Office 365 URLs and IP address ranges

Summary   : If your organization uses Office 365 and restricts computers on your network from connecting to the Internet, below you'll find the endpoints (FQDNs, Ports, URLs, IPv4, and IPv6 address ranges) that you should include in your outbound allow lists to ensure your computers can successfully use Office 365.

Office 365 endpoints: Worldwide | Office 365 operated by 21 Vianet

Last updated: 7/22/2016

Tips: Subscribe via RSS RSS to receive notice when endpoints are changed.

Download the XML file for a list of the endpoints organized by service.

Office 365 requires internet connectivity. Learn more about Network connectivity to Office 365 before proceeding. Filtering internet traffic requires advanced networking knowledge, a deep understanding of the applications in use in your organization, and isn't suitable for all customers. Additional resources for planning your network connectivity include Routing with ExpressRoute for Office 365, Content delivery networks, and Client connectivity.

Warning: IP addresses filtering alone isn’t a complete solution due to dependencies on internet based services such as Domain Name Services, Content Delivery Networks (CDNs), Certificate Revocation Lists, and other third party or dynamic services. These dependancies include dependancies on other Microsoft services such as the Azure Content Delivery Network and will result in network traces or firewall logs indicating connections to IP addresses owned by third parties or Microsoft but not listed on this page. These unlisted IP addresses, whether from third party or Microsoft owned CDN and DNS services are dynamically assigned and can change at any time.

  • Some clients such as the Office 365 admin portal or Outlook Web App won’t be able to authenticate without contacting CDNs.

  • CDN, CRL, and other partners don't publish IP addresses.

  • New Office 365 infrastructure won’t become instantly available to client computers.

  • Some firewall providers and security policies don't allow for wildcards.

  • Updates will be required as frequently as weekly for both planned and emergency changes.

  • Future non-web based clients may not be able to authenticate.

Tip: If IP address filtering is your only option at the firewall, an automatic proxy configuration file can be used to route the destinations marked below as CDNs through an alternate path, such as through an outbound proxy. See the Routing office 365 traffic over the internet and ExpressRoute scenario in the article Routing with ExpressRoute for Office 365 for help with more complex routing configurations.

Every Office 365 service requires the endpoints in the Office 365 portal and shared as well as the Office 365 authentication and identity to function. Beyond that you'll need to select the services you've deployed or plan to deploy in your organization and filter accordingly. If you've fully adopted all Office 365 services in your organization, the entries from every service section below are required. If not, use these links to get to just the services your organization has adopted. The FQDNs and IP addresses tables are collapsed to improve navigation, you'll need to expand the sections to see the tables. If you want to search for a specific endpoint, search the XML file for the current list of endpoints organized by service or the RSS feed to see a historical view including the dates when specific endpoints were added or removed.

Most changes are made 14-30 days ahead of the endpoint being used. We understand that emergency changes with less notice are difficult to manage and strive to make these infrequently. If possible, use FQDN filtering instead of IP filtering to reduce the impact of emergency changes. When an endpoint is added, an effective date is listed in the RSS feed. Read the RSS feed to see what date you need to configure access by per endpoint. If you're new to RSS, here is how to subscribe via Outlook or you can have the RSS feed updates emailed to you.

Some of our services do overlap with one another and you will notice the overlap or duplication in the lists of endpoints. There is also some domain name overlapping with our consumer services; while the root domain name is the same, Office 365 operates from a separate sub-domain. If you’re going to add IP addresses to your allow lists, keep in mind that IPv6 is optional and not required. We provide it here for customers who wish to use IPv6.

The endpoints listed as a Yes in the ExpressRoute for Office 365 column are available both over the internet and over ExpressRoute with Microsoft peering configured. Some services that Office 365 leverages are also available with Public peering configured and those are noted here; however, Public peering is not required to use ExpressRoute with Office 365 for the Office 365 applications supported over ExpressRoute.

There's a lot of information on this page, can we present it to you in a simpler way?

Please consider voicing your thoughts at the bottom of this page, under the heading Was this information helpful? Click yes or no and enter detailed feedback. The more feedback we get from you the easier it will be for us to improve the page.

Office 365 portal and shared

To use any Office 365 services, you must be able to connect to the endpoints marked required below. If your organization uses the Office 365 management pack, Cloud App Security, or the Security and Compliance export services, you'll find the associated endpoints below.

Row

Purpose

Source | Credentials

Destination

CDN

ExpressRoute for Office 365

Destination IP

Destination Port

1

Required: Office 365 Portal

Client Computer | Logged on user

*.office365.com

No

No

Portal and shared IP ranges.

