Other endpoints not included in the Microsoft 365 IP Address and URL Web service
Some network endpoints were previously published and haven't been included in the Microsoft 365 IP Address and URL Web Service. The web service publishes network endpoints that are required for Microsoft 365 connectivity across an enterprise perimeter network. This scope currently doesn't include:
- Network connectivity that might be required from a Microsoft datacenter to a customer network (inbound hybrid server network traffic).
- Network connectivity from servers on a customer network across the enterprise perimeter (outbound server network traffic).
- Uncommon scenarios for network connectivity requirements from a user.
- DNS resolution connectivity requirement (not listed below).
- Internet Explorer or Microsoft Edge Trusted Sites.
Apart from DNS, these instances are all optional for most customers unless you need the specific scenario that is described.
Row | Purpose | Destination | Type |
---|---|---|---|
1 | Import Service for PST and file ingestion | Refer to the Import Service for more requirements. | Uncommon outbound scenario |
2 | Microsoft Support and Recovery Assistant for Office 365 | https://autodiscover.outlook.com https://officecdn.microsoft.com https://api.diagnostics.office.com https://apibasic.diagnostics.office.com https://autodiscover-s.outlook.com https://cloudcheckenabler.azurewebsites.net https://login.live.com https://login.microsoftonline.com https://login.windows.net https://o365diagtelemetry.trafficmanager.net https://odc.officeapps.live.com https://offcatedge.azureedge.net https://officeapps.live.com https://outlook.office365.com https://outlookdiagnostics.azureedge.net https://sara.api.support.microsoft.com | Outbound server traffic |
3 | Microsoft Entra Connect (w/SSO option) WinRM & remote PowerShell | Customer STS environment (AD FS Server and AD FS Proxy), TCP ports 80 & 443 | Inbound server traffic |
4 | STS such as AD FS Proxy servers (for federated customers only) | Customer STS (such as AD FS Proxy), ports TCP 443 or TCP 49443 w/ClientTLS | Inbound server traffic |
5 | Exchange Online Unified Messaging/SBC integration | Bidirectional between on-premises Session Border Controller and *.um.outlook.com | Outbound server-only traffic |
6 | Mailbox Migration. When mailbox migration is initiated from on-premises Exchange Hybrid to Microsoft 365, Microsoft 365 connects to your published Exchange Web Services (EWS)/Mailbox Replication Services (MRS) server. If you need to allow inbound connections only from specific source IP ranges, create a permit rule for the IP addresses listed in the Exchange Online table in Microsoft 365 URL & IP ranges. To ensure that connectivity to published EWS endpoints (like OWA) isn't blocked, make sure the MRS proxy resolves to a separate FQDN and public IP address before you restrict connections. | Customer on-premises EWS/MRS Proxy, TCP port 443 | Inbound server traffic |
7 | Exchange Hybrid coexistence functions such as Free/Busy sharing. | Customer on-premises Exchange server | Inbound server traffic |
8 | Exchange Hybrid proxy authentication | Customer on-premises STS | Inbound server traffic |
9 | Used to configure Exchange Hybrid, using the Exchange Hybrid Configuration Wizard. Note: These endpoints are only required to configure Exchange hybrid | domains.live.com on TCP ports 80 & 443, only required for Exchange 2010 SP3 Hybrid Configuration Wizard. GCC High, DoD IP addresses: 40.118.209.192/32; 168.62.190.41/32. Worldwide Commercial & GCC: *.store.core.windows.net; asl.configure.office.com; tds.configure.office.com; mshybridservice.trafficmanager.net | Outbound server-only traffic |
10 | The AutoDetect service is used in Exchange Hybrid scenarios with Hybrid Modern Authentication with Outlook for iOS and Android | Customer on-premises Exchange server on TCP 443 | Inbound server traffic |
11 | Exchange hybrid Microsoft Entra authentication | *.msappproxy.net | TCP outbound server-only traffic |
12 | Skype for Business in Office 2016 includes video based screen sharing, which uses UDP ports. Prior Skype for Business clients in Office 2013 and earlier used RDP over TCP port 443. | TCP port 443 opens to 52.112.0.0/14 | Skype for Business older client versions in Office 2013 and earlier |
13 | Skype for Business hybrid on-premises server connectivity to Skype for Business Online | 13.107.64.0/18, 52.112.0.0/14; UDP ports 50,000-59,999; TCP ports 50,000-59,999; 5061 | Skype for Business on-premises server outbound connectivity |
14 | Cloud PSTN with on-premises hybrid connectivity requires network connectivity open to the on-premises hosts. For more details about Skype for Business Online hybrid configurations | See Plan hybrid connectivity between Skype for Business Server and Office 365 | Skype for Business on-premises hybrid inbound |
15 | Authentication and identity FQDNs The FQDN | Trusted Sites | |
16 | Microsoft Teams FQDNs. If you are using Internet Explorer or Microsoft Edge, you need to enable first-party and third-party cookies and add the FQDNs for Teams to your Trusted Sites. This is in addition to the suite-wide FQDNs, CDNs, and telemetry listed in row 14. See Known issues for Microsoft Teams for more information. | Trusted Sites | |
17 | SharePoint Online and OneDrive for Business FQDNs. All '.sharepoint.com' FQDNs with '<tenant>' in the FQDN need to be in your client's IE or Edge Trusted Sites Zone to function. In addition to the suite-wide FQDNs, CDNs, and telemetry listed in row 14, you also need to add these endpoints. | Trusted Sites | |
18 | Yammer. Yammer is only available in the browser and requires the authenticated user to be passed through a proxy. All Yammer FQDNs need to be in your client's IE or Edge Trusted Sites Zone to function. | Trusted Sites | |
19 | Use Microsoft Entra Connect to sync on-premises user accounts to Microsoft Entra ID. | See Hybrid Identity Required Ports and Protocols, Troubleshoot Microsoft Entra connectivity, and Microsoft Entra Connect Health Agent Installation. | Outbound server-only traffic |
20 | Microsoft Entra Connect with 21Vianet in China to sync on-premises user accounts to Microsoft Entra ID. | *.digicert.com:80 *.entrust.net:80 *.chinacloudapi.cn:443 secure.aadcdn.partner.microsoftonline-p.cn:443 *.partner.microsoftonline.cn:443 Also see Troubleshoot ingress with Microsoft Entra connectivity issues. | Outbound server-only traffic |
21 | Microsoft Stream (needs the Microsoft Entra user token). Microsoft 365 Worldwide (including GCC) | *.cloudapp.net *.api.microsoftstream.com *.notification.api.microsoftstream.com amp.azure.net api.microsoftstream.com az416426.vo.msecnd.net s0.assets-yammer.com vortex.data.microsoft.com web.microsoftstream.com, TCP port 443 | Inbound server traffic |
22 | Use MFA server for multifactor authentication requests, both new installations of the server and setting it up with Active Directory Domain Services (AD DS). | See Getting started with the Azure Multi-Factor Authentication Server. | Outbound server-only traffic |
23 | Microsoft Graph Change Notifications. Developers can use change notifications to subscribe to events in the Microsoft Graph. | IP addresses for: Public Cloud; Microsoft Cloud for US Government; Microsoft Cloud China operated by 21Vianet. TCP port 443. Note: Developers can specify different ports when creating the subscriptions. | Inbound server traffic |
24 | Network Connection Status Indicator. Used by Windows 10 and 11 to determine if the computer is connected to the internet (does not apply to non-Windows clients). When this URL cannot be reached, Windows assumes it isn't connected to the Internet and M365 Apps for Enterprise will not try to verify activation status, causing connections to Exchange and other services to fail. | www.msftconnecttest.com; also see Manage connection endpoints for Windows 11 Enterprise and Manage connection endpoints for Windows 10 Enterprise, version 21H2. | Outbound server-only traffic |
25 | Teams Notifications on Mobile Devices. Used by Android and Apple mobile devices to receive push notifications to the Teams client for incoming calls and other Teams services. When these ports are blocked, all push notifications to mobile devices fail. | For specific ports, see FCM ports and your firewall in the Google Firebase documentation and If your Apple devices aren't getting Apple push notifications. | Outbound server-only traffic |
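
The following is an added example, not Microsoft's code: it turns the destinations in rows 12 and 13 into a check over egress flow records, so that flows from a Skype for Business host that fall outside the table stand out for review. The log format, the sample addresses, and the names `RULES`, `match_rows` and `audit` are assumptions made for illustration.

```python
import ipaddress

# Destinations transcribed from rows 12 and 13 of the table above.
# Assumption: "5061" in row 13 is read as a TCP port.
RULES = [
    {"row": 12, "nets": ["52.112.0.0/14"], "tcp": [(443, 443)], "udp": []},
    {"row": 13, "nets": ["13.107.64.0/18", "52.112.0.0/14"],
     "tcp": [(50000, 59999), (5061, 5061)], "udp": [(50000, 59999)]},
]

def match_rows(dst_ip, proto, dst_port):
    """Return the table rows whose range and port list cover this flow."""
    addr = ipaddress.ip_address(dst_ip)
    rows = []
    for rule in RULES:
        in_net = any(addr in ipaddress.ip_network(n) for n in rule["nets"])
        in_port = any(lo <= dst_port <= hi for lo, hi in rule.get(proto, []))
        if in_net and in_port:
            rows.append(rule["row"])
    return rows

# Constructed sample records, one flow per line: "src dst proto dport".
SAMPLE_LOG = """\
10.0.5.20 52.113.10.8 udp 50020
10.0.5.20 52.114.1.1 tcp 5061
10.0.5.20 13.107.64.9 tcp 443
10.0.5.20 13.107.128.1 tcp 5061
10.0.5.20 52.112.0.5 tcp 443
10.0.5.20 203.0.113.7 udp 50500
"""

def audit(log_text):
    """Return (covered, uncovered) lists of (line, matching_rows)."""
    covered, uncovered = [], []
    for line in log_text.splitlines():
        try:
            _src, dst, proto, port = line.split()
            rows = match_rows(dst, proto.lower(), int(port))
        except ValueError:  # wrong field count, bad address or bad port
            rows = []
        (covered if rows else uncovered).append((line, rows))
    return covered, uncovered

if __name__ == "__main__":
    ok, review = audit(SAMPLE_LOG)
    for line, rows in ok:
        print("covered by row(s)", rows, ":", line)
    for line, _ in review:
        print("REVIEW (outside rows 12-13):", line)
```

Flows reported for review are not necessarily wrong; they may be covered by another row or by the web service's published endpoints.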
Related Topics
Managing Microsoft 365 endpoints
Monitor Microsoft 365 connectivity
Azure IP Ranges and Service Tags – Public Cloud
Azure IP Ranges and Service Tags – US Government Cloud
Azure IP Ranges and Service Tags – Germany Cloud