Office 365 endpoints reference

If your organization uses Office 365 and restricts computers on your network from connecting to the internet, below you'll find the endpoints (FQDNs, Ports, URLs, IPv4, and IPv6 address ranges) that you should include in your outbound allow lists to ensure your computers can successfully use Office 365.

Worldwide endpoints (including Office 365 U.S. Government Community): Office 365

National cloud endpoints: Office 365 operated by 21 Vianet | Office 365 Germany | Office 365 U.S. Government

Download: the endpoints in XML format

Important: Office 365 requires internet connectivity from every computer connecting to the service. Please refer to our guide to help you plan your network configuration if you're unable to provide unfiltered access to the internet.

Office 365 shared services

To use any Office 365 services for any SKU, you must be able to connect to these shared services.

Unless otherwise noted, the source of the network request is the client or server and the expected credentials are those of the logged-on user. This means you should avoid proxy authentication where possible to improve performance.

Please allow port TCP 80 for redirects and TCP 443 for network traffic unless otherwise noted.

IP addresses are listed in the API unless otherwise noted

Required FQDNs accessible over the internet and ExpressRoute

The destination of the following endpoints is within a Microsoft datacenter.

Row

These endpoints are required for all Office 365 services

Bypass your proxy for these FQDNs (example)

1

Office 365 Portal (wildcard)

*.office365.com (footnote 1)

2

Office 365 Portal

home.office.com

portal.office.com

agent.office.net

www.office.com

outlook.office365.com

signup.microsoft.com

suite.office.net

account.office.net

3

Office 365 Authentication

api.login.microsoftonline.com

clientconfig.microsoftonline-p.net

device.login.microsoftonline.com

hip.microsoftonline-p.net

hipservice.microsoftonline.com

login.microsoft.com

login.microsoftonline.com

logincert.microsoftonline.com

loginex.microsoftonline.com

login-us.microsoftonline.com

login.microsoftonline-p.com

nexus.microsoftonline-p.com

stamp2.login.microsoftonline.com

login.windows.net

*.microsoftonline.com

provisioningapi.microsoftonline.com

adminwebservice.microsoftonline.com

4

Office Online (footnote 2)

*broadcast.officeapps.live.com

*excel.officeapps.live.com

*onenote.officeapps.live.com

*powerpoint.officeapps.live.com

*view.officeapps.live.com

*visio.officeapps.live.com

*word-edit.officeapps.live.com

*word-view.officeapps.live.com

5

Office 365 Cloud App Security

*.portal.cloudappsecurity.com

6

Office 365 Delve

delve.office.com

apc.delve.office.com

aus.delve.office.com

can.delve.office.com

eur.delve.office.com

gbr.delve.office.com

ind.delve.office.com

jpn.delve.office.com

kor.delve.office.com

lam.delve.office.com

nam.delve.office.com

1 There are specific sub-FQDNs within this domain that are available on ExpressRoute; learn more in the section "Deciding which applications and features route over ExpressRoute."

2 The wildcards under the officeapps.live.com namespace, such as *visio.officeapps.live.com, represent a list of 20+ regional nodes that is subject to change as the service expands.

Note: ExpressRoute for Office 365 currently does not support IPv6. Customers not using ExpressRoute will want to ensure both IP lists below are reachable over the internet.

IPv4 endpoints

IPv6 endpoints


Office 365 Certificate Revocation List (Root URLs)