TCP 443

2

Required: Office 365 Portal

Client Computer | Logged on user

home.office.com

portal.office.com

agent.office.net

www.office.com

outlook.office365.com

No

Yes

Portal and shared IP ranges & Exchange Online IP ranges.

TCP 443

portal.microsoftonline.com

No

No

Portal and shared IP ranges.

TCP 443

3

Required: CDNs used for portal and shared

Client Computer | Logged on user

prod.msocdn.com

appsforoffice.microsoft.com

Microsoft and Akamai

No

N/A

TCP 443

4

Required: Shared infrastructure

Client Computer | Logged on user

clientlog.portal.office.com

nexus.officeapps.live.com

nexusrules.officeapps.live.com

Various

No

Portal and shared IP ranges.

TCP 443

5

Required: Certificate revocation lists

Client Computer | Logged on user

See well known certificate root CRLs in the table below.

No

No

N/A

TCP 80 & 443

6

Required: Some Office 365 features require endpoints within these domains.

Client Computer | Logged on user

*.onmicrosoft.com

*.microsoft.com

*.office.com

*.msedge.net

*.office.net

*.live.com

*.msocdn.com

No

No

N/A

TCP 443

7

Optional: Shared help and support

Client Computer | Logged on user

support.office.com

products.office.com

technet.microsoft.com

Various

No

N/A

TCP 80 & 443

8

Optional: Deprecated FQDNs

Client Computer | Logged on user

*.glbdns.microsoft.com

No

No

N/A

TCP 80 & 443

9

Optional: Microsoft Azure RemoteApp

Client Computer | Logged on user

dc.services.visualstudio.com

liverdcxstorage.blob.core.windowsazure.com

telemetry.remoteapp.windowsazure.com

vortex.data.microsoft.com

www.remoteapp.windowsazure.com

No

Varies3

N/A

TCP 443

10

Optional: Office 365 Management Pack for Operations Manager

Customer Operations Manager environment | Machine1 Account

office365servicehealthcommunications.cloudapp.net

No

Varies3

N/A

TCP 443

11

Optional: Import Service for PST and file ingestion

Refer to the Azure Import/Export Service documentation for additional requirements.

12

Optional: Cloud App Security

Client Computer | Logged on user

*.portal.cloudappsecurity.com

No

No

104.42.231.28 104.209.35.177 13.91.98.185

TCP 443

13

Optional: Security and Compliance export

Client Computer | Logged on user

protection.office.com

*.blob.core.windows.net

office365zoom.cloudapp.net

equivioprod*.cloudapp.net

zoom-cs-prod*.cloudapp.net

equivio.office.com

compliance.outlook.com

No

Varies3

N/A

TCP 443

1Keep in mind that Machine accounts won’t work with proxies that require outbound authentication.

3 See additional information about supported services over Azure ExpressRoute and the Public peering path.

Note: ExpressRoute for Office 365 currently does not support IPv6. Customers not using ExpressRoute will want to ensure both IP lists below are reachable over the internet.

Office 365 portal and shared IPv4 endpoints routable through the Internet and ExpressRoute

Office 365 portal and shared IPv4 endpoints routable through the Internet only

Office 365 portal and shared IPv6 endpoints routable through the Internet only

Office 365 Certificate Revocation List (Root URLs)

