Office 365 U.S. Government DoD endpoints

Applies To: Office 365 Admin

Summary: Office 365 requires connectivity to the Internet. The endpoints below should be reachable for customers using Office 365 U.S. Government DoD plans only.

Note

Microsoft has released a REST-based web service for the IP address and FQDN entries on this page. This new service will help you configure and update network perimeter devices such as firewalls and proxy servers. You can download the list of endpoints, the current version of the list, or specific changes. This service replaces the XML document linked from this page, which was deprecated on October 2, 2018. To try out this new service, go to Web service.

Office 365 endpoints: Worldwide (including GCC) | Office 365 operated by 21 Vianet | Office 365 Germany | Office 365 U.S. Government DoD | Office 365 U.S. Government GCC High |

Last updated: 10/1/2018 - RSS Change Log subscription
Download: the full list in JSON format

Start with Managing Office 365 endpoints to understand our recommendations for managing network connectivity using this data. Endpoints data is updated at the beginning of each month with new IP Addresses and URLs published 30 days in advance of being active. This allows for customers who do not yet have automated updates to complete their processes before new connectivity is required. Endpoints may also be updated during the month if needed to address support escalations, security incidents, or other immediate operational requirements. The data shown on this page below is all generated from the REST-based web services. If you are using a script or a network device to access this data, you should go to the Web service directly.

Endpoint data below lists requirements for connectivity from a user’s machine to Office 365. It does not include network connections from Microsoft into a customer network, sometimes called hybrid or inbound network connections.

The endpoints are grouped into four service areas. The first three service areas can be independently selected for connectivity. The fourth service area is a common dependency (called Microsoft 365 Common and Office Online) and must always have network connectivity.

Data columns shown are:

  • ID: The ID number of the row, also known as an endpoint set. This ID is the same as is returned by the web service for the endpoint set.

  • Category: Shows whether the endpoint set is categorized as “Optimize”, “Allow”, or “Default”. You can read about these categories and guidance for management of them at http://aka.ms/pnc. This column also lists which endpoint sets are required to have network connectivity. For endpoint sets which are not required to have network connectivity, we provide notes in this field to indicate what functionality would be missing if the endpoint set is blocked. If you are excluding an entire service area, the endpoint sets listed as required do not require connectivity.

  • ER: This is Yes if the endpoint set is supported over Azure ExpressRoute with Office 365 route prefixes. The BGP community that includes the route prefixes shown aligns with the service area listed. When ER is No, this means that ExpressRoute is not supported for this endpoint set. However, it should not be assumed that no routes are advertised for an endpoint set where ER is No. If you plan to use Azure AD Connect, read the special considerations section to ensure you have the appropriate Azure AD Connect configuration.

  • Addresses: Lists the FQDNs or wildcard domain names and IP Address ranges for the endpoint set. Note that an IP Address range is in CIDR format and may include many individual IP Addresses in the specified network.

  • Ports: Lists the TCP or UDP ports that are combined with the Addresses to form the network endpoint. You may notice some duplication in IP Address ranges where there are different ports listed.

Exchange Online

ID Category ER Addresses Ports
1 Optimize
Required
Yes outlook-dod.office365.us, webmail.apps.mil
40.66.24.0/21, 131.253.80.0/24, 131.253.83.64/26, 131.253.84.0/26, 131.253.84.128/26, 131.253.87.0/25, 131.253.87.128/28, 131.253.87.160/27, 131.253.87.192/28, 131.253.87.224/28, 131.253.88.16/28, 131.253.88.64/28, 131.253.88.80/28, 131.253.88.112/28, 131.253.88.176/28, 131.253.88.208/28, 131.253.88.224/28, 2001:489a:2200:500::/56
TCP: 443, 80
2 Default
Required
Yes domains.live.com
40.118.209.192/32, 168.62.190.41/32
TCP: 443, 80
4 Default
Required
Yes outlook-dod.office365.us, webmail.apps.mil TCP: 143, 25, 587, 993, 995
5 Default
Required
Yes autodiscover.<tenant>.mail.onmicrosoft.com, autodiscover.<tenant>.onmicrosoft.com TCP: 443, 80
6 Allow
Required
Yes *.protection.office365.us, *.scc.protection.apps.mil, scc.protection.apps.mil
23.103.191.0/24, 23.103.199.0/25, 23.103.204.0/22, 52.181.167.91/32, 52.182.95.219/32, 2001:489a:2202::/62, 2001:489a:2202:8::/62, 2001:489a:2202:2000::/63
TCP: 25, 443

SharePoint Online and OneDrive for Business

ID Category ER Addresses Ports
9 Optimize
Required
Yes *.dps.mil, *.sharepoint-mil.us
104.212.48.0/23, 2001:489a:2204::/63
TCP: 443, 80
10 Default
Required
No odc.officeapps.live.com, officeclient.microsoft.com, oneclient.sfx.ms, wns.windows.com TCP: 443, 80
19 Allow
Required
Yes *.od.apps.mil TCP: 443, 80

