Microsoft 365 URLs and IP Address Lists

Microsoft 365 services require an internet connection to operate at full efficiency. Customers, especially those on plans like GCC, are required to provide access to certain endpoints.

Microsoft 365 Plans and Access Requirements: Microsoft 365 plans offer a variety of options that appeal to different customer groups. For example, Microsoft 365 Worldwide, Microsoft 21 services operated by 365 Vianet, US Government DoD, and GCC High plans, each with different security and access requirements.

Managing Endpoint Data: Endpoint data lists which IP addresses and URLs should be used from user machines to access Microsoft 365. This data is updated regularly each month and announced 30 days before new IP addresses or URLs become active. This allows system administrators to make necessary network configurations in a timely manner. Additional updates can be made throughout the month in cases of emergencies or situations that require security updates.

Endpoint data provided by Microsoft is generated from REST-based web services, and users can access this data via a script or network device.

Endpoint Categories: Microsoft 365 endpoints are classified into three primary workloads and common resources. This classification helps network administrators manage traffic flows for specific applications. However, because some endpoints are used by multiple workloads, these groups cannot be used effectively to limit access.

  • Kimlik: Each set of endpoints is assigned an ID number. This ID is the same as the ID returned by the web service.
  • Category: Endpoints are categorized as “Optimize,” “Allow,” or “Default.” Endpoints in the “Optimize” category are performance-critical. Those in the “Allow” category indicate that the connection is required. Endpoints in the “Default” category provide additional functionality but are not required.
  • ER (ExpressRoute): Indicates whether Microsoft 365 route prefixes are supported over Azure ExpressRoute. Endpoints marked “Yes” are supported over ExpressRoute. However, endpoints marked “No” do not benefit from this support.

IP Addresses and Ports: Endpoints connect to Microsoft 365 services using specific IP addresses and ports. These IP addresses are specified in CIDR format and cover a wide range of IP addresses. Ports can be TCP or UDP ports and vary depending on the type of endpoint.

Exchange Online URL and IP Address Lists

IDCategoryERAddressesPorts
1Optimize
Necessary
Yesoutlook.cloud.microsoft, outlook.office.com, outlook.office365.com
13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128
TCP: 443, 80
UDP: 443
2Allow me
Optional
Notes: POP3, IMAP4, SMTP Client traffic
Yesoutlook.office365.com, smtp.office365.com
13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128
TCP: 587, 993, 995, 143
8Default
Necessary
No*.outlook.com, autodiscover.<tenant>.onmicrosoft.comTCP: 443, 80
9Allow me
Necessary
Yes*.protection.outlook.com
40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 52.238.78.88/32, 104.47.0.0/17, 2a01:111:f400::/48, 2a01:111:f403::/48
TCP: 443
10Allow me
Necessary
Yes*.mail.protection.outlook.com, *.mx.microsoft
40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 104.47.0.0/17, 2a01:111:f400::/48, 2a01:111:f403::/48
TCP: 25

SharePoint Online and OneDrive Business URL and IP Address Lists

IDCategoryERAddressesPorts
31Optimize
Necessary
Yes*.sharepoint.com
13.107.136.0/22, 40.108.128.0/17, 52.104.0.0/14, 104.146.128.0/17, 150.171.40.0/22, 2603:1061:1300::/40, 2620:1ec:8f8::/46, 2620:1ec:908::/46, 2a01:111:f402::/48
TCP: 443, 80
32Default
Optional
Notes: OneDrive for Business: Supportability, telemetry, APIs, and email links with attachments
Nossw.live.com, storage.live.comTCP: 443
33Default
Optional
Notes: SharePoint Hybrid Search – Endpoint for SearchContentService where the hybrid explorer streams documents
No*.search.production.apac.trafficmanager.net, *.search.production.emea.trafficmanager.net, *.search.production.us.trafficmanager.netTCP: 443
35Default
Necessary
No*.wns.windows.com, admin.onedrive.com, officeclient.microsoft.comTCP: 443, 80
36Default
Necessary
Nog.live.com, oneclient.sfx.msTCP: 443, 80
37Default
Necessary
No*.sharepointonline.com, spoprod-a.akamaihd.netTCP: 443, 80
39Default
Necessary
No*.svc.msTCP: 443, 80