13.93.164.45/32
104.42.230.91/32
13.71.145.114/32
13.78.120.70/32
13.78.120.69/32
13.78.120.99/32
13.84.222.249/32
13.92.181.66/32
13.107.6.156/31
13.107.7.190/31
13.107.9.156/31
23.96.251.50/32
23.96.253.65/32
23.97.66.55/32
23.97.78.94/32
40.83.185.155/32
40.83.185.230/32
40.84.145.72/32
40.117.100.187/32
40.117.229.133/32
40.117.229.194/32
52.178.146.67/32
52.187.78.144/32
65.52.240.200/32
65.55.239.168/32
94.245.117.53/32
104.40.178.127/32
104.42.225.143/32
104.47.156.62/32
104.214.144.62/32
104.214.144.252/32
104.214.145.173/32
111.221.104.43/32
137.116.156.3/32
138.91.61.107/32
157.55.145.0/25
157.55.155.0/25
157.55.227.192/26
168.62.104.83/32
168.63.92.133/32
191.238.160.173/32
207.46.73.250/32
207.46.141.38/32
207.46.216.54/32
213.199.128.119/32
13.76.218.117/32
13.76.219.191/32
13.76.219.210/32
13.91.98.185/32
23.96.240.104/32
23.97.61.137/32
23.97.150.21/32
23.97.152.190/32
23.97.209.97/32
23.99.109.44/32
23.99.109.64/32
23.99.116.116/32
23.99.121.207/32
23.100.86.91/32
23.101.14.229/32
23.101.30.126/32
23.102.4.253/32
23.102.155.140/32
40.76.1.176/32
40.76.8.142/32
40.76.12.4/32
40.76.12.162/32
40.83.189.49/32
40.113.8.255/32
40.113.10.78/32
40.113.11.93/32
40.113.14.159/32
40.117.144.240/32
40.117.151.29/32
40.121.144.182/32
40.122.168.103/32
65.52.26.28/32
65.52.148.27/32
65.52.160.218/32
65.52.184.75/32
65.52.196.64/32
65.52.219.207/32
70.37.97.234/32
94.245.108.85/32
104.41.207.73/32
104.42.231.28/32
104.43.140.223/32
104.45.11.195/32
104.45.214.112/32
104.46.1.211/32
104.46.38.64/32
104.46.50.125/32
104.209.35.177/32
104.209.190.8/32
104.210.4.77/32
104.210.40.87/32
104.210.212.243/32
104.214.35.244/32
104.215.146.200/32
104.215.198.144/32
111.221.111.196/32
137.116.66.126/32
137.116.81.187/32
157.55.177.39/32
157.55.184.223/32
157.55.80.94/32
168.61.146.25/32
168.61.149.17/32
168.61.170.80/32
168.61.172.71/32
168.62.204.209/32
168.62.29.225/32
168.62.43.8/32
168.63.18.79/32
168.63.29.74/32
168.63.100.61/32
168.63.138.56/32
168.63.172.54/32
168.63.213.238/32
191.236.88.160/32
191.236.155.80/32
191.237.218.239/32
191.238.177.236/32
207.46.134.255/32
207.46.153.155/32
2603:1020:200::682f:a1d8
2603:1020:201::3c4
2603:1030:603::6a
2603:1030:603::72
2603:1030:a02::118
2603:1040:200::111
 2603:1040:400::5d
2603:1040:400::5e
2603:1040:400::7b
2603:1040:601::1e7
2801:80:1d0:1c00::/64
2a01:111:2003::/48
2a01:111:200a:a::/64
2a01:111:202c::/48
2a01:111:202e::/48
2a01:111:202e::190
2a01:111:202e::191
2a01:111:202e::156
2a01:111:202d::/48
2a01:111:2035:8::/64
2a01:111:f100:1002::4134:c440
2a01:111:f100:1002::4134:d9ee 
2a01:111:f100:1004::4134:f0c8
2a01:111:f100:2002::8975:2c33
2a01:111:f100:2002::8975:2d11
2a01:111:f100:2002::8975:2d98
2a01:111:f100:3002::8987:320c
2a01:111:f100:3002::8987:3552
2a01:111:f100:4001::4625:61ea
2a01:111:f100:4001::4625:a1e3
2a01:111:f100:4001::4625:a248
2a01:111:f100:6000::4134:b84b
2a01:111:f100:7000::6fdd:682b
2a01:111:f100:7000::6fdd:6b20
2a01:111:f100:7000::6fdd:6b76
2a01:111:f100:7000::6fdd:6fc4
2a01:111:f100:8000::4134:941b
2a01:111:f100:8001::d5c7:8077
2a01:111:f102:8001::1761:4237
2a01:111:f102:8001::1761:4daf
2a01:111:f100:a000::5ef5:6c55
2a01:111:f100:a001::a83f:5c85
2a01:111:f100:a004::bfeb:8c89
2a01:111:f100:a004::bfeb:8deb
2a01:111:f406:1::/64
2a01:111:f406:1000::/64
2a01:111:f406:1004::/64
2a01:111:f406:1801::/64
2a01:111:f406:1805::/64
2a01:111:f406:3404::/64
2A01:111:F406:8000::/64
2a01:111:f406:8801::/64
2a01:111:f406:a003::/64
2a01:111:f406:c00::/64
crl.microsoft.com 
evsecure-ocsp.verisign.com
evsecure-aia.verisign.com
evsecure-crl.verisign.com
ocsp.msocsp.com
sa.symcb.com
sd.symcb.com
*.omniroot.com
*.verisign.com
*.symcb.com
*.symcd.com
*.verisign.net
*.geotrust.com
*.entrust.net
*.public-trust.com

The endpoints listed in this section are required if you're using Azure Rights Management.

Row

Purpose

Source | Credentials

Destination

CDN

ExpressRoute for Office 365

Destination IP

Destination Port

1

Required: Authentication and identity

See Office 365 authentication and identity

2

Required: Portal and shared

See Office 365 portal and shared including the well known certificate root CRLs.

