Network endpoints for Microsoft Intune

This page lists IP addresses and port settings needed for proxy settings in your Intune deployments.

As a cloud-only service, Intune doesn't require on-premises infrastructure such as servers or gateways.

Access for managed devices

To manage devices behind firewalls and proxy servers, you must enable communication for Intune.

  • The proxy server must support both HTTP (80) and HTTPS (443) because Intune clients use both protocols. Windows Information Protection uses port 444.
  • For some tasks (like downloading software updates for the classic pc agent), Intune requires unauthenticated proxy server access to

You can modify proxy server settings on individual client computers. You can also use Group Policy settings to change settings for all client computers located behind a specified proxy server.

Managed devices require configurations that let All Users access services through firewalls.

The following tables list the ports and services that the Intune client accesses:

Domains IP address
More information Office 365 URLs and IP address ranges

Network requirements for PowerShell scripts and Win32 apps

If you're using Intune to deploy PowerShell scripts or Win32 apps, you'll also need to grant access to endpoints in which your tenant currently resides.

ASU Storage name CDN
AMSUA0601 prodmsua06data
AMSUA0602 prodamsua0602data
AMSUA0101 prodmsua01data
AMSUA0201 prodmsua02data
AMSUA0202 Prodmsua0202rcdata
AMSUA0401 prodmsua04data
AMSUA0402 Prodmsua0402rcdata
AMSUA0501 prodmsua05data
AMSUA0502 prodmsua0502data
AMSUB0101 prodmsub01data
AMSUB0102 prodamsub0102data
AMSUB0201 prodmsub02data
AMSUB0202 Prodmsub0202rcdata
AMSUB0301 Prodmsub03data2
AMSUB0302 Prodmsub0302rcdata
AMSUB0501 prodmsub05data
AMSUC0101 prodmsuc01data
AMSUC0201 prodmsuc02data
AMSUC0301 prodmsuc03data
AMSUC0501 prodmsuc05data
AMSUA0701 pemsua07rcdata

Windows Push Notification Services (WNS)

For Intune-managed Windows devices managed using Mobile Device Management (MDM), device actions and other immediate activities require the use of Windows Push Notification Services (WNS). For more information, see Allowing Windows Notification traffic through enterprise firewalls.

Delivery Optimization port requirements

Port requirements

For peer-to-peer traffic, Delivery Optimization uses 7680 for TCP/IP or 3544 for NAT traversal (optionally Teredo). For client-service communication, it uses HTTP or HTTPS over port 80/443.

Proxy requirements

To use Delivery Optimization, you must allow Byte Range requests. For more information, see Proxy requirements for Windows Update.

Firewall requirements

Allow the following hostnames through your firewall to support Delivery Optimization. For communication between clients and the Delivery Optimization cloud service:

  • *

For Delivery Optimization metadata:

  • *
  • *

Apple device network information

Used for Hostname (IP address/subnet) Protocol Port
Retrieving and displaying content from Apple servers
Communications with APNS servers
'#' is a random number from 0 to 50.
TCP 5223 and 443
Various functionalities including accessing the World Wide Web, iTunes store, macOS app store, iCloud, messaging, etc.
HTTP/HTTPS 80 or 443

For more information, see Apple's TCP and UDP ports used by Apple software products, About macOS, iOS, and iTunes server host connections and iTunes background processes, and If your macOS and iOS clients aren't getting Apple push notifications.