US government endpoints for Microsoft Intune

This page lists the US Government, US Government Community (GCC) High, and Department of Defense (DoD) endpoints needed for proxy settings in your Intune deployments.

To manage devices behind firewalls and proxy servers, you must enable communication for Intune.

  • The proxy server must support both HTTP (80) and HTTPS (443) because Intune clients use both protocols
  • For some tasks (like downloading software updates), Intune requires unauthenticated proxy server access to manage.microsoft.us

You can modify proxy server settings on individual client computers. You can also use Group Policy settings to change settings for all client computers located behind a specified proxy server.

Managed devices require configurations that let All Users access services through firewalls.

Note

Inspection of SSL traffic is not supported on the 'manage.microsoft.us' or 'has.spserv.microsoft.com' endpoints.
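One way to check a proxy policy against the requirements above before rollout. This is an added example, not Microsoft's tooling. The rule schema, the first-match evaluation order, the treatment of subdomains, and applying ports 80 and 443 to every host are assumptions; the hostnames are taken from this page's endpoint lists.

```python
from fnmatch import fnmatchcase

# Hosts named on this page that clients behind the proxy must reach.
REQUIRED_HOSTS = [
    "manage.microsoft.us", "portal.manage.microsoft.us",
    "has.spserv.microsoft.com", "enterpriseregistration.microsoftonline.us",
    "login.microsoftonline.us", "portal.azure.us",
]
REQUIRED_PORTS = {80, 443}  # assumption: the page's HTTP/HTTPS rule applies to every host
NO_TLS_INSPECTION = ("manage.microsoft.us", "has.spserv.microsoft.com")
NO_PROXY_AUTH = ("manage.microsoft.us",)

def in_domain(host, domains):
    # Assumption: a requirement stated for a domain also covers its subdomains.
    return any(host == d or host.endswith("." + d) for d in domains)

def first_match(rules, host):
    # Assumption: rules are evaluated top-down and the first matching pattern wins.
    for r in rules:
        if fnmatchcase(host, r["pattern"].lower()):
            return r
    return None

def audit(rules):
    """Return (host, problem) findings for a proxy rule list."""
    findings = []
    for host in REQUIRED_HOSTS:
        r = first_match(rules, host)
        if r is None or r["action"] != "allow":
            findings.append((host, "not allowed"))
            continue
        missing = sorted(REQUIRED_PORTS - set(r["ports"]))
        if missing:
            findings.append((host, "ports blocked: " + ",".join(map(str, missing))))
        if r["tls_inspect"] and in_domain(host, NO_TLS_INSPECTION):
            findings.append((host, "TLS inspection enabled"))
        if r["auth"] and in_domain(host, NO_PROXY_AUTH):
            findings.append((host, "proxy authentication required"))
    return findings

def make_rule(pattern, action, ports=(), tls_inspect=False, auth=False):
    return dict(pattern=pattern, action=action, ports=ports, tls_inspect=tls_inspect, auth=auth)

# Constructed sample policy in a hypothetical schema, not a real product export.
SAMPLE_RULES = [
    make_rule("has.spserv.microsoft.com", "allow", (80, 443), auth=True),
    make_rule("*.manage.microsoft.us", "allow", (443,)),
    make_rule("*.microsoft.us", "allow", (80, 443), tls_inspect=True, auth=True),
    make_rule("*.microsoftonline.us", "allow", (80, 443), tls_inspect=True, auth=True),
    make_rule("*", "deny"),
]
```

In the sample policy the wildcard `*.manage.microsoft.us` does not match the apex host `manage.microsoft.us`, so that host falls through to the broader rule that inspects TLS and requires authentication; `audit(SAMPLE_RULES)` reports this.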

For more information about Windows 10 auto-enrollment and device registration for US government customers, see Set up automatic enrollment for Windows.

The following tables list the ports and services that the Intune client accesses:

Endpoint: *.manage.microsoft.us
IP addresses:

  • 52.227.99.114
  • 20.141.108.112
  • 13.72.17.166
  • 52.126.185.115
  • 52.227.211.91
  • 23.97.10.212
  • 52.227.29.124
  • 52.247.174.16
  • 52.227.29.244
  • 52.227.208.144
  • 52.227.1.233
  • 20.141.104.221
  • 52.247.134.218
  • 20.141.78.227
  • 13.77.236.201

Endpoint: enterpriseregistration.microsoftonline.us
IP addresses:

  • 13.72.188.239
  • 13.72.55.179

US Government customer designated endpoints:

  • Azure portal: https://portal.azure.us/
  • Microsoft 365: https://portal.office365.us/
  • Intune Company Portal: https://portal.manage.microsoft.us/
  • Microsoft Intune admin center: https://intune.microsoft.us/

Network requirements for PowerShell scripts and Win32 apps

If you're using Intune to deploy PowerShell scripts or Win32 apps, you'll also need to grant access to the endpoints for the Azure Scale Unit (ASU) in which your tenant currently resides.

Azure Scale Unit (ASU): FXPASU01

Storage name:

  • sovereignprodimedatapri
  • sovereignprodimedatasec
  • sovereignprodimedatahotfix

CDN:

  • sovereignprodimedatapri.azureedge.net
  • sovereignprodimedatasec.azureedge.net
  • sovereignprodimedatahotfix.azureedge.net

Partner service endpoints that Intune depends on:

  • Azure AD Sync service: https://syncservice.gov.us.microsoftonline.com/DirectoryService.svc
  • Evo STS: https://login.microsoftonline.us
  • Directory Proxy: https://directoryproxy.microsoftazure.us/DirectoryProxy.svc
  • Azure AD Graph: https://directory.microsoftazure.us and https://graph.microsoftazure.us
  • MS Graph: https://graph.microsoft.us
  • ADRS: https://enterpriseregistration.microsoftonline.us

Windows Push Notification Services

On Intune-managed devices that are managed by using Mobile Device Management (MDM), Windows Push Notification Services (WNS) is required for device actions and other immediate activities. For more information, see Enterprise Firewall and Proxy Configurations to Support WNS Traffic.

Apple device network information

Used for: Retrieving and displaying content from Apple servers
Hostname (IP address/subnet):

  • itunes.apple.com
  • *.itunes.apple.com
  • *.mzstatic.com
  • *.phobos.apple.com
  • *.phobos.itunes-apple.com.akadns.net

Protocol: HTTP
Port: 80

Used for: Communication with APNS servers
Hostname (IP address/subnet):

  • #-courier.push.apple.com ('#' is a random number from 0 to 50.)

Protocol: TCP
Port: 5223 and 443

Used for: Various functions including accessing the internet, iTunes store, macOS app store, iCloud, messaging, etc.
Hostname (IP address/subnet):

  • phobos.apple.com
  • ocsp.apple.com
  • ax.itunes.apple.com
  • ax.itunes.apple.com.edgesuite.net

Protocol: HTTP/HTTPS
Port: 80 or 443

For more information, see:

Next steps

Network endpoints for Microsoft Intune