Other endpoints not included in the Office 365 IP Address and URL Web service

Some network endpoints were previously published and haven't been included in the Office 365 IP Address and URL Web Service. The web service publishes network endpoints that are required for Office 365 connectivity across an enterprise perimeter network. This scope currently doesn't include:

  1. Network connectivity that may be required from a Microsoft datacenter to a customer network (inbound hybrid server network traffic).
  2. Network connectivity from servers on a customer network across the enterprise perimeter (outbound server network traffic).
  3. Uncommon scenarios for network connectivity requirements from a user.
  4. DNS resolution connectivity requirement (not listed below).
  5. Internet Explorer or Microsoft Edge Trusted Sites.

Apart from DNS, these instances are all optional for most customers unless you need the specific scenario that is described.



Row Purpose Destination Type
1 Import Service for PST and file ingestion Refer to the Import Service for more requirements. Uncommon outbound scenario
2 Microsoft Support and Recovery Assistant for Office 365 https://autodiscover.outlook.com
https://officecdn.microsoft.com
https://api.diagnostics.office.com
https://apibasic.diagnostics.office.com
https://autodiscover-s.outlook.com
https://cloudcheckenabler.azurewebsites.net
https://login.live.com
https://login.microsoftonline.com
https://login.windows.net
https://o365diagtelemetry.trafficmanager.net
https://odc.officeapps.live.com
https://offcatedge.azureedge.net
https://officeapps.live.com
https://outlook.office365.com
https://outlookdiagnostics.azureedge.net
Outbound server traffic
3 Azure AD Connect (w/SSO option)

WinRM & remote PowerShell

Customer STS environment (AD FS Server and AD FS Proxy) | TCP ports 80 & 443 Inbound server traffic
4 STS such as AD FS Proxy server(s) (for federated customers only) Customer STS (such as AD FS Proxy) | Ports TCP 443 or TCP 49443 w/ClientTLS Inbound server traffic
5 Exchange Online Unified Messaging/SBC integration Bidirectional between on-premises Session Border Controller and *.um.outlook.com Outbound server-only traffic
6 Mailbox Migration

When mailbox migration is initiated from on-premises Exchange Hybrid to Office 365, Office 365 will connect to your published Exchange Web Services (EWS)/Mailbox Replication Services (MRS) server. If you need to allow inbound connections only from specific source IP ranges, create a permit rule for the IP addresses listed in the Exchange Online table in Office 365 URL & IP ranges.

To ensure that connectivity to published EWS endpoints (like OWA) is not blocked, make sure the MRS proxy resolves to a separate FQDN and public IP address before you restrict connections.

Customer on-premises EWS/MRS Proxy
TCP port 443
Inbound server traffic
7 Exchange Hybrid coexistence functions such as Free/Busy sharing. Customer on-premises Exchange server Inbound server traffic
8 Exchange Hybrid proxy authentication Customer on-premises STS Inbound server traffic
9 Used to configure Exchange Hybrid, using the Exchange Hybrid Configuration Wizard

Note: These endpoints are only required to configure Exchange hybrid

domains.live.com on TCP ports 80 & 443, only required for Exchange 2010 SP3 Hybrid Configuration Wizard

GCC High, DoD IP addresses: 40.118.209.192/32; 168.62.190.41/32

Worldwide Commercial & GCC: *.store.core.windows.net; asl.configure.office.com; tds.configure.office.com; mshybridservice.trafficmanager.net ;
aka.ms/hybridwizard;
shcwreleaseprod.blob.core.windows.net/shcw/*;

Outbound server-only traffic
10 The AutoDetect service is used in Exchange Hybrid scenarios with Hybrid Modern Authentication with Outlook for iOS and Android

<email_domain>.outlookmobile.com
<email_domain>.outlookmobile.us
52.125.128.0/20
52.127.96.0/23

Customer on-premises Exchange server on TCP 443 Inbound server traffic
11 Exchange hybrid Azure AD authentication *.msappproxy.net TCP outbound server-only traffic
12 Skype for Business in Office 2016 includes video based screen sharing, which uses UDP ports. Prior Skype for Business clients in Office 2013 and earlier used RDP over TCP port 443. TCP port 443 opens to 52.112.0.0/14 Skype for Business older client versions in Office 2013 and earlier
13 Skype for Business hybrid on-premises server connectivity to Skype for Business Online 13.107.64.0/18, 52.112.0.0/14
UDP ports 50,000-59,999
TCP ports 50,000-59,999; 5061
Skype for Business on-premises server outbound connectivity
14 Cloud PSTN with on-premises hybrid connectivity requires network connectivity open to the on-premises hosts. For more details about Skype for Business Online hybrid configurations See Plan hybrid connectivity between Skype for Business Server and Office 365 Skype for Business on-premises hybrid inbound
15 Authentication and identity FQDNs

The FQDN secure.aadcdn.microsoftonline-p.com needs to be in your client's Internet Explorer (IE) or Edge Trusted Sites Zone to function.

Trusted Sites
16 Microsoft Teams FQDNs

If you are using Internet Explorer or Microsoft Edge, you need to enable first and third-party cookies and add the FQDNs for Teams to your Trusted Sites. This is in addition to the suite-wide FQDNs, CDNs, and telemetry listed in row 14. See Known issues for Microsoft Teams for more information.