4

Required: Azure Rights Management (RMS)

Client Computer | Logged on user

*.aadrm.com

*.azurerms.com

ecn.dev.virtualearth.net

No

No

N/A

TCP 443

*.cloudapp.net1

No

Varies2

N/A

TCP 443

8

Optional: Rights Management connector

On-premises server

*.aadrm.com

No

No

N/A

TCP 443

1Azure Rights Management Office 2010 Clients Only.

2 See additional information about supported services over Azure ExpressRoute and the Public peering path.

(Back to top | Office 365 portal and shared | Office 365 authentication and identity | Exchange Online | Skype for Business Online | SharePoint Online | Office 365 Video | Exchange Online Protection (EOP) | Office 365 remote analyzer tools | Office Clients | Office Online | Yammer | Sway | Planner)

Office 365 authentication and identity

To use any Office 365 services, you must be able to connect to the endpoints marked required below. If your organization uses Azure AD Connect, AD FS, or Multi-factor authentication, you'll find the associated endpoints below.

If you’re using Active Directory Federation Services (AD FS) with your deployment, you can also use AD FS client access policies with Windows Server 2012 R2 or client access policies with AD FS 2.0 to further restrict and control access to Office 365.

Row

Purpose

Source | Credentials

Destination

CDN

ExpressRoute for Office 365

Destination IP

Destination Port

1

Required: Portal and shared

See Office 365 portal and shared including the well known certificate root CRLs.

2

Required: Authentication and identity

Client Computer | Logged on user

consent.microsoftonline.com

hipservice.microsoftonline.com

idsignup.microsoftonline.com

stamp2.login.microsoftonline.com

api.login.microsoftonline.com

loginex.microsoftonline.com

msm.microsoftonline.com

accountservices.microsoftonline-p.net

login.microsoftonline.com

login.windows.net

clientconfig.microsoftonline-p.net

hip.microsoftonline-p.net

No

Yes

Authentication and Identity IP ranges

TCP 443

secure.aadcdn.microsoftonline-p.com

login.microsoftonline-p.com

nexus.microsoftonline-p.com

accountservices.microsoftonline-m.com

No

No

N/A

TCP 443

3

Optional: Legacy/temporary FQDNs

Client Computer | Logged on user

*.msecnd.net

*.microsoft.com

*.microsoftonline-p.com

*.microsoftonline-p.net

*.windows.net

Akamai and Microsoft

No

N/A

TCP 443

*.microsoftonline.com

Varies

Yes

N/A

TCP 443

4

Optional: Multi-factor authentication (MFA)

Client Computer | Logged on user

account.activedirectory.windowsazure.com

secure.aadcdn.microsoftonline-p.com3

No

No

Microsoft Azure Active Directory (MFA) IP and FQDNs

TCP 443

5

Optional: DirSync (legacy)

DirSync Server | Machine1 and Service Account

*.microsoftonline.com

login.windows.net

provisioningapi.microsoftonline.com

adminwebservice.microsoftonline.com

No

Yes

Authentication and Identity IP ranges

TCP 443

mscrl.microsoft.com

No

No

N/A

TCP 80 & 443

6

Optional: Azure AD Connect (recommended)

Azure AD Connect Server | Service Account

*.microsoftonline.com

login.windows.net

provisioningapi.microsoftonline.com

adminwebservice.microsoftonline.com

No

Yes

Authentication and Identity IP ranges

TCP 443

mscrl.microsoft.com

secure.aadcdn.microsoftonline-p.com3

No

No

N/A

TCP 80 & 443

Public DNS

No

No

N/A

TCP 53

7

Optional: Azure AD Connect (w/SSO option) – WinRM & remote powershell

Client Computer | Service Account

Customer STS environment (AD FS Server and AD FS Proxy) | Ports TCP 80 & 443

No

No

Customer environment

TCP 80 & 443

8

Optional: STS such as AD FS Proxy server(s) (for federated customers only)

Client Computer | N/A

Customer STS (such as AD FS Proxy) | Ports TCP 443 or TCP 49443 w/ClientTLS

No

No

Customer environment

TCP 443 or TCP 49443 w/ClientTLS

9

Optional: AD FS Proxy server(s) (for federated customers only)

Customer AD FS Proxy (WAP) | N/A

Customer AD FS Server (FS) | Port TCP 443

No

No

Customer environment

TCP 443

10

Optional: Azure AD Connect Health

Azure AD Connect Health Server | Service Account

management.azure.com

*.blob.core.windows.net

*.queue.core.windows.net

*.servicebus.windows.net - Port: 5671 (If 5671 is blocked, agent falls back to 443, but using 5671 is recommended.)

