Network endpoints for Microsoft Intune

This page lists IP addresses and port settings needed for proxy settings in your Intune deployments.

As a cloud-only service, Intune doesn't require on-premises infrastructure such as servers or gateways.

Access for managed devices

To manage devices behind firewalls and proxy servers, you must enable communication for Intune.

  • The proxy server must support both HTTP (80) and HTTPS (443) because Intune clients use both protocols. Windows Information Protection uses port 444.
  • For some tasks (like downloading software updates for the classic pc agent), Intune requires unauthenticated proxy server access to manage.microsoft.com

You can modify proxy server settings on individual client computers. You can also use Group Policy settings to change settings for all client computers located behind a specified proxy server.

Managed devices require configurations that let All Users access services through firewalls.

The following tables list the ports and services that the Intune client accesses:

Domains IP address
login.microsoftonline.com
*.officeconfig.msocdn.com
config.office.com
graph.windows.net
More information Office 365 URLs and IP address ranges
portal.manage.microsoft.com
m.manage.microsoft.com
52.175.12.209
20.188.107.228
52.138.193.149
51.144.161.187
52.160.70.20
52.168.54.64
13.72.226.202
52.189.220.232
sts.manage.microsoft.com 13.93.223.241
52.170.32.182
52.164.224.159
52.174.178.4
13.75.122.143
52.163.120.84
13.73.112.122
52.237.192.112
Manage.microsoft.com
i.manage.microsoft.com
r.manage.microsoft.com
a.manage.microsoft.com
p.manage.microsoft.com
EnterpriseEnrollment.manage.microsoft.com
EnterpriseEnrollment-s.manage.microsoft.com
40.83.123.72
13.76.177.110
52.169.9.87
52.174.26.23
104.40.82.191
13.82.96.212
52.147.8.239
40.115.69.185
portal.fei.msua01.manage.microsoft.com
m.fei.msua01.manage.microsoft.com
portal.fei.msua02.manage.microsoft.com
m.fei.msua02.manage.microsoft.com
portal.fei.msua04.manage.microsoft.com
m.fei.msua04.manage.microsoft.com
portal.fei.msua05.manage.microsoft.com
m.fei.msua05.manage.microsoft.com
portal.fei.amsua0502.manage.microsoft.com
m.fei.amsua0502.manage.microsoft.com
portal.fei.msua06.manage.microsoft.com
m.fei.msua06.manage.microsoft.com
portal.fei.amsua0602.manage.microsoft.com
m.fei.amsua0602.manage.microsoft.com
fei.amsua0202.manage.microsoft.com
portal.fei.amsua0202.manage.microsoft.com
m.fei.amsua0202.manage.microsoft.com
portal.fei.amsua0402.manage.microsoft.com
m.fei.amsua0402.manage.microsoft.com
52.160.70.20
52.168.54.64
portal.fei.msub01.manage.microsoft.com
m.fei.msub01.manage.microsoft.com
portal.fei.amsub0102.manage.microsoft.com
m.fei.amsub0102.manage.microsoft.com
fei.msub02.manage.microsoft.com
portal.fei.msub02.manage.microsoft.com
m.fei.msub02.manage.microsoft.com
portal.fei.msub03.manage.microsoft.com
m.fei.msub03.manage.microsoft.com
portal.fei.msub05.manage.microsoft.com
m.fei.msub05.manage.microsoft.com
portal.fei.amsub0202.manage.microsoft.com
m.fei.amsub0202.manage.microsoft.com
portal.fei.amsub0302.manage.microsoft.com
m.fei.amsub0302.manage.microsoft.com
portal.fei.amsub0502.manage.microsoft.com
m.fei.amsub0502.manage.microsoft.com
52.138.193.149
51.144.161.187
portal.fei.msuc01.manage.microsoft.com
m.fei.msuc01.manage.microsoft.com
portal.fei.msuc02.manage.microsoft.com
m.fei.msuc02.manage.microsoft.com
portal.fei.msuc03.manage.microsoft.com
m.fei.msuc03.manage.microsoft.com
portal.fei.msuc05.manage.microsoft.com
m.fei.msuc05.manage.microsoft.com
52.175.12.209
20.188.107.228
portal.fei.amsud0101.manage.microsoft.com
m.fei.amsud0101.manage.microsoft.com
13.72.226.202
fef.msua01.manage.microsoft.com 138.91.243.97
fef.msua02.manage.microsoft.com 52.177.194.236
fef.msua04.manage.microsoft.com 23.96.112.28
fef.msua05.manage.microsoft.com 138.91.244.151
fef.msua06.manage.microsoft.com 13.78.185.97
fef.msua07.manage.microsoft.com 52.175.208.218
fef.msub01.manage.microsoft.com 137.135.128.214
fef.msub02.manage.microsoft.com 137.135.130.29
fef.msub03.manage.microsoft.com 52.169.82.238
fef.msub05.manage.microsoft.com 23.97.166.52
fef.msuc01.manage.microsoft.com 52.230.19.86
fef.msuc02.manage.microsoft.com 23.98.66.118
fef.msuc03.manage.microsoft.com 23.101.0.100
fef.msuc05.manage.microsoft.com 52.230.16.180
fef.amsua0202.manage.microsoft.com 52.165.165.17
fef.amsua0402.manage.microsoft.com 40.69.157.122
fef.amsua0502.manage.microsoft.com 13.85.68.142
fef.amsua0602.manage.microsoft.com 52.161.28.64
fef.amsub0102.manage.microsoft.com 40.118.98.207
fef.amsub0202.manage.microsoft.com 40.69.208.122
fef.amsub0302.manage.microsoft.com 13.74.145.65
enterpriseregistration.windows.net 52.175.211.189
fef.amsua0102.manage.microsoft.com 52.242.211.0
fef.amsua0702.manage.microsoft.com 52.232.225.75
fef.amsub0502.manage.microsoft.com 40.67.219.144
fef.msud01.manage.microsoft.com 20.40.178.139
Admin.manage.microsoft.com 52.224.221.227
52.161.162.117
52.178.44.195
52.138.206.56
52.230.21.208
13.75.125.10
wip.mam.manage.microsoft.com 52.187.76.84
13.76.5.121
52.165.160.237
40.86.82.163
52.233.168.142
168.63.101.57
52.187.196.98
52.237.196.51
mam.manage.microsoft.com 104.40.69.125
13.90.192.78
40.85.174.177
40.85.77.31
137.116.229.43
52.163.215.232
52.174.102.180
52.187.196.173
52.156.162.48
*.manage.microsoft.com 40.82.248.224/28
20.189.105.0/24
20.37.153.0/24
20.37.192.128/25
20.38.81.0/24
20.41.1.0/24
20.42.1.0/24
20.42.130.0/24
20.42.224.128/25
20.43.129.0/24
40.119.8.128/25
40.74.25.0/24
40.82.249.128/25
40.80.184.128/25
52.150.137.0/25

