Office 365 Germany endpoints

Summary   : If your organization uses Office 365 and restricts computers on your network from connecting to the Internet, below you'll find the endpoints (FQDNs, Ports, URLs, IPv4, and IPv6 address ranges) that you should include in your outbound allow lists to ensure your computers can successfully use Office 365.

Office 365 endpoints: Worldwide | Office 365 operated by 21 Vianet | US Government Defense | Office 365 Germany

Last updated: 1/24/2017

Office 365 requires internet connectivity from every computer connecting to the service.

If you're configuring access from your network to Office 365, managing Office 365 endpoints describes how to manage your firewall and proxy settings with scripts and sample PAC files.

If you're troubleshooting access to Office 365, troubleshooting Office 365 connectivity describes how to troubleshoot endpoints found in your network traces or firewall logs.

Content delivery networks and client connectivity offer more insight into how clients connect to Office 365 and how standard internet services are incorporated.

Warning: IP addresses filtering alone isn’t a complete solution due to dependencies on internet based services such as Domain Name Services, Content Delivery Networks (CDNs), Certificate Revocation Lists, and other third party or dynamic services. These dependencies include dependencies on other Microsoft services such as the Azure Content Delivery Network and will result in network traces or firewall logs indicating connections to IP addresses owned by third parties or Microsoft but not listed on this page. These unlisted IP addresses, whether from third party or Microsoft owned CDN and DNS services are dynamically assigned and can change at any time.

  • Some clients such as the Office 365 admin portal or Outlook Web App won’t be able to authenticate without contacting CDNs.

  • CDN, CRL, and other partners don't publish IP addresses.

  • New Office 365 infrastructure won’t become instantly available to client computers.

  • Some firewall providers and security policies don't allow for wildcards.

  • Updates will be required as frequently as weekly for both planned and emergency changes.

  • Future non-web based clients may not be able to authenticate.

Tip: If IP address filtering is your only option at the firewall, an automatic proxy configuration file can be used to route the destinations marked below as CDNs through an alternate path, such as through an outbound proxy. See the Routing office 365 traffic over the internet and ExpressRoute scenario in the article Routing with ExpressRoute for Office 365 for help with more complex routing configurations.

Every Office 365 service requires the endpoints in the Office 365 portal and shared as well as the Office 365 authentication and identity to function. Beyond that you'll need to select the services you've deployed or plan to deploy in your organization and filter accordingly. If you've fully adopted all Office 365 services in your organization, the entries from every service section below are required. If not, use these links to get to just the services your organization has adopted. The FQDNs and IP addresses tables are collapsed to improve navigation, you'll need to expand the sections to see the tables.

Changes for each Office 365 service are combined and published at the end of each month. Occasionally emergency changes will occur outside of the end of month publishing. Expect changes three business days prior to the last business day of the month. Some of our services do overlap with one another and you will notice the overlap or duplication in the lists of endpoints. There is also some domain name overlapping with our consumer services; while the root domain name is the same, Office 365 operates from a separate sub-domain. If you’re going to add IP addresses to your allow lists, keep in mind that IPv6 is optional and not required. We provide it here for customers who wish to use IPv6.

There's a lot of information on this page, can we present it to you in a simpler way?

Please consider voicing your thoughts at the bottom of this page, under the heading Was this information helpful? Click yes or no and enter detailed feedback. The more feedback we get from you the easier it will be for us to improve the page.

Service

IPv4 addresses

IPv6 addresses

Destination FQDNs

Endpoint resides in a Microsoft German cloud datacenter?

Destination Ports

Portal and shared

51.4.71.0/24
51.5.71.0/24
51.4.70.0/24
51.5.70.0/24
51.4.70.0/24
51.5.70.0/24
51.4.230.178/32
51.5.147.48/32

N/A

*.onmicrosoft.de

portal.office.de

*.osi.office.de

Yes

TCP 80 & 443

agent.office.de

commerceapi.office.de

clientlog.portal.office.de

videoplayer.osi.office.net

<guid>.cloudfront.net

prod.msocdn.de

No

Portal and shared DNS

N/A

N/A

*.office.de.akadns.net

*.windows.de.nsatc.net

*.de.msods.nsatc.net

No

TCP 80 & 443

Certificate services

N/A

N/A

*.d-trust.net

No

TCP 80 & 443

(Back Home)

Service

IPv4 addresses

IPv6 addresses

Destination FQDNs

Endpoint resides in a Microsoft German cloud datacenter?

Destination Ports

Office 365 authentication and identity

51.4.70.0/24
51.5.70.0/24
51.4.136.0/24
51.5.136.0/24
51.4.144.0/24
51.5.144.0/24

N/A

sts.cloudapi.de

login.cloudapi.de

accesscontrol.cloudapi.de

logincert.microsoftonline.de

graph.cloudapi.de

pas.cloudapi.de

passwordreset.activedirectory.microsoftazure.de

companymanager.microsoftonline.de

becws.microsoftonline.de

directoryProvisioning.cloudapi.de

syncservice.microsoftonline.de

adminwebservice.microsoftonline.de

provisioningapi.microsoftonline.de

adminwebservice.microsoftonline.de

provisioningapi.microsoftonline.de

login.microsoftonline.de

device.login.microsoftonline.de

msoid.<tenantdomain>

Yes

TCP 80 & 443

*.cloudapi.de

*.azurecloudapp.de

*.windows.de

microsoftonline.de

decloudapi.net

decloudapp.net

decloudapi.de

windowsazure.de

Yes

Office 365 authentication and identity CDNs

N/A

N/A

secure.aadcdn.microsoftonline-p.com

No

TCP 80 & 443

AAD Connect

N/A

N/A

*.microsoftonline.de

*.windows.net

Yes

TCP 80 & 443

(Back Home)

Service

IPv4 addresses

IPv6 addresses

Destination FQDNs

Endpoint resides in a Microsoft German cloud datacenter?

