Microsoft 365 services require an internet connection to operate at full efficiency. Customers, especially those on plans like GCC, are required to provide access to certain endpoints.
Microsoft 365 Plans and Access Requirements: Microsoft 365 plans offer a variety of options that appeal to different customer groups. Examples include the Microsoft 365 Worldwide, Microsoft 365 operated by 21Vianet, US Government DoD, and GCC High plans, each with different security and access requirements.
Managing Endpoint Data: Endpoint data lists which IP addresses and URLs should be used from user machines to access Microsoft 365. This data is updated regularly each month and announced 30 days before new IP addresses or URLs become active. This allows system administrators to make necessary network configurations in a timely manner. Additional updates can be made throughout the month in cases of emergencies or situations that require security updates.
Endpoint data provided by Microsoft is generated from REST-based web services, and users can access this data via a script or network device.
Endpoint Categories: Microsoft 365 endpoints are classified into three primary workloads and common resources. This classification helps network administrators manage traffic flows for specific applications. However, because some endpoints are used by multiple workloads, these groups cannot be used effectively to limit access.
- ID: Each set of endpoints is assigned an ID number. This ID is the same as the ID returned by the web service.
- Category: Endpoints are categorized as “Optimize,” “Allow,” or “Default.” Endpoints in the “Optimize” category are performance-critical. Those in the “Allow” category indicate that the connection is required. Endpoints in the “Default” category provide additional functionality but are not required.
- ER (ExpressRoute): Indicates whether Microsoft 365 route prefixes are supported over Azure ExpressRoute. Endpoints marked “Yes” are supported over ExpressRoute. However, endpoints marked “No” do not benefit from this support.
IP Addresses and Ports: Endpoints connect to Microsoft 365 services using specific IP addresses and ports. These IP addresses are specified in CIDR format and cover a wide range of IP addresses. Ports can be TCP or UDP ports and vary depending on the type of endpoint.
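The following is an added example, not part of the original article or of Microsoft's tooling. It turns endpoint-set records into IP firewall rules, separates the FQDN-only sets that have to be handled by a proxy or URL filter, and lists the prefixes that several endpoint sets share, which is why the workload groups cannot be used to limit access. The sample records are constructed from rows in this page's tables, and the field names (`id`, `category`, `required`, `urls`, `ips`, `tcpPorts`, `udpPorts`) are assumed to match the web service's JSON output.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample: a few rows from this page's tables, in the JSON shape
# assumed for the endpoint web service (trimmed to the fields used here).
SAMPLE = json.loads("""[
 {"id": 1, "category": "Optimize", "required": true, "tcpPorts": "80,443", "udpPorts": "443",
  "urls": ["outlook.office.com"], "ips": ["13.107.6.152/31", "52.96.0.0/14", "2603:1006::/40"]},
 {"id": 2, "category": "Allow", "required": false, "tcpPorts": "587,993,995,143",
  "urls": ["smtp.office365.com"], "ips": ["13.107.6.152/31", "52.96.0.0/14"]},
 {"id": 11, "category": "Optimize", "required": true, "udpPorts": "3478,3479,3480,3481",
  "ips": ["52.112.0.0/14", "2603:1063::/38"]},
 {"id": 12, "category": "Allow", "required": true, "tcpPorts": "80,443",
  "urls": ["*.teams.microsoft.com"], "ips": ["52.112.0.0/14", "52.238.119.141/32"]},
 {"id": 47, "category": "Default", "required": true, "tcpPorts": "80,443", "urls": ["*.office.net"]}
]""")

def ports(value):
    """'80,443' -> (80, 443); a missing field -> ()."""
    return tuple(sorted(int(p) for p in (value or "").split(",") if p.strip()))

def build_rules(endpoint_sets, required_only=True):
    """Return (ip_rules, fqdn_only). Sets without published IPs cannot be
    allowed by address, so their FQDNs go to proxy/URL filtering instead."""
    ip_rules, fqdn_only = [], []
    for es in endpoint_sets:
        if required_only and not es.get("required"):
            continue
        # strict=True rejects a CIDR with host bits set (malformed feed data).
        nets = [ipaddress.ip_network(c, strict=True) for c in es.get("ips", [])]
        if not nets:
            fqdn_only.extend(es.get("urls", []))
            continue
        for proto in ("tcp", "udp"):
            plist = ports(es.get(proto + "Ports"))
            if plist:
                ip_rules.append({"id": es["id"], "proto": proto, "ports": plist,
                                 "v4": [str(n) for n in nets if n.version == 4],
                                 "v6": [str(n) for n in nets if n.version == 6]})
    return ip_rules, fqdn_only

def shared_prefixes(endpoint_sets):
    """CIDRs published by more than one endpoint set -> the IDs that list them."""
    seen = defaultdict(set)
    for es in endpoint_sets:
        for cidr in es.get("ips", []):
            seen[cidr].add(es["id"])
    return {c: sorted(ids) for c, ids in seen.items() if len(ids) > 1}
```

With the sample data, `shared_prefixes(SAMPLE)` reports that IDs 1 and 2 and IDs 11 and 12 publish the same prefixes, so a rule scoped to one of those endpoint sets also matches traffic for the other.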
Exchange Online URL and IP Address Lists
ID | Category | ER | Addresses | Ports |
---|---|---|---|---|
1 | Optimize Necessary | Yes | outlook.cloud.microsoft, outlook.office.com, outlook.office365.com 13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128 | TCP: 443, 80 UDP: 443 |
2 | Allow Optional Notes: POP3, IMAP4, SMTP Client traffic | Yes | outlook.office365.com, smtp.office365.com 13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128 | TCP: 587, 993, 995, 143 |
8 | Default Necessary | No | *.outlook.com, autodiscover.<tenant>.onmicrosoft.com | TCP: 443, 80 |
9 | Allow Necessary | Yes | *.protection.outlook.com 40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 52.238.78.88/32, 104.47.0.0/17, 2a01:111:f400::/48, 2a01:111:f403::/48 | TCP: 443 |
10 | Allow Necessary | Yes | *.mail.protection.outlook.com, *.mx.microsoft 40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 104.47.0.0/17, 2a01:111:f400::/48, 2a01:111:f403::/48 | TCP: 25 |
SharePoint Online and OneDrive for Business URL and IP Address Lists
ID | Category | ER | Addresses | Ports |
---|---|---|---|---|
31 | Optimize Necessary | Yes | *.sharepoint.com 13.107.136.0/22, 40.108.128.0/17, 52.104.0.0/14, 104.146.128.0/17, 150.171.40.0/22, 2603:1061:1300::/40, 2620:1ec:8f8::/46, 2620:1ec:908::/46, 2a01:111:f402::/48 | TCP: 443, 80 |
32 | Default Optional Notes: OneDrive for Business: Supportability, telemetry, APIs, and email links with attachments | No | ssw.live.com, storage.live.com | TCP: 443 |
33 | Default Optional Notes: SharePoint Hybrid Search – Endpoint for SearchContentService where the hybrid explorer streams documents | No | *.search.production.apac.trafficmanager.net, *.search.production.emea.trafficmanager.net, *.search.production.us.trafficmanager.net | TCP: 443 |
35 | Default Necessary | No | *.wns.windows.com, admin.onedrive.com, officeclient.microsoft.com | TCP: 443, 80 |
36 | Default Necessary | No | g.live.com, oneclient.sfx.ms | TCP: 443, 80 |
37 | Default Necessary | No | *.sharepointonline.com, spoprod-a.akamaihd.net | TCP: 443, 80 |
39 | Default Necessary | No | *.svc.ms | TCP: 443, 80 |
Microsoft Teams URL and IP Address Lists
ID | Category | ER | Addresses | Ports |
---|---|---|---|---|
11 | Optimize Necessary | Yes | 52.112.0.0/14, 52.122.0.0/15, 2603:1063::/38 | UDP: 3478, 3479, 3480, 3481 |
12 | Allow Necessary | Yes | *.lync.com, *.teams.cloud.microsoft, *.teams.microsoft.com, teams.cloud.microsoft, teams.microsoft.com 52.112.0.0/14, 52.122.0.0/15, 52.238.119.141/32, 52.244.160.207/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2603:1063::/38, 2620:1ec:6::/48, 2620:1ec:40::/42 | TCP: 443, 80 |
16 | Default Necessary | No | *.keydelivery.mediaservices.windows.net, *.streaming.mediaservices.windows.net, mlccdn.blob.core.windows.net | TCP: 443 |
17 | Default Necessary | No | aka.ms | TCP: 443 |
18 | Default Optional Notes: Federation with Skype and public instant messaging: Get contact picture | No | *.users.storage.live.com | TCP: 443 |
19 | Default Optional Notes: Only applicable to those deploying Conference Room Systems | No | adl.windows.com | TCP: 443, 80 |
27 | Default Necessary | No | *.secure.skypeassets.com, mlccdnprod.azureedge.net | TCP: 443 |
127 | Default Necessary | No | *.skype.com | TCP: 443, 80 |
180 | Default Necessary | No | compass-ssl.microsoft.com | TCP: 443 |
Microsoft 365 Common and Office Online URL and IP Address Lists
ID | Category | ER | Addresses | Ports |
---|---|---|---|---|
46 | Allow Necessary | Yes | *.officeapps.live.com, *.online.office.com, office.live.com 13.107.6.171/32, 13.107.18.15/32, 13.107.140.6/32, 52.108.0.0/14, 52.244.37.168/32, 2603:1006:1400::/40, 2603:1016:2400::/40, 2603:1026:2400::/40, 2603:1036:2400::/40, 2603:1046:1400::/40, 2603:1056:1400::/40, 2603:1063:2000::/38, 2620:1ec:c::15/128, 2620:1ec:8fc::6/128, 2620:1ec:a92::171/128, 2a01:111:f100:2000::a83e:3019/128, 2a01:111:f100:2002::8975:2d79/128, 2a01:111:f100:2002::8975:2da8/128, 2a01:111:f100:7000::6fdd:6cd5/128, 2a01:111:f100:a004::bfeb:88cf/128 | TCP: 443, 80 |
47 | Default Necessary | No | *.office.net | TCP: 443, 80 |
49 | Default Necessary | No | *.onenote.com | TCP: 443 |
50 | Default Optional Notes: OneNote notebooks (wildcards) | No | *.microsoft.com | TCP: 443 |
51 | Default Necessary | No | *cdn.onenote.net | TCP: 443 |
53 | Default Necessary | No | ajax.aspnetcdn.com, apis.live.net, officeapps.live.com, www.onedrive.com | TCP: 443 |
56 | Allow Necessary | Yes | *.auth.microsoft.com, *.msftidentity.com, *.msidentity.com, account.activedirectory.windowsazure.com, accounts.accesscontrol.windows.net, adminwebservice.microsoftonline.com, api.passwordreset.microsoftonline.com, autologon.microsoftazuread-sso.com, becws.microsoftonline.com, ccs.login.microsoftonline.com, clientconfig.microsoftonline-p.net, companymanager.microsoftonline.com, device.login.microsoftonline.com, graph.microsoft.com, graph.windows.net, login-us.microsoftonline.com, login.microsoft.com, login.microsoftonline-p.com, login.microsoftonline.com, login.windows.net, logincert.microsoftonline.com, loginex.microsoftonline.com, nexus.microsoftonline-p.com, passwordreset.microsoftonline.com, provisioningapi.microsoftonline.com 20.20.32.0/19, 20.190.128.0/18, 20.231.128.0/19, 40.126.0.0/18, 2603:1006:2000::/48, 2603:1007:200::/48, 2603:1016:1400::/48, 2603:1017::/48, 2603:1026:3000::/48, 2603:1027:1::/48, 2603:1036:3000::/48, 2603:1037:1::/48, 2603:1046:2000::/48, 2603:1047:1::/48, 2603:1056:2000::/48, 2603:1057:2::/48 | TCP: 443, 80 |
59 | Default Necessary | No | *.hip.live.com, *.microsoftonline-p.com, *.microsoftonline.com, *.msauth.net, *.msauthimages.net, *.msecnd.net, *.msftauth.net, *.msftauthimages.net, *.phonefactor.net, enterpriseregistration.windows.net, policykeyservice.dc.ad.msft.net | TCP: 443, 80 |
64 | Allow Necessary | Yes | *.protection.office.com, *.security.microsoft.com, compliance.microsoft.com, defender.microsoft.com, protection.office.com, purview.microsoft.com, security.microsoft.com 13.107.6.192/32, 13.107.9.192/32, 2620:1ec:4::192/128, 2620:1ec:a92::192/128 | TCP: 443 |
66 | Default Necessary | No | *.portal.cloudappsecurity.com | TCP: 443 |
68 | Default Optional Notes: Portal and sharing: 3rd party Office integration. (Including CDNs) | No | firstpartyapps.oaspapps.com, prod.firstpartyapps.oaspapps.com.akadns.net, telemetryservice.firstpartyapps.oaspapps.com, wus-firstpartyapps.oaspapps.com | TCP: 443 |
69 | Default Necessary | No | *.aria.microsoft.com, *.events.data.microsoft.com | TCP: 443 |
70 | Default Necessary | No | *.o365weve.com, amp.azure.net, appsforoffice.microsoft.com, assets.onestore.ms, auth.gfx.ms, c1.microsoft.com, dgps.support.microsoft.com, docs.microsoft.com, msdn.microsoft.com, platform.linkedin.com, prod.msocdn.com, shellprod.msocdn.com, support.microsoft.com, technet.microsoft.com | TCP: 443 |
71 | Default Necessary | No | *.office365.com | TCP: 443, 80 |
73 | Default Necessary | No | *.aadrm.com, *.azurerms.com, *.informationprotection.azure.com, ecn.dev.virtualearth.net, informationprotection.hosting.portal.azure.net | TCP: 443 |
75 | Default Optional Notes: Graph.windows.net, Office 365 Management Pack for Operations Manager, SecureScore, Azure AD Device Registration, Forms, StaffHub, Application Insights, captcha services | No | *.sharepointonline.com, dc.services.visualstudio.com, mem.gfx.ms, staffhub.ms, staffhubweb.azureedge.net | TCP: 443 |
78 | Default Optional Notes: Some Office 365 features require endpoints within these domains (including CDNs). As part of our efforts to remove or better clarify our guidance around these wildcards, several specific FQDNs that fall within these wildcards have recently been published. | No | *.microsoft.com, *.msocdn.com, *.onmicrosoft.com | TCP: 443, 80 |
79 | Default Necessary | No | o15.officeredir.microsoft.com, officepreviewredir.microsoft.com, officeredir.microsoft.com, r.office.microsoft.com | TCP: 443, 80 |
83 | Default Necessary | No | activation.sls.microsoft.com | TCP: 443 |
84 | Default Necessary | No | crl.microsoft.com | TCP: 443, 80 |
86 | Default Necessary | No | office15client.microsoft.com, officeclient.microsoft.com | TCP: 443 |
89 | Default Necessary | No | go.microsoft.com | TCP: 443, 80 |
91 | Default Necessary | No | ajax.aspnetcdn.com, cdn.odc.officeapps.live.com | TCP: 443, 80 |
92 | Default Necessary | No | officecdn.microsoft.com, officecdn.microsoft.com.edgesuite.net, otelrules.azureedge.net | TCP: 443, 80 |
93 | Default Optional Notes: ProPlus: helper URLs | No | *.virtualearth.net, c.bing.net, ocos-office365-s2s.msedge.net, tse1.mm.bing.net, www.bing.com | TCP: 443, 80 |
95 | Default Optional Notes: Outlook for Android and iOS | No | *.acompli.net, *.outlookmobile.com | TCP: 443 |
96 | Default Optional Notes: Outlook for Android and iOS: authentication | No | login.windows-ppe.net | TCP: 443 |
97 | Default Optional Notes: Outlook for Android and iOS: Consumer Outlook.com OneDrive integration | No | account.live.com, login.live.com | TCP: 443 |
105 | Default Optional Notes: Outlook for Android and iOS: Outlook Privacy | No | www.acompli.com | TCP: 443 |
114 | Default Optional Notes: Office Mobile URLs | No | *.appex-rf.msn.com, *.appex.bing.com, c.bing.com, c.live.com, d.docs.live.net, docs.live.net, partnerservices.getmicrosoftkey.com, signup.live.com | TCP: 443, 80 |
116 | Default Optional Notes: Office URLs for iPad | No | account.live.com, auth.gfx.ms, login.live.com | TCP: 443, 80 |
117 | Default Optional Notes: Yammer | No | *.yammer.com, *.yammerusercontent.com | TCP: 443 |
118 | Default Optional Notes: Yammer CDN | No | *.assets-yammer.com | TCP: 443 |
121 | Default Optional Notes: Planner: helper URLs | No | www.outlook.com | TCP: 443, 80 |
122 | Default Optional Notes: SWAY CDNs | No | eus-www.sway-cdn.com, eus-www.sway-extensions.com, wus-www.sway-cdn.com, wus-www.sway-extensions.com | TCP: 443 |
124 | Default Optional Notes: Sway | No | sway.com, www.sway.com | TCP: 443 |
125 | Default Necessary | No | *.entrust.net, *.geotrust.com, *.omniroot.com, *.public-trust.com, *.symcb.com, *.symcd.com, *.verisign.com, *.verisign.net, apps.identrust.com, cacerts.digicert.com, cert.int-x3.letsencrypt.org, crl.globalsign.com, crl.globalsign.net, crl.identrust.com, crl3.digicert.com, crl4.digicert.com, isrg.trustid.ocsp.identrust.com, mscrl.microsoft.com, ocsp.digicert.com, ocsp.globalsign.com, ocsp.msocsp.com, ocsp2.globalsign.com, ocspx.digicert.com, secure.globalsign.com, www.digicert.com, www.microsoft.com | TCP: 443, 80 |
126 | Default Optional Notes: Office Dictation features require a connection to the speech service. If the connection is not allowed, Dictation is disabled. | No | officespeech.platform.bing.com | TCP: 443 |
147 | Default Necessary | No | *.office.com, www.microsoft365.com | TCP: 443, 80 |
152 | Default Optional Notes: These endpoints enable the Office Scripts functionality in Office clients, available through the Automate tab, and the Python in Excel functionality, available through the Formulas tab. The Office Scripts feature can also be disabled through the Office 365 Admin portal. For admin controls for Python in Excel, see Data security in Excel and Python. | No | *.microsoftusercontent.com | TCP: 443 |
153 | Default Necessary | No | *.azure-apim.net, *.flow.microsoft.com, *.powerapps.com, *.powerautomate.com | TCP: 443 |
156 | Default Necessary | No | *.activity.windows.com, activity.windows.com | TCP: 443 |
158 | Default Necessary | No | *.cortana.ai | TCP: 443 |
159 | Default Necessary | No | admin.microsoft.com | TCP: 443, 80 |
160 | Default Necessary | No | cdn.odc.officeapps.live.com, cdn.uci.officeapps.live.com | TCP: 443, 80 |
184 | Default Necessary | No | *.cloud.microsoft, *.static.microsoft, *.usercontent.microsoft | TCP: 443, 80 |