Network requirements for PowerShell scripts and Win32 apps

If you're using Intune to deploy PowerShell scripts or Win32 apps, you'll also need to grant access to endpoints in which your tenant currently resides.

ASU Storage name CDN
AMSUA0601 prodmsua06data https://prodmsua06data.azureedge.net
AMSUA0602 prodamsua0602data https://prodamsua0602data.azureedge.net
AMSUA0101 prodmsua01data https://prodmsua01data.azureedge.net
AMSUA0201 prodmsua02data https://prodmsua02data.azureedge.net
AMSUA0202 Prodmsua0202rcdata https://prodamsua0202data.azureedge.net/
AMSUA0401 prodmsua04data https://prodmsua04data.azureedge.net
AMSUA0402 Prodmsua0402rcdata https://prodamsua0402data.azureedge.net/
AMSUA0501 prodmsua05data https://prodmsua05data.azureedge.net
AMSUA0502 prodmsua0502data https://prodmsua0502data.azureedge.net
AMSUB0101 prodmsub01data https://prodmsub01data.azureedge.net
AMSUB0102 prodamsub0102data https://prodamsub0102data.azureedge.net
AMSUB0201 prodmsub02data https://prodmsub02data.azureedge.net
AMSUB0202 Prodmsub0202rcdata https://prodamsub0202data.azureedge.net
AMSUB0301 Prodmsub03data2 https://prodmsub03data2.azureedge.net
AMSUB0302 Prodmsub0302rcdata https://prodamsub0302data.azureedge.net
AMSUB0501 prodmsub05data https://prodmsub05data.azureedge.net
AMSUC0101 prodmsuc01data https://prodmsuc01data.azureedge.net
AMSUC0201 prodmsuc02data https://prodmsuc02data.azureedge.net
AMSUC0301 prodmsuc03data https://prodmsuc03data.azureedge.net
AMSUC0501 prodmsuc05data https://prodmsuc05data.azureedge.net
AMSUA0701 pemsua07rcdata https://pemsua07data.azureedge.net

Windows Push Notification Services (WNS)

For Intune-managed Windows devices managed using Mobile Device Management (MDM), device actions and other immediate activities require the use of Windows Push Notification Services (WNS). For more information, see Allowing Windows Notification traffic through enterprise firewalls.

Delivery Optimization port requirements

Port requirements

For peer-to-peer traffic, Delivery Optimization uses 7680 for TCP/IP or 3544 for NAT traversal (optionally Teredo). For client-service communication, it uses HTTP or HTTPS over port 80/443.

Proxy requirements

To use Delivery Optimization, you must allow Byte Range requests. For more information, see Proxy requirements for Windows Update.

Firewall requirements

Allow the following hostnames through your firewall to support Delivery Optimization. For communication between clients and the Delivery Optimization cloud service:

  • *.do.dsp.mp.microsoft.com

For Delivery Optimization metadata:

  • *.dl.delivery.mp.microsoft.com
  • *.emdl.ws.microsoft.com

Apple device network information

Used for Hostname (IP address/subnet) Protocol Port
Retrieving and displaying content from Apple servers itunes.apple.com
*.itunes.apple.com
*.mzstatic.com
*.phobos.apple.com
*.phobos.itunes-apple.com.akadns.net
HTTP 80
Communications with APNS servers #-courier.push.apple.com
'#' is a random number from 0 to 50.
TCP 5223 and 443
Various functionalities including accessing the World Wide Web, iTunes store, macOS app store, iCloud, messaging, etc. phobos.apple.com
ocsp.apple.com
ax.itunes.apple.com
ax.itunes.apple.com.edgesuite.net
HTTP/HTTPS 80 or 443

For more information, see Apple's TCP and UDP ports used by Apple software products, About macOS, iOS, and iTunes server host connections and iTunes background processes, and If your macOS and iOS clients aren't getting Apple push notifications.