*.adhybridhealth.azure.com

*.table.core.windows.net

policykeyservice.dc.ad.msft.net

secure.aadcdn.microsoftonline-p.com

Microsoft

Varies2

N/A

TCP 443

login.windows.net

login.microsoftonline.com

No

Yes

Authentication and Identity IP ranges

TCP 443

11

Optional: Office 365 Management Pack for Operations Manager

Customer Operations Manager environment | Machine1 Account

office365servicehealthcommunications.cloudapp.net

No

Varies2

N/A

TCP 443

1Keep in mind that Machine accounts won’t work with proxies that require outbound authentication.

2 See additional information about supported services over Azure ExpressRoute and the Public peering path.

3 This FQDN needs to be in your client's IE Trusted Sites Zone to function.

Note: ExpressRoute for Office 365 currently does not support IPv6

Office 365 authentication and identity IPv4 endpoints routable through the Internet and ExpressRoute

Office 365 authentication and identity IPv6 endpoints routable through the Internet only

13.67.50.224/29
13.75.48.16/29
13.75.80.16/29
13.106.56.0/25
23.96.208.238/32
23.97.64.252/32
23.97.66.110/32
23.97.68.113/32
23.97.70.147/32
23.97.72.158/32
23.97.72.161/32
23.97.72.165/32
23.97.98.128/32
23.97.99.4/32
23.97.100.76/32
23.97.100.92/32
23.97.100.105/32
23.97.100.152/32
23.97.103.118/32
23.97.145.9/32
23.97.148.36/32
23.97.148.228/32
23.98.66.168/32
23.98.69.116/32
23.98.70.90/32
23.99.128.120/32
23.99.129.26/32
23.99.129.173/32
23.99.193.105/32
23.99.194.77/32
23.99.196.232/32
23.99.226.167/32
23.99.227.124/32
23.100.16.168/29
23.100.32.136/29
23.100.64.24/29
23.100.72.32/29
23.100.80.64/29
23.100.88.32/29
23.100.101.112/28
23.100.104.16/28
23.100.112.64/29
23.100.120.64/29
23.101.5.104/29
23.101.19.99/32
23.101.25.224/32
23.101.144.136/29
23.101.165.168/29
23.101.178.227/32
23.101.181.128/29
23.101.187.91/32
23.101.210.24/29
23.101.222.240/28
23.101.224.16/29
23.101.226.16/28
23.102.64.138/32
23.102.64.255/32
23.102.65.203/32
23.102.65.221/32
40.112.64.16/28
40.113.192.16/29
40.114.120.16/29
40.115.48.147/32
40.115.52.169/32
40.115.54.162/32
40.115.54.55/32
40.115.55.208/32
40.115.152.16/28
40.127.67.24/29
52.172.144.16/28
65.52.1.16/29
65.52.64.61/32
65.52.64.230/32
65.52.136.224/32
65.52.144.125/32
65.52.193.136/29
65.52.228.75/32
65.52.228.99/32
65.52.228.100/32
65.52.232.52/32
65.52.233.128/32
65.52.236.160/32
65.52.240.73/32
65.52.244.66/32
65.54.54.32/27
65.54.55.201/32
65.54.74.0/23
65.54.165.0/25
65.54.170.128/25
65.55.86.0/23
65.55.233.0/27
70.37.56.152/32
70.37.128.0/23
70.37.142.0/23
70.37.159.0/24
70.37.160.72/32
70.37.160.202/32
94.245.68.0/22
94.245.82.0/23
94.245.84.0/24
94.245.86.0/24
94.245.88.223/32
94.245.88.194/32
104.40.240.48/28
104.41.1.233/32
104.41.13.120/29
104.41.216.16/28
104.42.72.16/29
104.43.208.16/29
104.43.240.16/29
104.44.218.128/25
104.44.254.128/25
104.44.255.0/25
104.45.0.16/28
104.45.208.104/29
104.46.112.8/29
104.46.224.64/28
104.47.143.47/32
104.47.146.37/32
104.209.144.16/29
104.210.48.8/29
104.210.83.160/29
104.210.208.16/29
104.211.16.16/29
104.211.48.16/29
104.211.88.16/28
104.211.98.2/32
104.211.98.6/32
104.211.98.138/32
104.211.98.146/32
104.211.98.194/32
104.211.98.246/32
104.211.99.88/32
104.211.99.127/32
104.211.99.181/32
104.211.99.236/32
104.211.100.160/32
104.211.100.170/32
104.211.100.196/32
104.211.100.204/32
104.211.102.225/32
