Additional endpoints not included in the Office 365 IP Address and URL Web service

Some network endpoints that were previously published are not included in the Office 365 IP Address and URL Web Service. The web service covers only the network endpoints required for connectivity from a user of Office 365 across an enterprise perimeter network. It currently does not include:

  1. Network connectivity that may be required from a Microsoft datacenter to a customer network (inbound hybrid server network traffic).
  2. Network connectivity from servers on a customer network across the enterprise perimeter (outbound server network traffic).
  3. Uncommon scenarios for network connectivity requirements from a user.
  4. DNS resolution connectivity requirement (not listed below).
  5. Internet Explorer or Microsoft Edge Trusted Sites.

Apart from DNS, these are all optional for most customers unless you need the specific scenario that is described.

| Row | Purpose | Destination | Type |
|---|---|---|---|
| 1 | Import Service for PST and file ingestion | Refer to the Import Service for additional requirements. | Uncommon outbound scenario |
| 2 | Microsoft Support and Recovery Assistant for Office 365 | | Outbound server traffic |
| 3 | Azure AD Connect (w/SSO option) – WinRM & remote PowerShell | Customer STS environment (AD FS Server and AD FS Proxy), TCP ports 80 & 443 | Inbound server traffic |
| 4 | STS such as AD FS Proxy server(s) (for federated customers only) | Customer STS (such as AD FS Proxy), ports TCP 443 or TCP 49443 w/ClientTLS | Inbound server traffic |
| 5 | Exchange Online Unified Messaging/SBC integration | Bidirectional between on-premises Session Border Controller and * | Outbound server only traffic |
| 6 | Mailbox Migration. When mailbox migration is initiated from on-premises Exchange Hybrid to Office 365, Office 365 will connect to your published Exchange Web Services (EWS)/Mailbox Replication Services (MRS) server. If you need the NAT IP addresses used by Exchange Online servers to restrict inbound connections from specific source IP ranges, they are listed in Office 365 URL & IP ranges under the "Exchange Online" service area.<br>Care should be taken to ensure that access to published EWS endpoints like OWA is not impacted by ensuring the MRS proxy resolves to a separate FQDN and public IP address before restricting TCP 443 connections from specific source IP ranges. | Customer on-premises EWS/MRS Proxy<br>TCP port 443 | Inbound server traffic |
| 7 | Exchange Hybrid co-existence functions such as Free/Busy sharing. | Customer on-premises Exchange server | Inbound server traffic |
| 8 | Exchange Hybrid proxy authentication | Customer on-premises STS | Inbound server traffic |
| 9 | Used to configure Exchange Hybrid, using the Exchange Hybrid Configuration Wizard<br>Note: These endpoints are only required to configure Exchange hybrid on TCP ports 80 & 443, only required for Exchange 2010 SP3 Hybrid Configuration Wizard | GCC High, DoD IP addresses:<br>Worldwide Commercial & GCC: | Outbound server only traffic |
| 10 | The AutoDetect service is used in Exchange Hybrid scenarios with Hybrid Modern Authentication with Outlook for iOS and Android | Customer on-premises Exchange server on TCP 443 | Inbound server traffic |
| 11 | Exchange hybrid Azure AD authentication | * | TCP outbound server only traffic |
| 12 | Skype for Business in Office 2016 includes video based screen sharing which uses UDP ports. Prior Skype for Business clients in Office 2013 and earlier used RDP over TCP port 443. | TCP port 443 open to | Skype for Business older client versions in Office 2013 and earlier |
| 13 | Skype for Business hybrid on-premises server connectivity to Skype for Business Online | UDP ports 50,000-59,999<br>TCP ports 50,000-59,999; 5061 | Skype for Business on-premises server outbound connectivity |
| 14 | Cloud PSTN with on-premises hybrid connectivity requires network connectivity open to the on-premises hosts. For more details about Skype for Business Online hybrid configurations | See Plan hybrid connectivity between Skype for Business Server and Office 365 | Skype for Business on-premises hybrid inbound |
| 15 | Authentication and identity FQDNs<br>The FQDN needs to be in your client's Internet Explorer (IE) or Edge Trusted Sites Zone to function. | | Trusted Sites |
| 16 | Microsoft Teams FQDNs<br>If you are using Internet Explorer or Microsoft Edge, you need to enable first and third-party cookies and add the FQDNs for Teams to your Trusted Sites. This is in addition to the suite-wide FQDNs, CDNs, and telemetry listed in row 14. See Known issues for Microsoft Teams for more information. | | Trusted Sites |
| 17 | SharePoint Online and OneDrive for Business FQDNs<br>All '' FQDNs with '<tenant>' in the FQDN need to be in your client's IE or Edge Trusted Sites Zone to function. In addition to the suite-wide FQDNs, CDNs, and telemetry listed in row 14, you'll need to also add these endpoints. | | Trusted Sites |
| 18 | Yammer<br>Yammer is only available in the browser and requires the authenticated user to be passed through a proxy. All Yammer FQDNs need to be in your client's IE or Edge Trusted Sites Zone to function. | | Trusted Sites |
| 19 | Use Azure AD Connect to sync on-premises user accounts to Azure AD. | See Hybrid Identity Required Ports and Protocols, Troubleshoot Azure AD connectivity, and Azure AD Connect Health Agent Installation. | Outbound server only traffic |
| 20 | Azure AD Connect with 21Vianet in China to sync on-premises user accounts to Azure AD. | *<br>Also see Troubleshoot ingress with Azure AD connectivity issues. | Outbound server only traffic |
| 21 | Microsoft Stream (needs the Azure AD user token).<br>Office 365 Worldwide (including GCC) | TCP port 443 | Inbound server traffic |
| 22 | Use MFA server for multifactor authentication requests, both new installations of the server and setting it up with Active Directory Domain Services (AD DS). | See Getting started with the Azure AD Multi-Factor Authentication Server. | Outbound server only traffic |
| 23 | Microsoft Graph Change Notifications<br>Developers can leverage change notifications to subscribe to events in the Microsoft Graph. | Public Cloud:<br>Microsoft Cloud for US Government:<br>Microsoft Cloud China operated by 21Vianet:<br>TCP port 443<br>Note: Developers can specify different ports when creating the subscriptions. | Inbound server traffic |
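The source-IP restriction described in row 6, as an added example that is not part of the original page: it collects the "Exchange Online" ranges from a constructed sample and flags TCP 443 connections to a dedicated MRS proxy address that come from outside them, while leaving the separate OWA address out of scope. The JSON field names (`serviceArea`, `ips`, `urls`), all addresses and the connection records are assumptions made for illustration.

```python
import ipaddress
import json

# Constructed sample; field names are assumed to match the web service's JSON
# output. Prefixes are documentation ranges, not Microsoft address space.
SAMPLE_ENDPOINTS = json.loads("""[
  {"id": 1, "serviceArea": "Exchange", "ips": ["198.51.100.0/24", "2001:db8:100::/48"]},
  {"id": 2, "serviceArea": "Exchange", "urls": ["mail.example.test"]},
  {"id": 3, "serviceArea": "SharePoint", "ips": ["203.0.113.0/25"]}
]""")

MRS_PROXY_IP = "192.0.2.10"  # hypothetical dedicated public IP of the MRS proxy FQDN
OWA_IP = "192.0.2.20"        # hypothetical separate public IP serving OWA/EWS users

# Constructed inbound connection records: (source IP, destination IP, TCP port)
CONNECTIONS = [
    ("198.51.100.7", MRS_PROXY_IP, 443),     # inside an Exchange Online range
    ("2001:db8:100::5", MRS_PROXY_IP, 443),  # inside the IPv6 range
    ("203.0.113.9", MRS_PROXY_IP, 443),      # SharePoint range, not Exchange Online
    ("203.0.113.200", MRS_PROXY_IP, 443),    # unrelated Internet source
    ("203.0.113.200", OWA_IP, 443),          # user reaching OWA: must stay open
]


def exchange_online_networks(endpoints):
    """Return the IP networks published for the Exchange Online service area."""
    nets = set()
    for ep in endpoints:
        if ep.get("serviceArea") != "Exchange":
            continue
        for cidr in ep.get("ips", []):  # URL-only endpoint sets carry no "ips"
            nets.add(ipaddress.ip_network(cidr))
    return sorted(nets, key=lambda n: (n.version, n))


def unexpected_mrs_sources(connections, mrs_proxy_ip, allowed):
    """Sources that reached the MRS proxy on TCP 443 from outside `allowed`."""
    flagged = []
    for src, dst, port in connections:
        if dst != mrs_proxy_ip or port != 443:
            continue  # the restriction applies only to the MRS proxy address
        addr = ipaddress.ip_address(src)
        if not any(addr.version == n.version and addr in n for n in allowed):
            flagged.append(src)
    return flagged


if __name__ == "__main__":
    nets = exchange_online_networks(SAMPLE_ENDPOINTS)
    print(unexpected_mrs_sources(CONNECTIONS, MRS_PROXY_IP, nets))
```

Running the same check against recent firewall logs before enforcing the restriction shows which existing sources would be cut off.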

Managing Office 365 endpoints

Monitor Microsoft 365 connectivity

Client connectivity

Content delivery networks

Azure IP Ranges and Service Tags – Public Cloud

Azure IP Ranges and Service Tags – US Government Cloud

Azure IP Ranges and Service Tags – Germany Cloud

Azure IP Ranges and Service Tags – China Cloud

Microsoft Public IP Space