*.entrust.net
*.geotrust.com
*.omniroot.com
*.public-trust.com
*.symcb.com
*.symcd.com
*.verisign.com
*.verisign.net
aia.entrust.net
apps.identrust.com
cacert.a.omniroot.com
cacert.omniroot.com
cacerts.digicert.com
cdp1.public-trust.com
cert.int-x3.letsencrypt.org
crl.entrust.net
crl.globalsign.com
crl.globalsign.net
crl.identrust.com
crl.microsoft.com
crl3.digicert.com
crl4.digicert.com
EVIntl-aia.verisign.com
EVIntl-crl.verisign.com
EVIntl-ocsp.verisign.com
evsecure-aia.verisign.com
EVSecure-crl.verisign.com
EVSecure-ocsp.verisign.com
isrg.trustid.ocsp.identrust.com
mscrl.microsoft.com
ocsp.digicert.com
ocsp.entrust.net
ocsp.globalsign.com
ocsp.int-x3.letsencrypt.org
ocsp.msocsp.com
ocsp.omniroot.com
ocsp2.globalsign.com
ocspx.digicert.com
s1.symcb.com
s2.symcb.com
sa.symcb.com
sd.symcb.com
secure.globalsign.com
sr.symcb.com
sr.symcd.com
su.symcb.com
su.symcd.com
vassg142.crl.omniroot.com
vassg142.ocsp.omniroot.com
www.digicert.com
www.microsoft.com

The following may point to CDNs

If you’re using Active Directory Federation Services (AD FS) with your deployment, you can also use AD FS client access policies with Windows Server 2012 R2 or client access policies with AD FS 2.0 to further restrict and control access to Office 365.

Row

These endpoints are only required if you're using Office 365 with one of these Azure services

Bypass your proxy for these FQDNs (example)

1

Azure AD Connect (w/SSO option) – WinRM & remote PowerShell

Customer STS environment (AD FS Server and AD FS Proxy)

2

STS such as AD FS Proxy server(s) (for federated customers only)

Client or Server / N/A

Customer STS (such as AD FS Proxy) | Ports TCP 443 or TCP 49443 w/ClientTLS

3

AD FS Proxy server(s) (for federated customers only)

Customer AD FS Proxy (WAP) | N/A

Customer AD FS Server (FS)

4

Azure Rights Management (RMS)

*.aadrm.com

*.azurerms.com

ecn.dev.virtualearth.net

*.cloudapp.net (footnote 1)

5

Rights Management connector

On-premises server

*.aadrm.com

6

Azure AD Connect Health

Azure AD Connect Health Server | Service Account

management.azure.com

*.blob.core.windows.net

*.queue.core.windows.net

*.servicebus.windows.net - Port: 5671 (If 5671 is blocked, agent falls back to 443, but using 5671 is recommended.)

*.adhybridhealth.azure.com

*.table.core.windows.net

policykeyservice.dc.ad.msft.net

7

Multi-factor authentication (MFA)

account.activedirectory.windowsazure.com

The following may point to CDNs

Row

These optional and required endpoints are for the following purposes

Send these through your proxy

4

Required: Content Delivery Network for Office Web Apps

*.cdn.office.net

Required: Authentication

accesscontrol.windows.net

secure.aadcdn.microsoftonline-p.com

6

Required: Some Office 365 features require endpoints within these domains.

Note: Many specific FQDNs within these wildcards have been published recently as we work to either remove or better explain our guidance relating to wildcards.

*.onmicrosoft.com

*.office.com

*.office.net

*.msedge.net

*.microsoft.com

*.msocdn.com

7

Optional: Shared infrastructure and support

portal.microsoftonline.com

clientlog.portal.office.com

nexus.officeapps.live.com

nexusrules.officeapps.live.com

support.office.com

products.office.com

templates.office.com

contentstorage.osi.office.net

technet.microsoft.com

amp.azure.net

assets.onestore.ms

auth.gfx.ms

browser.pipe.aria.microsoft.com

c.microsoft.com

c1.microsoft.com

connect.facebook.net

dgps.support.microsoft.com

mem.gfx.ms

platform.linkedin.com

support.content.office.net

video.osi.office.net

videocontent.osi.office.net

videoplayercdn.osi.office.net

10

Optional: Office 365 Management Pack for Operations Manager

Customer Operations Manager environment | Machine Account (footnote 1)

office365servicehealthcommunications.cloudapp.net

11

Optional: Import Service for PST and file ingestion

Refer to the Import Service for additional requirements.

