Additional endpoints not included in the Office 365 IP Address and URL Web service
Some network endpoints were previously published and have not been included in the Office 365 IP Address and URL Web Service. The web service scope is network endpoints that are required for connectivity from a user of Office 365 across an enterprise perimeter network. This currently does not include:
- Network connectivity that may be required from a Microsoft datacenter to a customer network (inbound hybrid server network traffic).
- Network connectivity from servers on a customer network across the enterprise perimeter (outbound server network traffic).
- Uncommon scenarios for network connectivity requirements from a user.
- DNS resolution connectivity requirement (not listed below).
- Internet Explorer or Microsoft Edge Trusted Sites.
Apart from DNS, these are all optional for most customers unless you need the specific scenario that is described.
|1||Import Service for PST and file ingestion||Refer to the Import Service for additional requirements.||Uncommon outbound scenario|
|2||Microsoft Support and Recovery Assistant for Office 365 - validate single sign-on user credentials. Source:
||On-premises security token service||Inbound server traffic|
|3||Azure AD Connect (w/SSO option) – WinRM & remote PowerShell||Customer STS environment (AD FS Server and AD FS Proxy) | TCP ports 80 & 443||Inbound server traffic|
|4||STS such as AD FS Proxy server(s) (for federated customers only)||Customer STS (such as AD FS Proxy) | Ports TCP 443 or TCP 49443 w/ClientTLS||Inbound server traffic|
|5||Exchange Online Unified Messaging/SBC integration||Bidirectional between on-premises Session Border Controller and *.um.outlook.com||Outbound server only traffic|
|6||Mailbox Migration. When mailbox migration is initiated from on-premises Exchange Hybrid to Office 365, Office 365 will connect to your published Exchange Web Services (EWS)/Mailbox Replication Services (MRS) server. If you need the NAT IP addresses used by Exchange Online servers to restrict inbound connections from specific source IP ranges, they are listed in Office 365 URL & IP ranges under the "Exchange Online" service area. Care should be taken to ensure that access to published EWS endpoints like OWA is not impacted by ensuring the MRS proxy resolves to a separate FQDN and public IP address before restricting TCP 443 connections from specific source IP ranges.||Customer on-premises EWS/MRS Proxy
TCP port 443
|Inbound server traffic|
|7||Exchange Hybrid co-existence functions such as Free/Busy sharing.||Customer on-premises Exchange server||Inbound server traffic|
|8||Exchange Hybrid proxy authentication||Customer on-premises STS||Inbound server traffic|
|9||Used to configure Exchange Hybrid, using the Exchange Hybrid Configuration Wizard
Note: These endpoints are only required to configure Exchange hybrid
|domains.live.com on TCP ports 80 & 443, only required for Exchange 2010 SP3 Hybrid Configuration Wizard
GCC High, DoD IP addresses: 18.104.22.168/32; 22.214.171.124/32
Worldwide Commercial & GCC: *.store.core.windows.net; asl.configure.office.com; mshrcstorageprod.blob.core.windows.net; tds.configure.office.com; mshybridservice.trafficmanager.net
|Outbound server only traffic|
|10||The AutoDetect service is used in Exchange Hybrid scenarios with Hybrid Modern Authentication with Outlook for iOS and Android
||Customer on-premises Exchange server on TCP 443||Inbound server traffic|
|11||Skype for Business in Office 2016 includes video based screen sharing which uses UDP ports. Prior Skype for Business clients in Office 2013 and earlier used RDP over TCP port 443.||TCP port 443 open to 126.96.36.199/14||Skype for Business older client versions in Office 2013 and earlier|
|12||Skype for Business hybrid on-premises server connectivity to Skype for Business Online||188.8.131.52/18, 184.108.40.206/14
UDP ports 50,000-59,999
TCP ports 50,000-59,999; 5061
|Skype for Business on-premises server outbound connectivity|
|13||Cloud PSTN with on-premises hybrid connectivity requires network connectivity open to the on-premises hosts. For more details about Skype for Business Online hybrid configurations||See Plan hybrid connectivity between Skype for Business Server and Office 365||Skype for Business on-premises hybrid inbound|
|14||Authentication and identity FQDNs
|15||Microsoft Teams FQDNs
If you are using Internet Explorer or Microsoft Edge, you need to enable first and third-party cookies and add the FQDNs for Teams to your Trusted Sites. This is in addition to the suite-wide FQDNs, CDNs, and telemetry listed in row 14. See Known issues for Microsoft Teams for more information.
|16||SharePoint Online and OneDrive for Business FQDNs
All '.sharepoint.com' FQDNs with '<tenant>' in the FQDN need to be in your client's IE or Edge Trusted Sites Zone to function. In addition to the suite-wide FQDNs, CDNs, and telemetry listed in row 14, you'll need to also add these endpoints.
Yammer is only available in the browser and requires the authenticated user to be passed through a proxy. All Yammer FQDNs need to be in your client's IE or Edge Trusted Sites Zone to function.
|18||Use Azure AD Connect to sync on-premises user accounts to Azure AD.||See Hybrid Identity Required Ports and Protocols, Troubleshoot Azure AD connectivity, and Azure AD Connect Health Agent Installation.||Outbound server only traffic|
|19||Microsoft Stream (needs the Azure AD user token).
Office 365 Worldwide (including GCC)
TCP port 443
|Inbound server traffic|
|20||Use MFA server for multifactor authentication requests, both new installations of the server and setting it up with Active Directory Domain Services (AD DS).||See Getting started with the Azure Multi-Factor Authentication Server.||Outbound server only traffic|