Skype for Business Online and Microsoft Teams

ID Category ER Addresses Ports
7 Optimize
Required
Yes *.dod.teams.microsoft.us, *.online.dod.skypeforbusiness.us, dod.teams.microsoft.us
52.127.64.0/21, 52.180.249.148/32, 52.180.252.118/32, 52.180.252.187/32, 52.180.253.137/32, 52.180.253.154/32, 52.181.165.243/32, 52.181.166.119/32, 52.181.167.43/32, 52.181.167.64/32, 52.181.200.104/32, 104.212.32.0/22, 104.212.60.0/23, 195.134.240.0/22
TCP: 443
UDP: 3478, 3479, 3480, 3481
8 Default
Required
Yes *.dod.teams.microsoft.us, *.online.dod.skypeforbusiness.us, dod.teams.microsoft.us TCP: 5061, 50000-59999
UDP: 50000-59999

Microsoft 365 Common and Office Online

ID Category ER Addresses Ports
11 Allow
Required
Yes *.dod.online.office365.us
52.127.80.0/23, 52.181.164.39/32, 52.182.95.191/32
TCP: 443
12 Default
Required
Yes *.dod.cdn.office365.us
52.181.164.39/32, 52.182.95.191/32
TCP: 443
13 Allow
Required
Yes *.gov.us.microsoftonline.com, adminwebservice.gov.us.microsoftonline.com, adminwebservice-s1-bn1a.microsoftonline.com, adminwebservice-s1-dm2a.microsoftonline.com, api.login.microsoftonline.com, becws.gov.us.microsoftonline.com, bws-s1-bn1a-relay.microsoftonline.com, bws-s1-bn1r-relay.microsoftonline.com, bws-s1-dm2a-relay.microsoftonline.com, bws-s1-dm2r-relay.microsoftonline.com, clientconfig.microsoftonline-p.net, hip.microsoftonline-p.net, hipservice.microsoftonline.com, login.microsoftonline.com, login.microsoftonline.us, login.microsoftonline-p.com, login.windows.net, loginex.microsoftonline.com, login-us.microsoftonline.com, monitoring.microsoftonline-p.com, nexus.microsoftonline-p.com, provisioningapi.gov.us.microsoftonline.com, provisioningapi-s1-dm2a.microsoftonline.com, provisioningapi-s1-dm2r.microsoftonline.com
13.71.201.64/26, 13.73.64.64/26, 13.73.208.128/25, 23.100.16.168/29, 23.100.32.136/29, 23.100.64.24/29, 23.100.72.32/29, 23.100.80.64/29, 23.100.120.64/29, 23.101.144.136/29, 23.101.165.168/29, 23.101.181.128/29, 40.113.192.16/29, 40.114.120.16/29, 52.126.194.0/23, 52.244.120.128/25, 65.52.1.16/29, 65.52.193.136/29, 104.42.72.16/29, 104.43.208.16/29, 104.43.240.16/29, 104.45.208.104/29, 104.46.112.8/29, 104.209.144.16/29, 104.210.48.8/29, 104.210.208.16/29, 104.211.16.16/29, 104.211.48.16/29, 104.215.96.24/29, 131.253.120.0/24, 157.55.59.128/25, 157.56.53.128/25, 157.56.58.0/25, 157.56.151.0/25
TCP: 443
14 Default
Required
No mscrl.microsoft.com, secure.aadcdn.microsoftonline-p.com TCP: 443
15 Allow
Required
Yes portal.apps.mil, webshell.dodsuite.office365.us, www.ohome.apps.mil
52.180.251.166/32, 52.181.160.19/32, 52.181.160.113/32, 52.182.92.132/32
TCP: 443
16 Allow
Required
Yes *.osi.apps.mil
52.127.72.0/21
TCP: 443
17 Default
Required
No activation.sls.microsoft.com, crl.microsoft.com, go.microsoft.com, insertmedia.bing.office.net, ocsa.officeapps.live.com, ocsredir.officeapps.live.com, ocws.officeapps.live.com, office15client.microsoft.com, officecdn.microsoft.com, officecdn.microsoft.com.edgesuite.net, officepreviewredir.microsoft.com, officeredir.microsoft.com, ols.officeapps.live.com, r.office.microsoft.com TCP: 443, 80
18 Default
Required
No cdn.odc.officeapps.live.com, odc.officeapps.live.com, officeclient.microsoft.com TCP: 443, 80

Notes for this table:

  • The Security and Compliance Center (SCC) provides support for Azure ExpressRoute for Office 365. The same applies for many features exposed through the SCC such as Reporting, Auditing, Advanced eDiscovery, Unified DLP, and Data Governance. Two specific features, PST Import and eDiscovery Export, currently do not support Azure ExpressRoute with only Office 365 route filters due to their dependency on Azure Blob Storage. To consume those features, you need separate connectivity to Azure Blob Storage using any supportable Azure connectivity options, which include Internet connectivity or Azure ExpressRoute with Azure Public route filters. You have to evaluate establishing such connectivity for both of those features. The Office 365 Information Protection team is aware of this limitation and is actively working to bring support for Azure ExpressRoute for Office 365 as limited to Office 365 route filters for both of those features.

  • There are additional optional endpoints for Office 365 ProPlus that are not listed and are not required for users to launch Office 365 ProPlus applications and edit documents. Optional endpoints are hosted in Microsoft datacenters and do not process, transmit, or store customer data. We recommend that user connections to these endpoints be directed to the default Internet egress perimeter.