IP address configuration
The IP addresses from which Power Automate requests are sent depends on the region where the environment that contains the flow is located. We don't currently publish FQDNs available for flow scenarios.
Important
Some calls a cloud flow makes may come from IP addresses that are listed in the Logic apps documentation. Some examples of these calls include HTTP or HTTP + OpenAPI.
You should also consult the Limits and Configuration article for a supplemental listing for known IP addresses that Power Automate uses.
Note
Starting May 2022, Azure Logic Apps begins to enable availability zones in select regions for new Consumption logic apps. To support this capability, new IP addresses have been published for the Azure Logic Apps service and managed connectors. To ensure flows continue to work after this date, update your firewall configuration to include both the IP addresses for Azure Logic Apps and the IP addresses for managed connectors in the supported regions. For more information, see Azure Logic Apps - Set up zone redundancy with availability zones.
Logic Apps
Calls made from a cloud flow go directly through the Azure Logic App service. Some examples of these calls include HTTP or HTTP + Open API. Please reference the Logic apps documentation for which IP addresses are used by that service.
Connectors
Calls made from a connector in a cloud flow (for example, the SQL API or the SharePoint API) come from these IP addresses.
If you must authorize IP addresses for your Azure SQL database, you should use these addresses.
Required services
The following table lists the services to which Power Automate connects. Ensure none of these services are blocked on your network.
| Domains | Protocols | Uses |
|---|---|---|
| management.azure.com | https | Access to the Azure Resource Manager. |
| login.microsoft.com login.windows.net login.microsoftonline.com login.live.com secure.aadcdn.microsoftonline-p.com |
https | Access to authentication and authorization endpoints. |
| graph.microsoft.com | https | Access to Microsoft graph - for getting user information such as a profile photo. |
| *.azure-apim.net | https | Access to the Runtime for Connectors. |
| *.flow.microsoft.com | https | Access to the Power Automate site. |
| *.powerautomate.com | https | Access to Power Automate site. |
| *.powerapps.com | https | Access to the Power Apps site. |
| *.azureedge.net | https | Access to the Power Automate CDN. |
| nps.onyx.azure.net | https | Access to NPS (Net Promoter Score). |
| webshell.suite.office.com | https | Access to Office for header and search. Please see the Office 365 urls and ranges for more details. |
| *.dynamics.com | https | Access to Dataverse tables |
| go.microsoft.com | https | Access to the Power Automate to check for updates |
| download.microsoft.com | https | Access to the Power Automate to check for updates |
| login.partner.microsoftonline.cn | https | Access to the Power Automate for desktop cloud discovery |
Approval email delivery
Please see the approvals email delivery article for details about approvals email routing.
Desktop flows services required for runtime
The following table lists endpoint data requirements for connectivity from a user's machine for desktop flows runs.
| Endpoint type | Domains | Protocols | Uses |
|---|---|---|---|
| Worldwide endpoints | ocsp.digicert.com ocsp.msocsp.com mscrl.microsoft.com crl3.digicert.com crl4.digicert.com |
http | Access to the CRL server for the public cloud. Needed when connecting through the on-premises data gateway. |
| U.S. Government GCC and GCC High endpoints | ocsp.digicert.com crl3.digicert.com crl4.digicert.com |
http | Access to the CRL server for US government cloud. Needed when connecting through the on-premises data gateway. |
| 21Vianet operated endpoints | crl.digicert.cn ocsp.digicert.cn |
http | Access to the CRL servers for 21Vianet operated cloud. Needed when connecting through the on-premises data gateway. |
| All endpoints | msedgedriver.azureedge.net chromedriver.storage.googleapis.com |
https | Access to UI Flows WebDriver downloaders. |
| Worldwide endpoints | *.servicebus.windows.net | https | Listens on Service Bus Relay over TCP. Needed for new machine connectivity. |
| U.S. Goverment endpoints | *.servicebus.usgovcloudapi.net | https | Listens on Service Bus Relay for US government cloud. Needed for new machine connectivity. |
Feedback
Submit and view feedback for