104.211.152.32/27
104.211.160.36/32
104.211.161.31/32
104.211.161.69/32
104.211.161.150/32
104.211.161.165/32
104.211.161.170/31
104.211.161.185/32
104.211.162.33/32
104.211.162.51/32
104.211.162.180/32
104.211.165.35/32
104.211.166.139/32
104.211.164.26/32
104.211.165.64/32
104.211.216.32/27
104.211.224.71/32
104.211.224.118/32
104.211.225.135/32
104.211.225.215/32
104.211.226.231/32
104.211.226.240/32
104.211.227.110/32
104.211.227.238/32
104.211.229.0/32
104.211.230.178/32
104.211.230.245/32
104.211.231.147/32
104.211.231.248/32
104.215.96.24/29
104.215.144.64/29
104.215.184.16/29
111.221.24.0/21
111.221.70.0/25
111.221.71.0/25
111.221.127.112/28
131.253.120.128/32
134.170.67.0/25
134.170.172.128/25
137.135.47.6/32
137.135.47.4/32
137.135.47.28/32
137.116.32.61/32
137.116.32.101/32
137.116.48.66/32
137.116.48.69/32
137.116.49.27/32
137.116.64.162/32
137.116.80.106/32
137.116.200.108/32
137.116.242.169/32
137.117.99.175/32
137.117.103.21/32
138.91.1.59/32
138.91.2.208/32
138.91.2.210/32
138.91.2.212/32
138.91.17.43/32
138.91.17.108/32
138.91.18.52/32
138.91.56.78/32
138.91.56.97/32
138.91.58.210/32
138.91.59.239/32
138.91.59.78/32
138.91.60.177/32
138.91.61.153/32
138.91.61.35/32
157.55.45.128/25
157.55.59.128/25
157.55.80.175/32
157.55.80.182/32
157.55.84.19/32
157.55.84.237/32
157.55.130.0/25
157.55.161.59/32
157.55.161.75/32
157.55.168.18/32
157.55.176.63/32
157.55.185.100/32
157.55.208.58/32
157.55.208.198/32
157.55.208.218/32
157.55.252.101/32
157.56.48.128/25
157.56.53.128/25
157.56.55.0/25
157.56.58.0/25
157.56.58.192/26
157.56.151.0/25
157.56.8.78/32
157.56.12.18/32
157.56.28.192/32
168.61.32.214/32
168.61.35.252/32
168.61.36.121/32
168.61.37.63/32
168.61.38.105/32
168.61.82.81/32
168.61.85.180/32
168.62.4.28/32
168.62.11.24/32
168.62.11.117/32
168.62.16.112/32
168.62.16.140/32
168.62.16.149/32
168.62.16.252/32
168.62.24.38/32
168.62.24.104/32
168.62.24.114/32
168.62.24.150/32
168.62.41.25/32
168.62.42.89/32
168.62.52.198/32
168.62.52.203/32
168.62.56.108/32
168.62.60.71/32
168.62.60.80/32
168.62.104.146/32
168.62.105.126/32
168.62.105.217/32
168.62.176.34/32
168.62.179.4/32
168.63.25.227/32
168.63.27.2/32
168.63.166.200/32
168.63.165.67/32
168.63.164.177/32
168.63.208.73/32
168.63.250.173/32
168.63.252.39/32
191.232.2.128/25
191.233.37.141/32
191.235.135.139/32
191.235.135.222/32
191.236.192.179/32
191.237.248.32/29
191.237.252.192/28
191.238.80.160/32
191.238.80.241/32
191.238.81.69/32
191.238.83.220/32
191.239.64.124/31
191.239.64.129/32
191.239.64.130/31
191.239.64.132/31
191.239.64.134/32
191.239.160.4/32
191.239.160.93/32
191.239.160.140/30
191.239.160.144/31
207.46.70.0/24
207.46.206.0/23
213.199.128.58/32
213.199.128.91/32
213.199.132.97/32
213.199.148.0/23
2a01:111:f400::/48
2603:1020:201:2::/64
2603:1020:201:3::/64
2a01:111:2005:6::/64

(Back to top | Office 365 portal and shared | Office 365 authentication and identity | Exchange Online | Skype for Business Online | SharePoint Online | Office 365 Video | Exchange Online Protection (EOP) | Office 365 remote analyzer tools | Office Clients | Office Online | Yammer | Sway | Planner)

Exchange Online

To use Exchange Online, you must be able to connect to the endpoints marked required below. If your organization uses Exchange Hybrid, Delve, or is migrating email to Office 365, you'll find the associated endpoints below.