13

Optional: Security and Compliance export

protection.office.com

*.blob.core.windows.net

office365zoom.cloudapp.net

equivioprod*.cloudapp.net

zoom-cs-prod*.cloudapp.net

equivio.office.com

compliance.outlook.com

14

Optional: Office 365 Management APIs

manage.office.com

15

Optional: Graph API (Graph.windows.net and Graph.Microsoft.com)

graph.microsoft.com

graph.windows.net

16

Optional: Discovery Service API

api.office.com

17

Optional: 3rd party office integration.

firstpartyapps.oaspapps.com

prod.firstpartyapps.oaspapps.com.akadns.net

telemetryservice.firstpartyapps.oaspapps.com

wus-firstpartyapps.oaspapps.com

18

Required: Microsoft Groups.

groupsapi-prod.outlookgroups.ms

groupsapi2-prod.outlookgroups.ms

groupsapi3-prod.outlookgroups.ms

groupsapi4-prod.outlookgroups.ms

rink.hockeyapp.net

sdk.hockeyapp.net

api.localytics.com

analytics.localytics.com

outlook.uservoice.com

20

Required: Required for Delve

res.delve.office.com

21

Required: Required for SecureScore

securescore.office.com

3

Optional: Legacy/temporary FQDNs

*.msecnd.net

*.microsoft.com

*.microsoftonline-p.com

*.microsoftonline-p.net

*.windows.net

*.microsoftonline.com

1 Keep in mind that machine accounts won’t work with proxies that require outbound authentication.

3 See additional information about supported services over Azure ExpressRoute and the Public peering path.

4 There are specific sub-FQDNs within this domain that are available on ExpressRoute; learn more in the section "Deciding which applications and features route over ExpressRoute."

3 This FQDN needs to be in your client's IE Trusted Sites Zone to function.

5 There are specific sub-FQDNs within this domain that are available on ExpressRoute; learn more in the section "Deciding which applications and features route over ExpressRoute."

Note: ExpressRoute for Office 365 currently does not support IPv6. Customers not using ExpressRoute will want to ensure both IP lists below are reachable over the internet.

IPv4 endpoints routable through the Internet only


Email services

To use Exchange Online, including mail retrieval, OWA, Unified Messaging, and so on, you must be able to connect to the endpoints marked required below. If your organization uses Exchange Hybrid, Delve, or is migrating email to Office 365, you'll find the associated endpoints below. All IP addresses entered directly in the Destination IP column are also listed in the IP tables and XML file for your convenience.

Row

These optional and required endpoints are for the following purposes

Destination

CDN

ExpressRoute for Office 365

Destination IP

2

Required: EOP

*.protection.outlook.com

No

Yes

See Exchange Online Protection IP Addresses

TCP 53 & 443

3

Required: Send SMTP email

Existing email environment | N/A

<customer domain-key>.mail.protection.outlook.com

No

Yes

See Exchange Online Protection IP Addresses

TCP 25

4

Required: Receive SMTP email

See Exchange Online Protection IP Addresses | N/A

Existing email environment

No

Yes

See Exchange Online Protection IP Addresses

TCP 25

4

Required: Client SMTP Relay

smtp.office365.com

No

Yes

Exchange Online IP ranges.

TCP 587

5

Required: Exchange Online (including OWA, Outlook, and so on).

outlook.office365.com

*.outlook.office.com

autodiscover-*.outlook.com

No

Yes

Exchange Online IP ranges.

6

Required: Exchange Online (including OWA, Outlook, Autodiscover, and so on).

*.outlook.com

No

No (footnote 4)

Exchange Online IP ranges.

7

Required: Exchange Online (including OWA, Outlook, and so on).

xsi.outlook.com

r1.res.office365.com

r3.res.office365.com

r4.res.office365.com

Akamai

No

N/A

8

Optional: Exchange Online Unified Messaging/SBC integration.

On-premises Session Border Controller

*.um.outlook.com

No

No

65.55.94.0/25    
207.46.198.0/25  
213.199.177.0/26   
157.55.9.128/25  
111.221.66.0/25  
207.46.58.128/25

Any-TCP/UDP

(Bidirectional for inbound, calls, MWI)

9

Optional: Exchange Hybrid Only

Existing Exchange Client Access Servers and Mailbox Servers | Machine account (footnote 1)

outlook.office365.com

*.outlook.office.com

No

Yes

Exchange Online IP ranges.

