Managing Office 365 endpoints

Some networks are designed to restrict access to the internet. To ensure that computers on such networks can still reach Office 365, network and proxy administrators need to manage the list of FQDNs, URLs, and IP addresses that make up the Office 365 endpoints. These need to be added to proxy or firewall rules and PAC files so that network requests can reach Office 365.

When you make a connection from one computer to another, the computer requesting the connection needs two pieces of information, the address and the port. The address might be an IPv4 or IPv6 formatted network address and the port is typically a TCP or UDP port. The combination of address and port are referred to as the endpoint. Your client software automatically looks up these endpoints using pre-programmed information, public Domain Name Services (DNS), and information you've configured. When the request is made, it must leave your network and reach the Microsoft network without anything getting in the way. Some customers have configured their network to scan, filter, or block outbound network requests like these. The remainder of this article is focused on our recommendations for those customers who need to change their configuration to allow client computers to reach the Office 365 endpoints.

Bypassing a proxy or intermediary device means sending some network requests through an intermediary device, such as a proxy, while other network requests bypass the proxy and are sent directly through a firewall.

Allow list maintenance means keeping the allow lists that permit inbound and outbound traffic through a firewall up to date with the latest set of endpoints published by Microsoft. It applies to you if you need to add Office 365 endpoints to an allow list on your firewall or proxy.

The Office 365 endpoints are not designed to be used in the following ways.

  • Determine tenant placement. Specific datacenter placement is determined by a variety of factors including sovereignty requirements, place of business, availability, and so on.

  • Determine peering locations. The Office 365 endpoints are a small subset of the global Microsoft network. There are other articles that help you understand peering with Microsoft.

  • Build a list of accepted routes available on your ExpressRoute circuit. Use the full set of Microsoft’s IP ranges to determine the ranges owned by Microsoft or BGP communities to filter for specific Office 365 services.

  • Build a service or application that relies on the endpoints without human intervention. All automation should include validation by experienced professionals.

Caution: We don’t recommend using the Office 365 IP addresses to determine which routes are accepted over ExpressRoute. Use the full set of Microsoft’s IP ranges instead.

Update 12/8/2016: Expect changes three business days prior to the last business day of the month. Earlier this month we had two changes outside of the normal course of business, a new release for Microsoft Teams and an emergency change for Exchange Online Protection. These remain outside of the course of business and you should expect updates to continue publishing on the monthly cadence for normal changes.

Bypass a proxy or intermediary device

If your network is designed around two destination paradigms, the internet and the internal network, your egress infrastructure may not be optimal for adding a third, trusted SaaS network destination. The following solution demonstrates the practice of directing Office 365 network requests for proxy bypass or ExpressRoute decisions. Your network analysis will determine whether you should override your default routing configuration to direct some network requests to a proxy or to bypass a proxy or intermediary device.

  1. Use a PAC file to determine what network traffic will be sent to a proxy and which will be sent to a firewall.

    • A PAC file is a JavaScript construct that tells the browser where to send URL requests.

    • If you’re new to PAC files, read this post about deploying PAC files from one of our Office 365 consultants.

  2. Use the Office 365 endpoints to build your PAC file. See the example files below or use the tool built by a member of the Office 365 community. Here are the instructions and the download.

  3. Use your network analysis to determine which network requests should bypass your proxy infrastructure. The FQDNs most commonly configured to bypass customer proxies are the following, because of the volume of network traffic sent to and received from these endpoints.

    • outlook.office365.com

    • outlook.office.com

    • <tenant-name>.sharepoint.com

    • <tenant-name>-my.sharepoint.com

    • <tenant-name>-<app>.sharepoint.com

    • *.Lync.com

  4. Ensure any network requests being sent to your firewall directly have a corresponding entry in the firewall allow list to allow the request to go through.

  5. If you use a tool to generate a PAC file, you can schedule the tool to run and direct its output to a network location, then point a group policy or WPAD (Web Proxy Auto-Discovery Protocol) discovery at this output.

Note: If you’re using a PAC file to send network requests to ExpressRoute advertised endpoints direct and everything else through a proxy, read the section Deciding which applications and features route over ExpressRoute for additional information.
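A PAC file is code, and the order of its rules decides where traffic goes, so it is worth checking its decisions before it is pushed out by group policy or WPAD. The following Node.js script is an added example, not code from this article or from Microsoft. It re-implements the PAC helper functions shExpMatch() and isPlainHostName() that a browser normally supplies, builds a small FindProxyForURL() from the bypass list above (tenant name "contoso" is a placeholder; the proxy address 10.10.10.10:8080 is the one used in the article's PAC examples), and checks a constructed table of hosts against the decisions you expect. The *.infra.lync.com exception placed ahead of the *.lync.com wildcard shows why exceptions have to come first: a wildcard rule placed above its exception would swallow it.

```javascript
// Added example: offline check of PAC routing decisions before deployment.
// shExpMatch() and isPlainHostName() are normally provided by the browser's
// PAC engine; they are re-implemented here so the logic can run under Node.
// "contoso" and the test hosts below are constructed placeholders.

// PAC shExpMatch(): "*" matches any run of characters, "?" one character,
// everything else is literal. PAC host matching is case-insensitive.
function shExpMatch(str, shexp) {
  const re = shexp
    .split('')
    .map((ch) =>
      ch === '*' ? '.*' : ch === '?' ? '.' : ch.replace(/[.+^${}()|[\]\\]/g, '\\$&')
    )
    .join('');
  return new RegExp('^' + re + '$', 'i').test(str);
}

// PAC isPlainHostName(): true when the host name contains no dots.
function isPlainHostName(host) {
  return host.indexOf('.') === -1;
}

// Compact PAC function built from the bypass list in this article.
function FindProxyForURL(url, host) {
  const proxyserver = 'PROXY 10.10.10.10:8080';
  host = host.toLowerCase();

  // Exception that must be evaluated before the "*.lync.com" wildcard.
  if (shExpMatch(host, '*.infra.lync.com')) {
    return proxyserver;
  }

  // High-volume Office 365 endpoints sent straight to the firewall.
  if (
    isPlainHostName(host) ||
    shExpMatch(host, 'outlook.office365.com') ||
    shExpMatch(host, 'outlook.office.com') ||
    shExpMatch(host, 'contoso.sharepoint.com') ||
    shExpMatch(host, 'contoso-my.sharepoint.com') ||
    shExpMatch(host, 'contoso-*.sharepoint.com') ||
    shExpMatch(host, '*.lync.com')
  ) {
    return 'DIRECT';
  }

  // Everything else goes through the proxy.
  return proxyserver;
}

// Runs each [host, expectedDecision] pair through FindProxyForURL and
// returns the pairs whose actual decision differs (empty array = all good).
function checkPacDecisions(cases) {
  const failures = [];
  for (const [host, expected] of cases) {
    const actual = FindProxyForURL('https://' + host + '/', host);
    if (actual !== expected) {
      failures.push({ host, expected, actual });
    }
  }
  return failures;
}

// Constructed test table: hosts from the bypass list plus edge cases.
const SAMPLE_CASES = [
  ['outlook.office365.com', 'DIRECT'],
  ['Outlook.Office.com', 'DIRECT'],                       // case-insensitive
  ['contoso.sharepoint.com', 'DIRECT'],
  ['contoso-my.sharepoint.com', 'DIRECT'],
  ['contoso-admin.sharepoint.com', 'DIRECT'],
  ['webdir.online.lync.com', 'DIRECT'],
  ['webdir0a.infra.lync.com', 'PROXY 10.10.10.10:8080'],  // exception wins
  ['fabrikam.sharepoint.com', 'PROXY 10.10.10.10:8080'],  // another tenant
  ['www.example.com', 'PROXY 10.10.10.10:8080'],
  ['intranet', 'DIRECT'],                                  // plain host name
];

if (typeof require !== 'undefined' && require.main === module) {
  const failures = checkPacDecisions(SAMPLE_CASES);
  console.log(failures.length === 0 ? 'all PAC decisions as expected' : failures);
}
```

To test a real PAC file rather than the inline one, paste its FindProxyForURL() in place of the one above and extend the table with the hosts your network analysis identified; any non-empty result from checkPacDecisions() is a rule-ordering or pattern problem to fix before deployment.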

Allow list maintenance

If your policy for trusted SaaS offerings such as Office 365 includes implementing allow lists on your firewall or other device, this scenario walks through that process. If you’re building a new set of allow lists, it’s important to use the HTML based website to review the purpose of each endpoint in the context of the services you’re using. It is also important to use the FQDNs where possible.

If you’re performing ongoing maintenance, the RSS feed provides both a change history and a notification mechanism for when changes are coming. Either the RSS feed or XML file are going to provide the operational information you need for most changes.

  1. Determine which services your organization is going to use and which endpoints are associated with those services.

    • The endpoints marked required are needed to use the core features of the service.

    • The endpoints marked optional are associated with features that some customers use on top of the basic features.

  2. Use FQDNs where possible to reduce the overhead of maintaining ongoing IP address changes.

  3. Recognize that all services require the use of some third-party services for which an IP address is unavailable, including:

    • Public DNS providers

    • Certificate Revocation Lists

    • Content Delivery Networks

  4. Automate your process by using a firewall that parses the XML file and includes all of the endpoints or use the Azure Range tool that has been built by the community and parses the XML for you with export options for Cisco XE Route or ACL list configuration, plain text, or CSV.

Note: If you see network traffic associated with Office 365 destined for a Microsoft-owned IP address that is not on the Office 365 endpoints list, it is likely a shared content delivery network or similar service. Refer to the related articles for more information on the IP addresses Microsoft uses.

Further reading

Determining the endpoints you'll need to access can be daunting when looking at the hundreds of FQDNs and IP ranges that make up the entire Office 365 suite. If you're not going to use one of the automated solutions mentioned above, the following sections will help you understand what all the columns and rows mean in the Office 365 endpoint article and will give you example PAC files that you can use or modify for your organization.

We regularly add new features and services to the Office 365 suite, expanding the connectivity landscape. If you’re subscribed to the E3 or E5 SKU, the simple way to think about the list of endpoints is that you need all of them to get full functionality for the suite. If you aren’t subscribed to either of these SKUs the difference is minimal in terms of the number of endpoints.

In the image below you can see an example from a portion of the FQDN table in the Office Online section. The rows are organized by feature and differences in connectivity. The first two rows indicate Office Online relies on the endpoints marked Required in the Office 365 Authentication and Identity and portal and shared sections. This is typical for a service within Office 365 to rely on these shared services. The third row indicates client computers must be able to reach *.officeapps.live.com to use Office Online and the fourth row indicates computers must also be able to reach *.cdn.office.net to use Office Online.

Even though both row three and four are required to use Office Online, they’ve been separated to indicate the destination is different:

  1. *.officeapps.live.com does not represent a CDN, meaning requests to this namespace will go directly to a Microsoft datacenter.

  2. *.officeapps.live.com is accessible on ExpressRoute circuits using Microsoft Peering.

  3. The IP addresses associated with Office Online and *.officeapps.live.com can be found by following this link.

  4. *.cdn.office.net represents a CDN hosted by Akamai, meaning requests to this namespace will go to an Akamai datacenter.

  5. *.cdn.office.net is not accessible on ExpressRoute circuits.

  6. The IP addresses associated with Office Online and *.cdn.office.net are not available.

(Screen capture of the endpoints page.)

After you subscribe to the RSS feed, you can parse the information yourself or with a script. The following table describes the format of each RSS feed entry to make that easier.

Each entry has five parts. For each part, the description is followed by the example form it takes in the feed.

  • Part 1 - Count. Example: 1/

  • Part 2 - Date after which you can expect network requests to be sent to the endpoint. Example: [Effective xx/xx/xxx.

  • Part 3 - Basic description of the feature or service that requires the endpoint. Example: Required: <description>.

  • Part 4 - Can you connect to this endpoint on an ExpressRoute circuit in addition to the internet? Yes - you can connect to this endpoint on both the internet and ExpressRoute. No - you can only connect to this endpoint on the internet. Example: ExpressRoute: <Yes/No>.

  • Part 5 - The destination FQDN or IP range being added or removed. Example: <FQDN/IP>],

Put together, a single entry therefore looks like: 1/[Effective xx/xx/xxx. Required: <description>. ExpressRoute: <Yes/No>. <FQDN/IP>],

A couple other things to note, every entry has a common set of delimiters:

  • / - after the count

  • [ - to indicate the entry for the count

  • . - used in between each distinct section of the entry

  • ], - to indicate the end of a single entry

  • ]. - to indicate the end of all the entries

The following examples are designed to help you in constructing a PAC file of your own. These two have been created using the current list of Office 365 endpoints. The first example demonstrates sending network requests that are not supported over ExpressRoute to a proxy infrastructure and sending network requests that are supported over ExpressRoute directly to the circuit.

Code snippet:

//November 2016 Update - Consolidated FQDNs required to access Office 365 via ExpressRoute. All other traffic sent to a proxy in this example
//Every effort is made to ensure 100% accuracy but this PAC should be used as an example and cross-checked with your needs and the Office 365 URL & IP page

function FindProxyForURL(url, host)
{
    // Define proxy server
    var proxyserver = "PROXY 10.10.10.10:8080";
    // Make host lowercase
    var lhost = host.toLowerCase();
    host = lhost;
    // Sub-FQDNs of ExpressRoutable wildcards which need to be explicitly sent to the proxy at the top of the PAC because they aren't ER routable
    if ((shExpMatch(host, "*.click.email.microsoftonline.com"))
        || (shExpMatch(host, "*.portal.microsoftonline.com"))
        || (shExpMatch(host, "*.infra.lync.com"))
        || (shExpMatch(host, "provisioningapi.microsoftonline.com")))
    {
        return proxyserver;
    }
    // EXPRESS ROUTE DIRECT
    else if ((isPlainHostName(host))
        || (shExpMatch(host, "*broadcast.officeapps.live.com"))
        || (shExpMatch(host, "*.domains.live.com"))
        || (shExpMatch(host, "*excel.officeapps.live.com"))
        || (shExpMatch(host, "*.lync.com"))
        || (shExpMatch(host, "*.microsoftonline.com"))
        || (shExpMatch(host, "*onenote.officeapps.live.com"))
        || (shExpMatch(host, "*.outlook.office.com"))
        || (shExpMatch(host, "*powerpoint.officeapps.live.com"))
        || (shExpMatch(host, "*.protection.outlook.com"))
        || (shExpMatch(host, "*.sharepoint.com"))
        || (shExpMatch(host, "*.sharepoint-mil.us"))
        || (shExpMatch(host, "*.svc.ms"))
        || (shExpMatch(host, "*view.officeapps.live.com"))
        || (shExpMatch(host, "*visio.officeapps.live.com"))
        || (shExpMatch(host, "*word-view.officeapps.live.com"))
        || (shExpMatch(host, "*word-edit.officeapps.live.com"))
        || (shExpMatch(host, "*autodiscover-*.outlook.com"))
        || (shExpMatch(host, "a.config.skype.com"))
        || (shExpMatch(host, "b.config.skype.com"))
        || (shExpMatch(host, "accounts.office.net"))
        || (shExpMatch(host, "accountservices.microsoftonline-p.net"))
        || (shExpMatch(host, "agent.office.net"))
        || (shExpMatch(host, "clientconfig.microsoftonline-p.net"))
        || (shExpMatch(host, "config.edge.skype.com"))
        || (shExpMatch(host, "delve.office.com"))
        || (shExpMatch(host, "domains.live.com"))
        || (shExpMatch(host, "hip.microsoftonline-p.net"))
        || (shExpMatch(host, "home.office.com"))
        || (shExpMatch(host, "login.microsoftonline-p.net"))
        || (shExpMatch(host, "login.windows.net"))
        || (shExpMatch(host, "login.microsoft.com"))
        || (shExpMatch(host, "nexus.microsoftonline-p.net"))
        || (shExpMatch(host, "outlook.office365.com"))
        || (shExpMatch(host, "portal.office.com"))
        || (shExpMatch(host, "smtp.office365.com"))
        || (shExpMatch(host, "www.outlook.com"))
        || (shExpMatch(host, "www.office.com")))
    {
        return "DIRECT";
    }

    // If Azure public peering is available the following can be added to the ExpressRoute section above and sent direct via ER. If not, these can be sent via the internet, i.e. delete them from the PAC file.
    //*.streaming.mediaservices.windows.net
    //*.keydelivery.mediaservices.windows.net
    //office365servicehealthcommunications.cloudapp.net
    //protection.office.com
    //*.blob.core.windows.net
    //office365zoom.cloudapp.net
    //equivioprod*.cloudapp.net
    //zoom-cs-prod*.cloudapp.net
    //equivio.office.com
    //compliance.outlook.com
    //management.azure.com
    //*.queue.core.windows.net
    //*.servicebus.windows.net - Port: 5671 (If 5671 is blocked, agent falls back to 443, but using 5671 is recommended.)
    //*.adhybridhealth.azure.com
    //*.table.core.windows.net
    //policykeyservice.dc.ad.msft.net
    //secure.aadcdn.microsoftonline-p.com
    //hybridconfiguration.azurewebsites.net
    //*.hybridconfiguration.azurewebsites.net
    //mshrcstorageprod.blob.core.windows.net

    // Catchall for all other traffic to proxy
    else
    {
        return proxyserver;
    }
}

The second example demonstrates sending all network requests not associated with a published IP address to a proxy infrastructure and sending all network requests where the destination includes a published IP address directly to the Microsoft network.

Code snippet:

//November 2016 Update - Consolidated FQDNs required to access Office 365 - All services including optional components covered and elements covered under wildcards removed. 
//Includes Core ProPlus URLs but not Office Mobile/IPAD/IOS/ANDROID fqdns from https://support.office.com/en-gb/article/Network-requests-in-Office-365-ProPlus-eb73fcd1-ca88-4d02-a74b-2dd3a9f3364d
//Every effort is made to ensure 100% accuracy but this PAC should be used as an example and cross-checked with your needs and the Office 365 URL & IP page


function FindProxyForURL(url, host)
{
    // Define proxy server
    var proxyserver = "PROXY 10.10.10.10:8080";
    // Make host lowercase
    var lhost = host.toLowerCase();
    host = lhost;

    if ((shExpMatch(host, "*.adhybridhealth.azure.com"))
        || (shExpMatch(host, "*.api.skype.com"))
        || (shExpMatch(host, "*.asm.skype.com"))     
        || (shExpMatch(host, "*.assets-yammer.com"))     
        || (shExpMatch(host, "*broadcast.officeapps.live.com"))                      
        || (shExpMatch(host, "*.broadcast.skype.com"))
        || (shExpMatch(host, "*.cc.skype.com")) 
        || (shExpMatch(host, "*.cdn.skype.com")) 	
        || (shExpMatch(host, "*.cloudfront.net"))
        || (shExpMatch(host, "*.config.skype.com")) 
        || (shExpMatch(host, "*.conv.skype.com"))
        || (shExpMatch(host, "*.dps.mil"))  
        || (shExpMatch(host, "*excel.officeapps.live.com"))	
        || (shExpMatch(host, "*.feedback.skype.com")) 	
        || (shExpMatch(host, "*.giphy.com")) 			
        || (shExpMatch(host, "*.hybridconfiguration.azurewebsites.net"))				
        || (shExpMatch(host, "*.live.com"))	
        || (shExpMatch(host, "*.lync.com"))
        || (shExpMatch(host, "*.microsoft.com"))				
        || (shExpMatch(host, "*.microsoftonline.com"))
        || (shExpMatch(host, "*.microsoftonline-p.com"))	
        || (shExpMatch(host, "*.microsoftonline-p.net"))
        || (shExpMatch(host, "*.msecnd.net"))	
        || (shExpMatch(host, "*.msedge.net"))
        || (shExpMatch(host, "*.msg.skype.com")) 					
        || (shExpMatch(host, "*.msocdn.com"))				
        || (shExpMatch(host, "*.office365.com"))
        || (shExpMatch(host, "*onenote.officeapps.live.com"))	
        || (shExpMatch(host, "*.onmicrosoft.com"))
        || (shExpMatch(host, "*.office.com"))	
        || (shExpMatch(host, "*.office.net"))	
        || (shExpMatch(host, "*.onenote.com"))				
        || (shExpMatch(host, "*.outlook.com"))	
        || (shExpMatch(host, "*.pipe.skype.com")) 			
        || (shExpMatch(host, "*.portal.cloudappsecurity.com"))
        || (shExpMatch(host, "*powerpoint.officeapps.live.com"))
        || (shExpMatch(host, "*.trouter.io")) 
        || (shExpMatch(host, "*.search.production.us.trafficmanager.net"))
        || (shExpMatch(host, "*.search.production.emea.trafficmanager.net"))
        || (shExpMatch(host, "*.search.production.apac.trafficmanager.net"))
        || (shExpMatch(host, "*.search.msit.us.trafficmanager.net"))
        || (shExpMatch(host, "*.sharepointonline.com"))
        || (shExpMatch(host, "*.sharepoint.com"))
        || (shExpMatch(host, "*.sharepoint-mil.us"))	
        || (shExpMatch(host, "*.sway.com"))
        || (shExpMatch(host, "*.teams.skype.com"))
        || (shExpMatch(host, "*visio.officeapps.live.com"))	 				
        || (shExpMatch(host, "*.windows.net"))	
        || (shExpMatch(host, "*word-edit.officeapps.live.com"))	
        || (shExpMatch(host, "*word-view.officeapps.live.com"))	
        || (shExpMatch(host, "*.yammer.com"))	
        || (shExpMatch(host, "*.yammerusercontent.com"))        
        || (shExpMatch(host, "account.activedirectory.windowsazure.com"))
        || (shExpMatch(host, "ad.atdmt.com"))
        || (shExpMatch(host, "ajax.googleapis.com"))
        || (shExpMatch(host, "aka.ms"))	
        || (shExpMatch(host, "ajax.aspnetcdn.com"))
        || (shExpMatch(host, "amp.azure.net"))	
        || (shExpMatch(host, "apis.live.net"))
        || (shExpMatch(host, "assets.onestore.ms"))
        || (shExpMatch(host, "auth.gfx.ms"))
        || (shExpMatch(host, "a.config.skype.com"))
        || (shExpMatch(host, "b.config.skype.com"))
        || (shExpMatch(host, "cdn.onenote.net"))
        || (shExpMatch(host, "cdn.optimizely.com"))
        || (shExpMatch(host, "config.edge.skype.com"))
        || (shExpMatch(host, "connect.facebook.net"))	
        || (shExpMatch(host, "dc.services.visualstudio.com"))	
        || (shExpMatch(host, "equivioprod*.cloudapp.net"))  
        || (shExpMatch(host, "emails.teams.skype.net"))	
        || (shExpMatch(host, "eus-www.sway-cdn.com"))	
        || (shExpMatch(host, "eus-www.sway-extensions.com"))
        || (shExpMatch(host, "firstpartyapps.oaspapps.com"))	
        || (shExpMatch(host, "graph.skype.com"))
        || (shExpMatch(host, "liverdcxstorage.blob.core.windowsazure.com"))					
        || (shExpMatch(host, "management.azure.com"))
        || (shExpMatch(host, "mem.gfx.ms"))
        || (shExpMatch(host, "nexus.officeapps.live.com"))
        || (shExpMatch(host, "nexusrules.officeapps.live.com"))
        || (shExpMatch(host, "odc.officeapps.live.com"))
        || (shExpMatch(host, "office365servicehealthcommunications.cloudapp.net"))	
        || (shExpMatch(host, "office365zoom.cloudapp.net"))
        || (shExpMatch(host, "officecdn.microsoft.com.edgesuite.net"))
        || (shExpMatch(host, "officecdn.microsoft.com.edgekey.net"))
        || (shExpMatch(host, "oneclient.sfx.ms"))
        || (shExpMatch(host, "pipe.skype.com"))	
        || (shExpMatch(host, "platform.linkedin.com"))										
        || (shExpMatch(host, "policykeyservice.dc.ad.msft.net"))
        || (shExpMatch(host, "prod.firstpartyapps.oaspapps.com.akadns.net"))				
        || (shExpMatch(host, "prod.registrar.skype.com")) 
        || (shExpMatch(host, "prod.tpc.skype.com")) 
        || (shExpMatch(host, "quicktips.skypeforbusiness.com"))
        || (shExpMatch(host, "s.ytimg.com"))
        || (shExpMatch(host, "s-0001.s-msedge.net")) 
        || (shExpMatch(host, "s-0002.s-msedge.net")) 
        || (shExpMatch(host, "scsquery-ss-us.trafficmanager.net")) 
        || (shExpMatch(host, "scsquery-ss-eu.trafficmanager.net")) 
        || (shExpMatch(host, "scsquery-ss-asia.trafficmanager.net")) 
        || (shExpMatch(host, "skypemaprdsitus.trafficmanager.net"))
        || (shExpMatch(host, "spoprod-a.akamaihd.net"))				
        || (shExpMatch(host, "swx.cdn.skype.com"))			
        || (shExpMatch(host, "telemetry.remoteapp.windowsazure.com"))	
        || (shExpMatch(host, "telemetryservice.firstpartyapps.oaspapps.com"))
        || (shExpMatch(host, "wus-www.sway-cdn.com"))						
        || (shExpMatch(host, "wus-www.sway-extensions.com"))
        || (shExpMatch(host, "wns.windows.com"))
        || (shExpMatch(host, "wus-firstpartyapps.oaspapps.com"))
        || (shExpMatch(host, "www.onedrive.com"))
        || (shExpMatch(host, "www.google-analytics.com"))
        || (shExpMatch(host, "www.remoteapp.windowsazure.com"))
        || (shExpMatch(host, "zoom-cs-prod*.cloudapp.net")))
    {
        return proxyserver;
    }

    // Catchall for all other traffic to another proxy
    else
    {
        return "PROXY 10.10.10.11:8080";
    }
}

If the recommended solutions above don't fit your needs, there are a few more tools you can use to customize your own configuration. The XML file can be parsed by a variety of methods; a simple comparison against the last version of the file will give you the net changes to make. It's important to note that all additions and removals have an effective date that is usually 30+ days after the publishing date.
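The comparison against the previous version of the file can be scripted once the XML has been reduced to a list of destinations. The following Node.js code is an added example, not code from this article or from Microsoft, and it assumes your XML parser hands it two plain arrays of destination strings (the two lists below are constructed sample data, with documentation IP ranges rather than real Office 365 endpoints). It computes the additions and removals, flags additions that a "*.suffix" wildcard already on the list covers (no new rule is needed on a device that supports wildcards, which is the point of preferring FQDNs), and renders the result as review-ready lines. The effective date for each change comes from the feed entry, not from this comparison, so it is left to the scheduling step.

```javascript
// Added example: net allow-list change between two versions of the
// endpoint list. PREVIOUS_LIST and CURRENT_LIST are constructed sample data.

const PREVIOUS_LIST = [
  '*.sharepoint.com',
  'outlook.office365.com',
  'legacy.example-feature.office.net', // constructed: dropped in the new version
  '192.0.2.0/24',                      // documentation range, not a real endpoint
];

const CURRENT_LIST = [
  '*.sharepoint.com',
  'outlook.office365.com',
  'contoso-admin.sharepoint.com',      // constructed: already under *.sharepoint.com
  '192.0.2.0/24',
  '198.51.100.0/25',                   // documentation range: a genuinely new rule
];

// True when fqdn falls under one of the "*.suffix" wildcard patterns.
// The bare suffix itself ("sharepoint.com") is not covered by "*.sharepoint.com".
function coveredByWildcard(fqdn, patterns) {
  return patterns.some(
    (p) => p.startsWith('*.') && fqdn !== p && fqdn.endsWith(p.slice(1))
  );
}

// Returns { additions: [{destination, redundant}], removals: [destination] }.
function netChanges(previous, current) {
  const prevSet = new Set(previous);
  const currSet = new Set(current);
  const wildcards = current.filter((d) => d.startsWith('*.'));

  const additions = current
    .filter((d) => !prevSet.has(d))
    .map((d) => ({ destination: d, redundant: coveredByWildcard(d, wildcards) }));
  const removals = previous.filter((d) => !currSet.has(d));

  return { additions, removals };
}

// Sorted, human-reviewable lines; redundant additions are omitted because
// the existing wildcard rule already admits them.
function renderChangeSet(changes) {
  const lines = [];
  for (const a of changes.additions) {
    if (!a.redundant) lines.push('ADD    ' + a.destination);
  }
  for (const r of changes.removals) {
    lines.push('REMOVE ' + r);
  }
  return lines.sort();
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderChangeSet(netChanges(PREVIOUS_LIST, CURRENT_LIST)).join('\n'));
}
```

Keep the redundancy check in mind in the other direction too: removing a wildcard from the list silently removes every host under it, so a REMOVE line for a "*." pattern deserves a closer look than one for a single FQDN.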

Several community members have built tools that you can leverage to build a custom solution. None of the community tools referenced in this article are officially supported or maintained by Microsoft and are provided here for your convenience.

See Also

Microsoft Dynamics CRM Online IP Address Ranges

Microsoft Azure Datacenter IP Ranges

Microsoft Public IP Space

Network infrastructure requirements for Microsoft Intune

Power BI and ExpressRoute

Office 365 URLs and IP address ranges

Troubleshooting Office 365 connectivity

Managing ExpressRoute for Office 365 connectivity