Microsoft Teams URL and IP Address Lists

IDCategoryERAddressesPorts
11Optimize
Necessary
Yes52.112.0.0/14, 52.122.0.0/15, 2603:1063::/38UDP: 3478, 3479, 3480, 3481
12Allow me
Necessary
Yes*.lync.com, *.teams.cloud.microsoft, *.teams.microsoft.com, teams.cloud.microsoft, teams.microsoft.com
52.112.0.0/14, 52.122.0.0/15, 52.238.119.141/32, 52.244.160.207/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2603:1063::/38, 2620:1ec:6::/48, 2620:1ec:40::/42
TCP: 443, 80
16Default
Necessary
No*.keydelivery.mediaservices.windows.net, *.streaming.mediaservices.windows.net, mlccdn.blob.core.windows.netTCP: 443
17Default
Necessary
Noaka.msTCP: 443
18Default
Optional
Notes:Federation with Skype and public instant messaging: Get contact picture
No*.users.storage.live.comTCP: 443
19Default
Optional
Notes: Only applicable to those deploying Conference Room Systems
Noadl.windows.comTCP: 443, 80
27Default
Necessary
No*.secure.skypeassets.com, mlccdnprod.azureedge.netTCP: 443
127Default
Necessary
No*.skype.comTCP: 443, 80
180Default
Necessary
Nocompass-ssl.microsoft.comTCP: 443