10

Optional: Exchange Hybrid Co-existence

Exchange Online IP ranges | N/A

Customer on-premise Exchange

No

Yes

Customer IP

11

Optional: Exchange Hybrid Proxy Authentication

Exchange Online IP ranges | N/A

Customer on-premise STS

No

Yes

Customer IP

TCP 443 (+ TCP 49443 for cert based authentication)

12

Optional: Used to configure Exchange Hybrid, using the Exchange Hybrid Configuration Wizard.

Notes: 

  • These endpoints are only required to configure Exchange hybrid. Rows 8-10 describe the ongoing traffic.

  • Existing Exchange service | N/A

*.store.core.windows.net

mshrcstorageprod.blob.core.windows.net

No

Varies (footnote 3)

N/A

domains.live.com (footnote 2)

No

Yes

40.118.209.192/32
168.62.190.41/32

13

Optional: Exchange Online IMAP4 migration

IMAP4 Service | N/A

outlook.office365.com

*.outlook.office.com

No

Yes

Exchange Online IP ranges.

TCP 143/993

14

Optional: Exchange Online POP3 migration

POP3 Service | N/A

outlook.office365.com

*.outlook.office.com

No

Yes

Exchange Online IP ranges.

TCP 995

15

Optional: All other Exchange Online migration tools

Existing Exchange service (EWS or MRS) | N/A

outlook.office365.com

*.outlook.office.com

No

Yes

Exchange Online IP ranges.

1 Keep in mind that machine accounts won’t work with proxies that require outbound authentication.

2 Only required for Exchange 2010 SP3 Hybrid Configuration Wizard.

3 See additional information about supported services over Azure ExpressRoute and the Public peering path.

4 There are specific sub-FQDNs within this domain that are available on ExpressRoute; learn more in the section "Deciding which applications and features route over ExpressRoute."

Note: The wildcard in the second row of the EOP table represents a long list of nodes that are exclusively used for Exchange Online Protection. No other commercial or consumer services use this namespace.

Note: ExpressRoute for Office 365 currently does not support IPv6.

Exchange Online IPv4 endpoints routable through the Internet and ExpressRoute

Exchange Online IPv6 endpoints routable through the Internet only


Skype for Business Online and Microsoft Teams

To use Skype for Business Online, ensure both the FQDN and IP address endpoints listed in the Skype for Business Online tables below are reachable. These tables are updated regularly as Microsoft works to build out its network to increase reliability and performance. Please be sure to subscribe to changes in this documentation to ensure changes are incorporated in your networking configuration.

The IP address endpoints listed in the Skype for Business Online IP addresses include the IPs required for both Skype for Business Online and Teams. If your company also wants to use Microsoft Teams, there is no extra work required as long as you whitelist all the IPs in this section. The FQDN endpoints listed in the Skype for Business Online FQDNs cover only those FQDNs that are required for Skype for Business Online. If your company wants to use Microsoft Teams, you need to add the FQDNs for Microsoft Teams listed in the Microsoft Teams section.

To use Skype for Business Online, you must first enable endpoints for authentication as well as the Office 365 portal and shared service. You must also ensure the endpoints in the Skype for Business Online FQDN and IP Address tables are reachable. To see the IP addresses, expand the IP address section below the table describing the traffic flow. Keep in mind that wildcards represent all possible sub-domains under the root.

Row

Purpose

Source | Credentials

Destination

ExpressRoute for Office 365 BGP Communities

CIDR Address

Port

1

Required: suite-wide services.

see Office 365 required entries for shared services, authentication, and Office Online

2

Required: Skype for Business. Including SIP signaling, Persistent Shared Object Model (PSOM) connections web conferencing, HTTPS downloads, and Call Quality Dashboard

client computer | logged on user

*.lync.com
*.cqd.lync.com
*.infra.lync.com
*.online.lync.com
*.resources.lync.com
*.config.skype.com
*.skypeforbusiness.com
*.pipe.aria.microsoft.com
config.edge.skype.com
pipe.skype.com
s-0001.s-msedge.net
s-0004.s-msedge.net

yes

Skype for Business IP ranges.