Row

Purpose

Source | Credentials

Destination

CDN

ExpressRoute for Office 365

Destination IP

Destination Port

1

Required: Portal and shared

See Office 365 portal and shared including the well known certificate root CRLs.

2

Required: Authentication and identity

See Office 365 authentication and identity

3

Required: Exchange Online Protection

See Exchange Online Protection (EOP)

4

Required: Client SMTP Relay

Client Computer | Logged on user

smtp.office365.com

No

Yes

Exchange Online IP ranges.

TCP 587

5

Required: Exchange Online

Client Computer | Logged on user

outlook.office365.com

*.outlook.office.com

No

Yes

Exchange Online IP ranges.

TCP 80 & 443

6

Required: Exchange Online

Client Computer | Logged on user

*.outlook.com

No

No

Exchange Online IP ranges.

TCP 80 & 443

7

Required: Exchange Online

Client Computer | Logged on user

xsi.outlook.com

r1.res.office365.com

r3.res.office365.com

r4.res.office365.com

Akamai

No

N/A

TCP 80 & 443

8

Optional: Exchange Hybrid Only

Existing Exchange Client Access Servers and Mailbox Servers | Machine account1

outlook.office365.com

*.outlook.office.com

No

Yes

Exchange Online IP ranges.

TCP 80 & 443

9

Optional: Exchange Hybrid Co-existence

Exchange Online IP ranges | N/A

Customer on-premise Exchange

No

Yes

Customer IP

TCP 80 & 443

10

Optional: Exchange Hybrid Proxy Authentication

Exchange Online IP ranges | N/A

Customer on-premise STS

No

Yes

Customer IP

TCP 80 & 443

11

Optional: Used to configure Exchange Hybrid, using the Exchange Hybrid Configuration Wizard.

Note: These endpoints are only required to configure Exchange hybrid. Rows 8-10 describe the ongoing traffic.

Existing Exchange service | N/A

hybridconfiguration.azurewebsites.net

*.hybridconfiguration.azurewebsites.net

mshrcstorageprod.blob.core.windows.net

No

Varies3

65.55.39.128/25

65.55.181.128/25

207.46.150.128/25

207.46.164.0/24

207.46.203.128/26

TCP 80 & 443

domains.live.com2

No

Yes

65.55.79.128/25

TCP 80 & 443

12

Optional: Exchange Online IMAP4 migration

IMAP4 Service | N/A

outlook.office365.com

*.outlook.office.com

No

Yes

Exchange Online IP ranges.

TCP 143/993

13

Optional: Exchange Online POP3 migration

POP3 Service | N/A

outlook.office365.com

*.outlook.office.com

No

Yes

Exchange Online IP ranges.

TCP 995

14

Optional: All other Exchange Online migration tools

Existing Exchange service (EWS or MRS) | N/A

outlook.office365.com

*.outlook.office.com

No

Yes

Exchange Online IP ranges.

TCP 80 & 443

15

Optional: Required for Delve

Client Computer | Logged on user

delve.office.com

No

No

Exchange Online IP ranges.

TCP 80 & 443

16

Optional: Required for Delve

Client Computer | Logged on user

r3.res.outlook.com

Akamai

No

N/A

TCP 80 & 443

1Keep in mind that Machine accounts won’t work with proxies that require outbound authentication.

2 Only required for Exchange 2010 SP3 Hybrid Configuration Wizard.

3 See additional information about supported services over Azure ExpressRoute and the Public peering path.

Note: ExpressRoute for Office 365 currently does not support IPv6

Exchange Online IPv4 endpoints routable through the Internet and ExpressRoute

Exchange Online IPv6 endpoints routable through the Internet only

13.107.6.152/31
13.107.9.152/31
13.107.18.10/31
13.107.19.10/31
23.103.160.0/20
23.103.224.0/19
40.96.0.0/13
40.104.0.0/15
70.37.151.128/25
111.221.112.0/21
131.253.33.215
132.245.1.128/25
132.245.2.0/23
132.245.4.0/22
132.245.8.0/21
132.245.16.0/20
132.245.32.0/19
132.245.64.0/19
132.245.96.0/20
132.245.113.128/25
132.245.114.0/23
132.245.116.0/22
132.245.120.0/21
132.245.129.128/25
132.245.130.0/23
132.245.132.0/22
132.245.136.0/21
132.245.144.0/20
132.245.160.0/19
132.245.193.128/25
132.245.194.0/23
132.245.196.0/22
132.245.200.0/21
132.245.209.128/25
132.245.210.0/23
132.245.212.0/22
132.245.216.0/21
132.245.224.0/19
134.170.68.0/23
157.56.96.16/28
157.56.96.224/28
157.56.106.128/28
157.56.232.0/21
157.56.240.0/20
191.232.96.0/19
191.234.6.152
191.234.140.0/22
191.234.224.0/22
204.79.197.215
206.191.224.0/19
207.46.150.128/25
207.46.203.128/26
2a01:111:f400::/48
2620:1ec:a92::152
2620:1ec:4::152
2620:1ec:a92::153
2620:1ec:4::153
2620:1ec:c::10
2620:1ec:c::11
2620:1ec:d::10
2620:1ec:d::11