Microsoft 365 Public and Office Online URL and IP Address Lists

IDCategoryERAddressesPorts
46Allow me
Necessary
Yes*.officeapps.live.com, *.online.office.com, office.live.com
13.107.6.171/32, 13.107.18.15/32, 13.107.140.6/32, 52.108.0.0/14, 52.244.37.168/32, 2603:1006:1400::/40, 2603:1016:2400::/40, 2603:1026:2400::/40, 2603:1036:2400::/40, 2603:1046:1400::/40, 2603:1056:1400::/40, 2603:1063:2000::/38, 2620:1ec:c::15/128, 2620:1ec:8fc::6/128, 2620:1ec:a92::171/128, 2a01:111:f100:2000::a83e:3019/128, 2a01:111:f100:2002::8975:2d79/128, 2a01:111:f100:2002::8975:2da8/128, 2a01:111:f100:7000::6fdd:6cd5/128, 2a01:111:f100:a004::bfeb:88cf/128
TCP: 443, 80
47Default
Necessary
No*.office.netTCP: 443, 80
49Default
Necessary
No*.onenote.comTCP: 443
50Default
Optional
Notes: OneNote notebooks (wildcards)
No*.microsoft.comTCP: 443
51Default
Necessary
No*cdn.onenote.netTCP: 443
53Default
Necessary
Noajax.aspnetcdn.com, apis.live.net, officeapps.live.com, www.onedrive.comTCP: 443
56Allow me
Necessary
Yes*.auth.microsoft.com, *.msftidentity.com, *.msidentity.com, account.activedirectory.windowsazure.com, accounts.accesscontrol.windows.net, adminwebservice.microsoftonline.com, api.passwordreset.microsoftonline.com, autologon.microsoftazuread-sso.com, becws.microsoftonline.com, ccs.login.microsoftonline.com, clientconfig.microsoftonline-p.net, companymanager.microsoftonline.com, device.login.microsoftonline.com, graph.microsoft.com, graph.windows.net, login-us.microsoftonline.com, login.microsoft.com, login.microsoftonline-p.com, login.microsoftonline.com, login.windows.net, logincert.microsoftonline.com, loginex.microsoftonline.com, nexus.microsoftonline-p.com, passwordreset.microsoftonline.com, provisioningapi.microsoftonline.com
20.20.32.0/19, 20.190.128.0/18, 20.231.128.0/19, 40.126.0.0/18, 2603:1006:2000::/48, 2603:1007:200::/48, 2603:1016:1400::/48, 2603:1017::/48, 2603:1026:3000::/48, 2603:1027:1::/48, 2603:1036:3000::/48, 2603:1037:1::/48, 2603:1046:2000::/48, 2603:1047:1::/48, 2603:1056:2000::/48, 2603:1057:2::/48
TCP: 443, 80
59Default
Necessary
No*.hip.live.com, *.microsoftonline-p.com, *.microsoftonline.com, *.msauth.net, *.msauthimages.net, *.msecnd.net, *.msftauth.net, *.msftauthimages.net, *.phonefactor.net, enterpriseregistration.windows.net, policykeyservice.dc.ad.msft.netTCP: 443, 80
64Allow me
Necessary
Yes*.protection.office.com, *.security.microsoft.com, compliance.microsoft.com, defender.microsoft.com, protection.office.com, purview.microsoft.com, security.microsoft.com
13.107.6.192/32, 13.107.9.192/32, 2620:1ec:4::192/128, 2620:1ec:a92::192/128
TCP: 443
66Default
Necessary
No*.portal.cloudappsecurity.comTCP: 443
68Default
Optional
Notes: Portal and sharing: 3rd party Office integration. (Including CDNs)
Nofirstpartyapps.oaspapps.com, prod.firstpartyapps.oaspapps.com.akadns.net, telemetryservice.firstpartyapps.oaspapps.com, wus-firstpartyapps.oaspapps.comTCP: 443
69Default
Necessary
No*.aria.microsoft.com, *.events.data.microsoft.comTCP: 443
70Default
Necessary
No*.o365weve.com, amp.azure.net, appsforoffice.microsoft.com, assets.onestore.ms, auth.gfx.ms, c1.microsoft.com, dgps.support.microsoft.com, docs.microsoft.com, msdn.microsoft.com, platform.linkedin.com, prod.msocdn.com, shellprod.msocdn.com, support.microsoft.com, technet.microsoft.comTCP: 443
71Default
Necessary
No*.office365.comTCP: 443, 80
73Default
Necessary
No*.aadrm.com, *.azurerms.com, *.informationprotection.azure.com, ecn.dev.virtualearth.net, informationprotection.hosting.portal.azure.netTCP: 443
75Default
Optional
Notes: Graph.windows.net, Office 365 Management Pack for Operations Manager, SecureScore, Azure AD Device Registration, Forms, StaffHub, Application Insights, captcha services
No*.sharepointonline.com, dc.services.visualstudio.com, mem.gfx.ms, staffhub.ms, staffhubweb.azureedge.netTCP: 443
78Default
Optional