TCP 443

3

Required: Audio, Video, & Desktop sharing

client computer | logged on user

*.lync.com

yes

Skype for Business IP ranges.

TCP 443, UDP 3478, 3479, 3480, & 3481

Optional: TCP & UDP 50,000-59,999

4

Required: Lync Mobile push notifications for Lync Mobile 2010 on iOS devices. You don't need this for Android, Nokia Symbian or Windows Phone mobile devices.

client computer | logged on user

*.lync.com

yes

Skype for Business IP ranges.

TCP 5223

5

Required: Skype for Business CDNs

client computer | logged on user

*.azureedge.net
*.sfbassets.com
*.urlp.sfbassets.com
skypemaprdsitus.trafficmanager.net

no

N/A

TCP 80 & 443

6

Required: Skype client quicktips & OWA integration

client computer | logged on user

quicktips.skypeforbusiness.com
swx.cdn.skype.com

no

N/A.

TCP 443

7

Optional: Federation with Skype and public IM connectivity: Contact picture retrieval

client computer | logged on user

*.api.skype.com
*.users.storage.live.com
skypegraph.skype.com

no

SkypeGraph.skype.com IP range information

TCP 443

To use Skype Meeting Broadcast, the following endpoints need to be accessible to client computers.

Row

Purpose

Source | Credentials

Destination

ExpressRoute for Office 365 BGP Communities

CIDR Address

Port

1

Required: Skype for Business endpoints.

see Skype for Business Online and ensure all entries labeled "required" are accessible.

2

Required: Skype Meeting Broadcast presenter and attendee

client computer / logged on user

*.broadcast.skype.com
broadcast.skype.com
browser.pipe.aria.microsoft.com

yes

Skype for Business IP ranges.

TCP 443

3

Required: Skype Meeting Broadcast presenter and attendee

client computer / logged on user

aka.ms
amp.azure.net

no

N/A

TCP 443

4

Required: Skype Meeting Broadcast presenter and attendee (including CDNs)

client computer / logged on user

*.keydelivery.mediaservices.windows.net
*.msecnd.net
*.streaming.mediaservices.windows.net
ajax.aspnetcdn.com
mlccdn.blob.core.windows.net

no

N/A

TCP 443

Note: The wildcard for lync.com and broadcast.skype.com represents a long list of nodes that are exclusively used for Office 365.

Note: ExpressRoute for Office 365 currently does not support IPv6.

Skype for Business Online IPv4 endpoints routable through the Internet and ExpressRoute

Skype for Business Online IPv6 endpoints routable through the Internet only


Wildcards represent regional installations of these services.

Row

Purpose

Source | Credentials

Destination

ExpressRoute for Office 365 BGP Communities

CIDR Address

Port

1

Required: suite-wide services.

See Office 365 required entries for shared services, authentication, and Office Online.

2

Required: Microsoft Teams.

Client or Server / logged on user

*.teams.skype.com
*.teams.microsoft.com
teams.microsoft.com

Yes

Microsoft Teams IP ranges.

TCP 80 & 443

3

Required: Microsoft Teams collaboration

Client or Server / logged on user

*.asm.skype.com
*.cc.skype.com
*.conv.skype.com
*.dc.trouter.io
*.msg.skype.com
prod.registrar.skype.com
prod.tpc.skype.com

Yes

Microsoft Teams IP ranges.

TCP 443

4

Required: Microsoft Teams media

Client or Server / logged on user

These IPs are used by media without explicit FQDN mappings.

Yes

13.107.8.0/24
13.107.64.0/18
52.112.0.0/14
104.44.195.0/24
104.44.200.0/23

TCP 443

UDP 3478-3481

5

Required: Microsoft Teams shared services

Client or Server / logged on user

*.config.skype.com
*.pipe.skype.com
*.pipe.aria.microsoft.com
config.edge.skype.com
pipe.skype.com
s-0001.s-msedge.net
s-0004.s-msedge.net
scsinstrument-ss-us.trafficmanager.net
scsquery-ss-us.trafficmanager.net
scsquery-ss-eu.trafficmanager.net
scsquery-ss-asia.trafficmanager.net

Yes

Microsoft Teams IP ranges.

