Additional endpoints not included in the Office 365 IP Address and URL Web service

Some network endpoints were previously published and have not been included in the Office 365 IP Address and URL Web Service. The web service scope is network endpoints that are required for connectivity from a user of Office 365 across an enterprise perimeter network. This currently does not include:

  1. Network connectivity that may be required from a Microsoft datacenter to a customer network (inbound hybrid server network traffic).
  2. Network connectivity from servers on a customer network across the enterprise perimeter (outbound server network traffic).
  3. Uncommon scenarios for network connectivity requirements from a user.
  4. DNS resolution connectivity requirement (not listed below).
  5. Internet Explorer or Microsoft Edge Trusted Sites.

Apart from DNS, these are all optional for most customers unless you need the specific scenario that is described.

Row Purpose Destination Type
1 Import Service for PST and file ingestion Refer to the Import Service for additional requirements. Uncommon outbound scenario
2 Microsoft Support and Recovery Assistant for Office 365 - validate single sign-on user credentials. Source:
o365diagnosticsbasic-eus.cloudapp.net (104.211.54.99)
o365diagnosticworker-eus.cloudapp.net (104.211.54.134)
On-premises security token service Inbound server traffic
3 Azure AD Connect (w/SSO option) – WinRM & remote PowerShell Customer STS environment (AD FS Server and AD FS Proxy) | TCP ports 80 & 443 Inbound server traffic
4 STS such as AD FS Proxy server(s) (for federated customers only) Customer STS (such as AD FS Proxy) | Ports TCP 443 or TCP 49443 w/ClientTLS Inbound server traffic
5 Exchange Online Unified Messaging/SBC integration Bidirectional between on-premises Session Border Controller and *.um.outlook.com Outbound server only traffic
6 Mailbox Migration. When mailbox migration is initiated from on-premises Exchange Hybrid to Office 365, Office 365 will connect to your published Exchange Web Services (EWS)/Mailbox Replication Services (MRS) server. If you need the NAT IP addresses used by Exchange Online servers to restrict inbound connections from specific source IP ranges, they are listed in Office 365 URL & IP ranges under the "Exchange Online" service area. Care should be taken to ensure that access to published EWS endpoints like OWA is not impacted by ensuring the MRS proxy resolves to a separate FQDN and public IP address before restricting TCP 443 connections from specific source IP ranges. Customer on-premises EWS/MRS Proxy
TCP port 443
Inbound server traffic
7 Exchange Hybrid co-existence functions such as Free/Busy sharing. Customer on-premises Exchange server Inbound server traffic
8 Exchange Hybrid proxy authentication Customer on-premises STS Inbound server traffic
9 Used to configure Exchange Hybrid, using the Exchange Hybrid Configuration Wizard.
Note: These endpoints are only required to configure Exchange hybrid
domains.live.com on TCP ports 80 & 443, only required for Exchange 2010 SP3 Hybrid Configuration Wizard. Outbound server only traffic
10 The AutoDetect service is used in Exchange Hybrid scenarios with Hybrid Modern Authentication with Outlook for iOS and Android

*.acompli.net

*.outlookmobile.com

*.outlookmobile.us

52.125.128.0/20
52.127.96.0/23
Customer on-premises Exchange server on TCP 443 Inbound server traffic
11 Skype for Business in Office 2016 includes video based screen sharing which uses UDP ports. Prior Skype for Business clients in Office 2013 and earlier used RDP over TCP port 443. TCP port 443 open to 52.112.0.0/14 Skype for Business older client versions in Office 2013 and earlier
12 Skype for Business hybrid on-premises server connectivity to Skype for Business Online 13.107.64.0/18, 52.112.0.0/14 UDP ports 50,000-59,999
TCP ports 50,000-59,999
Skype for Business on-premises server outbound connectivity
13 Cloud PSTN with on-premises hybrid connectivity requires network connectivity open to the on-premises hosts. For more details about Skype for Business Online hybrid configurations See Skype for Business Hybrid Solution Skype for Business on-premises hybrid inbound
14 Authentication and identity FQDNs
The FQDN secure.aadcdn.microsoftonline-p.com needs to be in your client's Internet Explorer (IE) or Edge Trusted Sites Zone to function.
Trusted Sites
15 Microsoft Teams FQDNs
If you are using Internet Explorer or Microsoft Edge, you need to enable first and third-party cookies and add the FQDNs for Teams to your Trusted Sites. This is in addition to the suite-wide FQDNs, CDNs, and telemetry listed above. See Known issues for Microsoft Teams for more information.
Trusted Sites
16 SharePoint Online and OneDrive for Business FQDNs
All '.sharepoint.com' FQDNs with '<tenant>' in the FQDN need to be in your client's IE or Edge Trusted Sites Zone to function. In addition to the suite-wide FQDNs, CDNs, and telemetry listed above, you'll need to also add these endpoints.
Trusted Sites
17 Yammer
Yammer is only available in the browser and requires the authenticated user to be passed through a proxy. All Yammer FQDNs need to be in your client's IE or Edge Trusted Sites Zone to function.
Trusted Sites

Managing Office 365 endpoints

Troubleshooting Office 365 connectivity

Client connectivity

Content delivery networks

Microsoft Azure Datacenter IP Ranges

Microsoft Public IP Space