Notes: Some Office 365 features require endpoints within these domains (including CDNs). As part of our efforts to remove or better clarify our guidance around these wildcards, several specific FQDNs that fall within these wildcards have recently been published.
No*.microsoft.com, *.msocdn.com, *.onmicrosoft.comTCP: 443, 80
79Default
Necessary
Noo15.officeredir.microsoft.com, officepreviewredir.microsoft.com, officeredir.microsoft.com, r.office.microsoft.comTCP: 443, 80
83Default
Necessary
Noactivation.sls.microsoft.comTCP: 443
84Default
Necessary
Nocrl.microsoft.comTCP: 443, 80
86Default
Necessary
Nooffice15client.microsoft.com, officeclient.microsoft.comTCP: 443
89Default
Necessary
Nogo.microsoft.comTCP: 443, 80
91Default
Necessary
Noajax.aspnetcdn.com, cdn.odc.officeapps.live.comTCP: 443, 80
92Default
Necessary
Noofficecdn.microsoft.com, officecdn.microsoft.com.edgesuite.net, otelrules.azureedge.netTCP: 443, 80
93Default
Optional
Notes: ProPlus: helper URLs
No*.virtualearth.net, c.bing.net, ocos-office365-s2s.msedge.net, tse1.mm.bing.net, www.bing.comTCP: 443, 80
95Default
Optional
Notes: Outlook for Android and iOS
No*.acompli.net, *.outlookmobile.comTCP: 443
96Default
Optional
Notes: Outlook for Android and iOS: authentication
Nologin.windows-ppe.netTCP: 443
97Default
Optional
Notes: Outlook for Android and iOS: Consumer Outlook.com OneDrive integration
Noaccount.live.com, login.live.comTCP: 443
105Default
Optional
Notes: Outlook for Android and iOS: Outlook Privacy
Nowww.acompli.comTCP: 443
114Default
Optional
Notes: Office Mobile URLs
No*.appex-rf.msn.com, *.appex.bing.com, c.bing.com, c.live.com, d.docs.live.net, docs.live.net, partnerservices.getmicrosoftkey.com, signup.live.comTCP: 443, 80
116Default
Optional
Notes: Office URLs for iPad
Noaccount.live.com, auth.gfx.ms, login.live.comTCP: 443, 80
117Default
Optional
Notes: Yammer
No*.yammer.com, *.yammerusercontent.comTCP: 443
118Default
Optional
Notes: Yammer CDN
No*.assets-yammer.comTCP: 443
121Default
Optional
Notes: Planner: helper URLs
Nowww.outlook.comTCP: 443, 80
122Default
Optional
Notes: SWAY CDNs
Noeus-www.sway-cdn.com, eus-www.sway-extensions.com, wus-www.sway-cdn.com, wus-www.sway-extensions.comTCP: 443
124Default
Optional
Notes: Sway
Nosway.com, www.sway.comTCP: 443
125Default
Necessary
No*.entrust.net, *.geotrust.com, *.omniroot.com, *.public-trust.com, *.symcb.com, *.symcd.com, *.verisign.com, *.verisign.net, apps.identrust.com, cacerts.digicert.com, cert.int-x3.letsencrypt.org, crl.globalsign.com, crl.globalsign.net, crl.identrust.com, crl3.digicert.com, crl4.digicert.com, isrg.trustid.ocsp.identrust.com, mscrl.microsoft.com, ocsp.digicert.com, ocsp.globalsign.com, ocsp.msocsp.com, ocsp2.globalsign.com, ocspx.digicert.com, secure.globalsign.com, www.digicert.com, www.microsoft.comTCP: 443, 80
126Default
Optional
Notes: Office Dictation features require a connection to the speech service. If the connection is not allowed, Dictation is disabled.
Noofficespeech.platform.bing.comTCP: 443
147Default
Necessary
No*.office.com, www.microsoft365.comTCP: 443, 80
152Default
Optional
Notes: These endpoints enable the Office Scripts functionality in Office clients, available through the Automate tab, and the Python in Excel functionality, available through the Formulas tab. The Office Scripts feature can also be disabled through the Office 365 Admin portal. For admin controls for Python in Excel, see Data security in Excel and Python.
No*.microsoftusercontent.comTCP: 443
153Default
Necessary
No*.azure-apim.net, *.flow.microsoft.com, *.powerapps.com, *.powerautomate.comTCP: 443
156Default
Necessary
No*.activity.windows.com, activity.windows.comTCP: 443
158Default
Necessary
No*.cortana.aiTCP: 443
159Default
Necessary
Noadmin.microsoft.comTCP: 443, 80
160Default
Necessary
Nocdn.odc.officeapps.live.com, cdn.uci.officeapps.live.comTCP: 443, 80
184Default
Necessary
No*.cloud.microsoft, *.static.microsoft, *.usercontent.microsoftTCP: 443, 80

One comment on “Microsoft 365 URLs and IP Address Lists”

Comment