TCP 443

6

Required: Microsoft Teams shared services

Client or Server / logged on user

*.msedge.net
compass-ssl.microsoft.com
feedback.skype.com

No

N/A

TCP 443

7

Required: Microsoft Teams shared services

Client or Server / logged on user

*.secure.skypeassets.com
mlccdnprod.azureedge.net
videoplayercdn.osi.office.net

No

N/A

TCP 443

8

Optional: Messaging interop with Skype for Business

Client or Server / logged on user

*.lync.com
*.infra.lync.com
*.online.lync.com
*.resources.lync.com
*.skypeforbusiness.com

Yes

Skype for Business IP ranges.

TCP 443

9

Optional: Messaging interop with Skype for Business (including CDNs)

Client or Server / logged on user

*.azureedge.net
*.sfbassets.com
latest-swx.cdn.skype.com
skypemaprdsitus.trafficmanager.net
swx.cdn.skype.com

No

N/A

TCP 443

10

Optional: Skype Graph

Client or Server / logged on user

skypegraph.skype.com

No

SkypeGraph.skype.com IP range information

TCP 443

11

Optional: Microsoft Teams third-party integrations

Client or Server / logged on user

*.giphy.com

No

N/A

TCP 443

Microsoft Teams IPv4 endpoints routable through the Internet and ExpressRoute

Microsoft Teams IPv6 endpoints routable through the Internet only


SharePoint Online and OneDrive for Business

To use SharePoint Online or OneDrive for Business, you must be able to connect to the endpoints marked required below. If your organization uses Exchange Hybrid, Delve, or is migrating email to Office 365, you'll find the associated endpoints below.

Row

These optional and required endpoints are for the following purposes

Destination

CDN

ExpressRoute for Office 365

Destination IP

4

Required: SharePoint Online and associated applications

*.sharepoint.com

<tenant>.sharepoint.com 1

<tenant>-my.sharepoint.com 1

<tenant>-files.sharepoint.com 1

<tenant>-myfiles.sharepoint.com 1

*.svc.ms

No

Yes

SharePoint Online IP Ranges.

5

Required: CDNs for SharePoint Online and associated applications

*.sharepointonline.com

cdn.sharepointonline.com

Static.sharepointonline.com

prod.msocdn.com

spoprod-a.akamaihd.net

publiccdn.sharepointonline.com

privatecdn.sharepointonline.com

Microsoft & Akamai

No

N/A

6

Required: OneDrive for Business admin

admin.onedrive.com

No

No

N/A

7

Required: OneDrive for Business update verification and download

oneclient.sfx.ms

Akamai

No

N/A

8

Required: OneDrive for Business: Determines consumer vs. commercial

https://officeclient.microsoft.com/config16

http://odc.officeapps.live.com/odc/emailhrd

No

No

N/A

9

Required: OneDrive for Business: OAuth login with AAD

login.microsoftonline.com

No

Yes

N/A

10

Required: Client push notification

wns.windows.com

No

No

N/A

11

Optional: OneDrive for Business: supportability and telemetry

ssw.live.com

mobile.pipe.aria.microsoft.com

watson.telemetry.microsoft.com

No

No

N/A

12

Optional: OneDrive for Business: Office integration

nexus.officeapps.live.com

No

No

N/A

13

Optional: APIs to allow users to get help and retrieve logs to diagnose.

storage.live.com/clientLogs

storage.live.com/sendFeedback

No

No

N/A

14

Optional: embedded email links

click.email.microsoftonline.com

No

No

N/A

15

Optional: SharePoint Hybrid Search - Endpoint to SearchContentService where the hybrid crawler feeds documents

The crawler on the on-prem SP authenticates to SCS as the tenant that does the feeding.