Destination Ports

Exchange Online

51.4.64.0/23
51.5.64.0/23

N/A

outlook.office.de

autodiscover*.outlook.de

Yes

TCP 25, 80, 143, 443, 587, 993, 995

Exchange Online CDN

N/A

N/A

r1.res.office365.com

No

TCP 80 & 443

(Back Home)

Service

IPv4 addresses

IPv6 addresses

Destination FQDNs

Endpoint resides in a Microsoft German cloud datacenter?

Destination Ports

Exchange Online Protection

51.4.72.0/24
51.5.72.0/24
51.4.80.0/27
51.5.80.0/27
2a01:4180:4051:0800::/64
2a01:4180:4050:0800::/64
2a01:4180:4051:0400::/64
2a01:4180:4050:0400::/64

*.protection.outlook.de

<customer domain-key>.mail.protection.outlook.de

<tenant>.mail.protection.outlook.de

Yes

TCP 25 & 443

(Back Home)

Service

IPv4 addresses

IPv6 addresses

Destination FQDNs

Endpoint resides in a Microsoft German cloud datacenter?

Destination Ports

SharePoint Online and OneDrive for Business

51.4.66.0/23
51.5.66.0/23

N/A

*.sharepoint.de

<tenant-name>.sharepoint.de

Yes

TCP 80 & 443

SharePoint Online and OneDrive for Business CDNs

N/A

N/A

shellprod.msocdn.de

Static.sharepointonline.com

No

TCP 80 & 443

OneDrive for Business: update verification and download

N/A

N/A

oneclient.sfx.ms

No

TCP 80 & 443

OneDrive for Business: Determines consumer v commercial

N/A

N/A

https://officeclient.microsoft.com/config16

http://odc.officeapps.live.com/odc/emailhrd

No

TCP 80 & 443

OneDrive for Business: Oauth login with AAD

N/A

N/A

login.microsoftonline.de

Yes

TCP 80 & 443

OneDrive for Business: Client push notification

N/A

N/A

wns.windows.com

No

TCP 80 & 443

OneDrive for Business: supportability and telemetry

N/A

N/A

mobile.pipe.aria.microsoft.com

ssw.live.com

watson.telemetry.microsoft.com

No

TCP 80 & 443

OneDrive for Business: Office integration

N/A

N/A

odc.osi.office.de

Yes

TCP 80 & 443

officeapps.live.com

No

(Back Home)

Service

IPv4 addresses

IPv6 addresses

Destination FQDNs

Endpoint resides in a Microsoft German cloud datacenter?

Destination Ports

Skype for Business Online

51.4.68.0/26
51.4.68.128/25
51.5.69.0/26
51.5.69.128/25
2a01:4180:4040:2::/64
2a01:4180:4040:1::/64
2a01:4180:4040:8::/64 
2a01:4180:4040:7::/64

*.germeetings.skype.de

*.infra.skype.de

*.online.skype.de

*.resources.skype.de

Yes

TCP 80, 443, 5061, 50000-59999 & UDP 3478, 50000-59999

(Back Home)

Service

IPv4 addresses

IPv6 addresses

Destination FQDNs

Endpoint resides in a Microsoft German cloud datacenter?

Destination Ports

Office Online

51.4.144.200/32

51.5.149.3/32

N/A

*.online.office.de

broadcast.online.office.de

excel.online.office.de

onenote.online.office.de

powerpoint.online.office.de

view.online.office.de

visio.online.office.de

word-edit.online.office.de

word-view.online.office.de

Yes

TCP 443

Office Online CDN

N/A

N/A

broadcast.cdn.office.de

excel.cdn.office.de

onenote.cdn.office.de

powerpoint.cdn.office.de

officeapps.cdn.office.de

view.cdn.office.de

visio.cdn.office.de

word-edit.cdn.office.de

word-view.cdn.office.de

No

TCP 443

(Back Home)

Service

IPv4 addresses

IPv6 addresses

Destination FQDNs

Endpoint resides in a Microsoft German cloud datacenter?

Destination Ports

Office 365 ProPlus

51.4.144.41
51.4.144.174
51.4.145.38
51.4.147.81
51.5.147.242
51.4.147.233
51.4.148.12
51.5.149.123
51.5.149.100
51.5.149.119
51.5.149.180
51.5.149.186
51.4.150.145

N/A

ols.osi.office.de

pptcs.osi.office.de

pptps.osi.office.de

wordcs.osi.office.de

wordps.osi.office.de

excelcs.osi.office.de

excelps.osi.office.de

arms.osi.office.de

plattest.osi.office.de

manage.osi.office.de

scram.office.osi.de

ols.office.osi.de

omexdiagnostics.osi.office.de

omexdatastore.osi.office.de

retailer.osi.office.de

Yes

TCP 80 & 443

(Back Home)

Share Facebook Facebook Twitter Twitter Email Email

Was this information helpful?

Great! Any other feedback?

How can we improve it?

Thank you for your feedback!

×