDNs. Destination: amp.azure.net *.o365weve.com auth.gfx.ms appsforoffice.microsoft.com assets.onestore.ms az826701.vo.msecnd.net c.microsoft.com c1.microsoft.com client.hip.live.com contentstorage.osi.office.net dgps.support.microsoft.com learn.microsoft.com groupsapi-prod.outlookgroups.ms groupsapi2-prod.outlookgroups.ms groupsapi3-prod.outlookgroups.ms groupsapi4-prod.outlookgroups.ms learn.microsoft.com msdn.microsoft.com platform.linkedin.com products.office.com prod.msocdn.com r1.res.office365.com r4.res.office365.com res.delve.office.com shellprod.msocdn.com support.content.office.net support.microsoft.com support.office.com technet.microsoft.com templates.office.com video.osi.office.net videocontent.osi.office.net videoplayercdn.osi.office.net | No | N/A | TCP 443 |
| 7 | Required: Security and Compliance Center, including audit APIs, and Advanced eDiscovery. Destination: *.manage.office.com *.protection.office.com manage.office.com protection.office.com | Yes | | TCP 443 |
| 8 | Optional: Security and Compliance Center PST Import and eDiscovery Export. Destination: *.blob.core.windows.net | No | N/A | TCP 443 |
| 9 | Optional: third-party Office integration (including CDNs). Destination: *.helpshift.com *.localytics.com analytics.localytics.com api.localytics.com connect.facebook.net firstpartyapps.oaspapps.com outlook.uservoice.com prod.firstpartyapps.oaspapps.com.akadns.net rink.hockeyapp.net sdk.hockeyapp.net telemetryservice.firstpartyapps.oaspapps.com web.localytics.com webanalytics.localytics.com wus-firstpartyapps.oaspapps.com | No | N/A | TCP 443 |
| 10 | Optional: some Microsoft 365 features require endpoints within these domains (including CDNs). Note: Many specific FQDNs within these wildcards have been published recently as Microsoft works to either remove or better explain its guidance relating to these wildcards. Destination: *.microsoft.com *.msocdn.com *.office.com *.office.net *.onmicrosoft.com | No | N/A | TCP 80 and 443 |
| 11 | Optional: Microsoft Azure RemoteApp. Destination: liverdcxstorage.blob.core.windowsazure.com telemetry.remoteapp.windowsazure.com vortex.data.microsoft.com | No | N/A | TCP 443 |
| 12 | Optional: Forms, StaffHub, captcha services. Destination: *.blob.core.windows.net *.hockeyapp.net *.sharepointonline.com *.staffhub.office.com api.office.com enterpriseregistration.windows.net dc.applicationinsights.microsoft.com dc.services.visualstudio.com forms.microsoft.com forms.office.com graph.windows.net manage.office.com mem.gfx.ms office365servicehealthcommunications.cloudapp.net securescore.office.com signup.microsoft.com staffhub.ms staffhubweb.azureedge.net staffhub.office.com staffhub.uservoice.com weu-000.forms.osi.office.net wus-000.forms.osi.office.net neu-000.forms.osi.office.net eus2-000.forms.osi.office.net ea-000.forms.osi.office.net watson.telemetry.microsoft.com wu.client.hip.live.com | No | N/A | TCP 443 |
| 13 | Optional: Import Service for PST and file ingestion. Destination: refer to the import service for more requirements. | | | |
| 14 | Optional: Remote Connectivity Analyzer - Initiate connectivity tests. Destination: testconnectivity.microsoft.com | No | 13.67.59.89/32 40.69.150.142/32 40.85.91.8/32 104.211.54.99/32 104.211.54.134/32 | TCP 80 and 443 |
| 15 | Optional: Remote Connectivity Analyzer - Execution of the tests selected by the customer. Source of network requests: testconnectivity.microsoft.com Destination: on-premises systems for email and collaboration. | No | customer IP ranges | 80, 443, 25, POP3 on 110, 995, or Custom, IMAP4 on 143, 993, or Custom |
| 16 | Optional: Microsoft Support and Recover Assistant for Office 365 - validate single sign-on user credentials. Source: o365diagnosticsbasic-eus.cloudapp.net (104.211.54.99), o365diagnosticworker-eus.cloudapp.net (104.211.54.134). Destination: on-premises STS | No | customer IP ranges | customer configurable. Typically TCP 443 |

Additional reading. For more information, see the following article on optional URLs and IP address ranges.
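When the table's destinations are turned into a proxy or firewall allowlist, wildcard entries must match on a DNS label boundary so that look-alike domains are not admitted. The following is an added example, not code from the original page or from Microsoft; `RULES`, `host_matches` and `classify` are hypothetical names, only a subset of rows is transcribed, and it assumes a wildcard covers subdomains but not the apex (row 7 lists both `manage.office.com` and `*.manage.office.com`).

```python
# Added example: allowlist check built from a subset of the table rows.
# Each rule: (table row, required?, allowed TCP ports, destination patterns)
RULES = [
    (2, True, {443}, ["*.office365.com", "admin.microsoft.com"]),
    (4, True, {443}, ["*.aria.microsoft.com",
                      "browser.pipe.aria.microsoft.com",
                      "mobile.pipe.aria.microsoft.com"]),
    (7, True, {443}, ["*.manage.office.com", "*.protection.office.com",
                      "manage.office.com", "protection.office.com"]),
    (8, False, {443}, ["*.blob.core.windows.net"]),
    (14, False, {80, 443}, ["testconnectivity.microsoft.com"]),
]


def host_matches(host, pattern):
    """Match a hostname against an exact FQDN or a '*.' wildcard entry."""
    host = host.lower().rstrip(".")      # normalise case and trailing root dot
    pattern = pattern.lower()
    if pattern.startswith("*."):
        # Keep the leading dot so the match lands on a label boundary:
        # 'evil-office365.com' must not match '*.office365.com'.
        # Assumption: the wildcard does not cover the apex domain itself.
        suffix = pattern[1:]
        return len(host) > len(suffix) and host.endswith(suffix)
    return host == pattern


def classify(host, port):
    """Return (row, 'required' | 'optional') for the first matching rule, else None."""
    for row, required, ports, patterns in RULES:
        if port in ports and any(host_matches(host, p) for p in patterns):
            return row, "required" if required else "optional"
    return None


if __name__ == "__main__":
    # Constructed sample egress connections (host, TCP port), not real logs.
    sample = [
        ("outlook.office365.com", 443),
        ("evil-office365.com", 443),
        ("admin.microsoft.com", 80),
        ("testconnectivity.microsoft.com", 80),
    ]
    for host, port in sample:
        print(f"{host}:{port} -> {classify(host, port)}")
```

Destinations that return `None` are outside the transcribed rows or use a port the row does not list, so they should be reviewed rather than allowed by default.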