*.search.production.us.trafficmanager.net

*.search.production.emea.trafficmanager.net

*.search.production.apac.trafficmanager.net

No

No

N/A

16

Optional: SharePoint Hybrid Search - Endpoint to SearchContentService to successfully authenticate to remote farm with OAuth authentication and authorization. The authorization server in this scenario is Microsoft Azure Access Control Service (ACS).

The Host Controller/Node Runner Account on the on-prem SP server.

accounts.accesscontrol.windows.net

No

No

N/A

17

Optional: SharePoint Hybrid Search - Required for the onboarding script to connect to Office 365 Provisioning Web Services. As part of its execution, the script adds the Office 365 Service Principal ID to the local farm and sets the correct Service Principal Name in Azure AD for the on-premises URL. This ensures that outbound query federation can occur between the Office 365 tenant and the on-premises farm.

Global admin or equivalent credentials on the tenant for which Hybrid Search is being configured

provisioningapi.microsoftonline.com

No

Yes

N/A

1 This FQDN needs to be in your client's IE Trusted Sites Zone for Explorer View to function.

Note: ExpressRoute for Office 365 currently does not support IPv6. Customers not using ExpressRoute will want to ensure both IP lists below are reachable over the internet.

SharePoint Online IPv4 endpoints routable through the Internet and ExpressRoute

SharePoint Online IPv6 endpoints routable through the Internet only


Additional Office 365 services

Row

These optional and required endpoints are for the following purposes

Destination

CDN

ExpressRoute for Office 365

Destination IP

4

Required: Office 365 Video

*.keydelivery.mediaservices.windows.net

*.streaming.mediaservices.windows.net

Azure Media Services

Uses Azure Media Services 1

N/A

5

Required: Office 365 Video

ajax.aspnetcdn.com

Yes

No

N/A

6

Required: Office 365 Video

r3.res.outlook.com

Akamai

No

N/A

7

Required: Office 365 Video

spoprod-a.akamaihd.net

Akamai

No

N/A

8

Required: Microsoft Stream

web.microsoftstream.com

*.cloudapp.net

api.microsoftstream.com

*.api.microsoftstream.com

*.notification.api.microsoftstream.com

https://amp.azure.net/libs/amp/

https://web.localytics.com/v3/localytics.js

https://az416426.vo.msecnd.net/scripts/a/ai.0.js

https://s0.assets-yammer.com/assets/platform_social_buttons.min.js

https://vortex.data.microsoft.com/collect/v1

No

No

N/A

*.streaming.mediaservices.windows.net

Azure Media Services

Uses Azure Media Services 1

9

Required: Microsoft Stream

https://assets.onestore.ms/cdnfiles/external/mwf/long/v1/v1.4.0/css/mwf-{language}-default.min.css

https://amsglob0cdnstream11.azureedge.net

Yes

No

N/A

10

Optional: Microsoft Stream

https://nps.onyx.azure.net

https://cdn.optimizely.com/js/

N/A

No

N/A

1 See additional information about supported services over Azure ExpressRoute and the Public peering path.

Row

These optional and required endpoints are for the following purposes

Destination

CDN

ExpressRoute for Office 365

Destination IP

3

Required: Yammer

*.yammer.com 1

*.yammerusercontent.com 1

No

No

Yammer IP Ranges.

4

Required: Yammer

*.assets-yammer.com 1

Varies

No

N/A

1 This FQDN needs to be in your client's IE Trusted Sites Zone to function.

Note: The wildcard for yammer.com represents a long list of nodes that are exclusively used for Office 365.