Trusted Sites
17 SharePoint Online and OneDrive for Business FQDNs

All '.sharepoint.com' FQDNs with '<tenant>' in the FQDN need to be in your client's IE or Edge Trusted Sites Zone to function. In addition to the suite-wide FQDNs, CDNs, and telemetry listed in row 14, you'll need to also add these endpoints.

Trusted Sites
18 Yammer
Yammer is only available in the browser and requires the authenticated user to be passed through a proxy. All Yammer FQDNs need to be in your client's IE or Edge Trusted Sites Zone to function.
Trusted Sites
19 Use Azure AD Connect to sync on-premises user accounts to Azure AD. See Hybrid Identity Required Ports and Protocols, Troubleshoot Azure AD connectivity, and Azure AD Connect Health Agent Installation. Outbound server-only traffic
20 Azure AD Connect with 21 ViaNet in China to sync on-premises user accounts to Azure AD. *.digicert.com:80
*.entrust.net:80
*.chinacloudapi.cn:443
secure.aadcdn.partner.microsoftonline-p.cn:443
*.partner.microsoftonline.cn:443

Also see Troubleshoot ingress with Azure AD connectivity issues.

Outbound server-only traffic
21 Microsoft Stream (needs the Azure AD user token).
Office 365 Worldwide (including GCC)
*.cloudapp.net
*.api.microsoftstream.com
*.notification.api.microsoftstream.com
amp.azure.net
api.microsoftstream.com
az416426.vo.msecnd.net
s0.assets-yammer.com
vortex.data.microsoft.com
web.microsoftstream.com
TCP port 443
Inbound server traffic
22 Use MFA server for multi-factor authentication requests, both new installations of the server and setting it up with Active Directory Domain Services (AD DS). See Getting started with the Azure AD multi-factor authentication Server. Outbound server-only traffic
23 Microsoft Graph Change Notifications

Developers can use change notifications to subscribe to events in the Microsoft Graph.

Public Cloud: 52.159.23.209, 52.159.17.84, 52.147.213.251, 52.147.213.181, 13.85.192.59, 13.85.192.123, 13.89.108.233, 13.89.104.147, 20.96.21.67, 20.69.245.215, 137.135.11.161, 137.135.11.116, 52.159.107.50, 52.159.107.4, 52.229.38.131, 52.183.67.212, 52.142.114.29, 52.142.115.31, 51.124.75.43, 51.124.73.177, 20.44.210.83, 20.44.210.146, 40.80.232.177, 40.80.232.118, 20.48.12.75, 20.48.11.201, 104.215.13.23, 104.215.6.169, 52.148.24.136, 52.148.27.39, 40.76.162.99, 40.76.162.42, 40.74.203.28, 40.74.203.27, 13.86.37.15, 52.154.246.238, 20.96.21.98, 20.96.21.115, 137.135.11.222, 137.135.11.250, 52.159.109.205, 52.159.102.72, 52.151.30.78, 52.191.173.85, 51.104.159.213, 51.104.159.181, 51.138.90.7, 51.138.90.52, 52.148.115.48, 52.148.114.238, 40.80.233.14, 40.80.239.196, 20.48.14.35, 20.48.15.147, 104.215.18.55, 104.215.12.254, 20.199.102.157, 20.199.102.73, 13.87.81.123, 13.87.81.35, 20.111.9.46, 20.111.9.77, 13.87.81.133, 13.87.81.141

Microsoft Cloud for US Government: 52.244.33.45, 52.244.35.174, 52.243.157.104, 52.243.157.105, 52.182.25.254, 52.182.25.110, 52.181.25.67, 52.181.25.66, 52.244.111.156, 52.244.111.170, 52.243.147.249, 52.243.148.19, 52.182.32.51, 52.182.32.143, 52.181.24.199, 52.181.24.220

Microsoft Cloud China operated by 21Vianet: 42.159.72.35, 42.159.72.47, 42.159.180.55, 42.159.180.56, 40.125.138.23, 40.125.136.69, 40.72.155.199, 40.72.155.216
TCP port 443

Note: Developers can specify different ports when creating the subscriptions.

Inbound server traffic
24 Network Connection Status Indicator

Used by Windows 10 and 11 to determine if the computer is connected to the internet (does not apply to non-Windows clients). When this URL cannot be reached, Windows will assume it is not connected to the Internet and M365 Apps for Enterprise will not try to verify activation status, causing connections to Exchange and other services to fail.

www.msftconnecttest.com
13.107.4.52

Also see Manage connection endpoints for Windows 11 Enterprise and Manage connection endpoints for Windows 10 Enterprise, version 21H2.

Outbound server-only traffic
25 Teams Notifications on Mobile Devices

Used by Android and Apple mobile devices to receive push notifications to the Teams client for incoming calls and other Teams services. When these ports are blocked, all push notifications to mobile devices will fail.

For specific ports, see FCM ports and your firewall in the Google Firebase documentation and If your Apple devices aren't getting Apple push notifications. Outbound server-only traffic

Managing Office 365 endpoints

Monitor Microsoft 365 connectivity

Client connectivity

Content delivery networks

Azure IP Ranges and Service Tags – Public Cloud

Azure IP Ranges and Service Tags – US Government Cloud

Azure IP Ranges and Service Tags – Germany Cloud

Azure IP Ranges and Service Tags – China Cloud

Microsoft Public IP Space