Yammer IPv4 endpoints routable through the Internet only

13.107.6.158/31
13.107.9.158/31
40.78.62.210/32
134.170.148.0/22

Row

These optional and required endpoints are for the following purposes

Destination

CDN

ExpressRoute for Office 365

Destination IP

3

Required: Sway

sway.com

www.sway.com

eus-www.sway.com

eus-000.www.sway.com

eus-001.www.sway.com

eus-002.www.sway.com

eus-003.www.sway.com

eus-004.www.sway.com

eus-005.www.sway.com

eus-006.www.sway.com

eus-007.www.sway.com

eus-008.www.sway.com

eus-009.www.sway.com

eus-00a.www.sway.com

eus-00b.www.sway.com

eus-00c.www.sway.com

eus-00d.www.sway.com

eus-00e.www.sway.com

wus-www.sway.com

wus-000.www.sway.com

wus-001.www.sway.com

wus-002.www.sway.com

wus-003.www.sway.com

wus-004.www.sway.com

wus-005.www.sway.com

wus-006.www.sway.com

wus-007.www.sway.com

wus-008.www.sway.com

wus-009.www.sway.com

wus-00a.www.sway.com

wus-00b.www.sway.com

wus-00c.www.sway.com

wus-00d.www.sway.com

wus-00e.www.sway.com

No

No

Sway IP Ranges.

4

Required: Sway

eus-www.sway-cdn.com

wus-www.sway-cdn.com

eus-www.sway-extensions.com

wus-www.sway-extensions.com

Akamai

No

N/A

5

Optional: Sway website analytics

c.microsoft.com

c1.microsoft.com

prod.msocdn.com

www.google-analytics.com

No

No

N/A

6

Optional: Sway third party content

Access to third party content such as Bing, Flickr, and so on.

No

No

N/A

Sway IPv4 endpoints routable through the Internet only


Row

These optional and required endpoints are for the following purposes

Destination

CDN

ExpressRoute for Office 365

Destination IP

3

Required: Planner

tasks.office.com

controls.office.com

cus-000.tasks.osi.office.net

ea-000.tasks.osi.office.net

eus-zzz.tasks.osi.office.net

neu-000.tasks.osi.office.net

sea-000.tasks.osi.office.net

weu-000.tasks.osi.office.net

wus-000.tasks.osi.office.net

No

No

Planner IP Ranges.

6

Required: Planner CDNs

ajax.aspnetcdn.com

prod.msocdn.com

Akamai

No

N/A

Planner IPv4 endpoints routable through the Internet only


Row

Purpose

Source | Credentials

Destination

CDN

ExpressRoute for Office 365

Destination IP

Destination Port

1

Required: Remote Connectivity Analyzer - Initiate connectivity tests.

Web Browser | Logged on user

testconnectivity.microsoft.com

No

No

TCP 80 & 443

2

Required: Remote Connectivity Analyzer - Captcha & support services

Web Browser | Logged on user

client.hip.live.com

wu.client.hip.live.com

support.microsoft.com

No

No

N/A

TCP 80 & 443

3

Required: Remote Connectivity Analyzer - Execution of the tests selected by the customer.

testconnectivity.microsoft.com | Provided by customer on the testconnectivity website

On-premises systems for email and collaboration.

No

No

Customer IP ranges

80, 443, 25, POP3 on (110, 995, or Custom), IMAP4 on (143, 993, or Custom)

4

Required: Certificate revocation lists

Web Browser | Logged on user

See well known certificate root CRLs.

No

No

N/A

TCP 80 & 443

5

Required: Microsoft Support and Recover Assistant for Office 365 - Validate single sign-on user credentials.

o365diagnosticsbasic-eus.cloudapp.net (104.211.54.99)

o365diagnosticworker-eus.cloudapp.net (104.211.54.134)

On-premises STS

No

No

Customer IP ranges

Customer configurable. Typically TCP 443

Office clients

Office clients include both desktop and mobile clients. The online endpoints these applications use to improve the product experience are detailed below.

To understand Office 2016 for Mac endpoint requirements, refer to our reference article Network requests in Office 2016 for Mac.

To understand Office client network requests, including Office 365 ProPlus, Office 2016 for Windows, Outlook App for iOS and Windows, and OneNote, refer to the article Network requests in Office 365 ProPlus.

Here’s a short link you can use to come back: https://aka.ms/o365endpoints

Related Topics

Network connectivity to Office 365
Managing Office 365 endpoints
Troubleshooting Office 365 connectivity
Client connectivity
Content delivery networks