(Back to top | Office 365 portal and shared | Office 365 authentication and identity | Exchange Online | Skype for Business Online | SharePoint Online | Office 365 Video | Exchange Online Protection (EOP) | Office 365 remote analyzer tools | Office Clients | Office Online | Yammer | Sway | Planner)

Exchange Online Protection (EOP)

To use Exchange Online Protection, you must be able to connect to the endpoints marked required below.

Row

Purpose

Source | Credentials

Source Port

Destination

CDN

ExpressRoute for Office 365

Destination IP

Destination Port

1

Required: Authentication and identity

See Office 365 authentication and identity

2

Required: EOP

Client Computer | Logged on user

TCP 80 & 443

*.protection.outlook.com

No

Yes

See Exchange Online Protection IP Addresses

TCP 443

3

Required: Send email

Existing email environment | N/A

TCP 25

<customer domain-key>.mail.protection.outlook.com

No

Yes

See Exchange Online Protection IP Addresses

TCP 25

4

Required: Receive email

See Exchange Online Protection IP Addresses | N/A

TCP 25

Existing email environment

No

Yes

See Exchange Online Protection IP Addresses

TCP 25

Note: The wildcard in the second row of the EOP table represents a long list of nodes that are exclusively used for Exchange Online Protection. No other commercial or consumer services use this namespace.

Skype for Business Online

To use Skype for Business Online, you must be able to connect to the endpoints described below. To enable authentication, the endpoints listed in the Office 365 authentication and identity section must be reachable. Similarly, for shared infrastructure and portal services, the endpoints in the portal and shared section are must be reachable. These are rows One and Two respectively. Once the required endpoints in these tables are reachable, ensure the endpoints in the Skype for Business Online table below are reachable. To see the IP addresses, expand the IP address section below the table describing the traffic flow.

Row

Purpose

Source | Credentials

Source Port

Destination

CDN

ExpressRoute for Office 365

Destination IP

Destination Port

1

Required: Authentication and identity

See Office 365 authentication and identity

2

Required: Portal and shared

See Office 365 portal and shared

3

Required: SIP signaling

Client Computer | Logged on user

Ephemeral ports

*.lync.com

No

Yes

Skype for Business IP ranges.

TCP 443

4

Required: Persistent Shared Object Model (PSOM) connections web conferencing

Client Computer | Logged on user

Ephemeral ports

*.lync.com

No

Yes

Skype for Business IP ranges.

TCP 443

5

Required: HTTPS downloads

Client Computer | Logged on user

Ephemeral ports

*.lync.com

No

Yes

Skype for Business IP ranges.

TCP 443

6

Required: Audio

Client Computer | Logged on user

TCP/UDP 50,000-50019

*.lync.com

No

Yes

Skype for Business IP ranges.

TCP 443, UDP 3478, 3479, 3480, & 3481, TCP/UDP 50,000-59,999

7

Required: Video

Client Computer | Logged on user

TCP/UDP 50,020-50039

*.lync.com

No

Yes

Skype for Business IP ranges.

TCP 443, UDP 3478, 3479, 3480, & 3481, TCP/UDP 50,000-59,999

8

Required: Desktop sharing

Client Computer | Logged on user

TCP/UDP 50,040-50059

*.lync.com

No

Yes

Skype for Business IP ranges.

TCP 443, UDP 3478, 3479, 3480, & 3481, TCP/UDP 50,000-59,999

9

Required: Lync Mobile push notifications for Lync Mobile 2010 on iOS devices. You don't need this for Android, Nokia Symbian or Windows Phone mobile devices.

Client Computer | Logged on user

Ephemeral ports

*.lync.com

No

Yes

Skype for Business IP ranges.

TCP 5223

10

Required: Skype Telemetry

Client Computer | Logged on user

Ephemeral ports

skypemaprdsitus.trafficmanager.net

pipe.skype.com

No

No

N/A.

TCP 443

11

Required: Skype client quicktips

Client Computer | Logged on user

Ephemeral ports

quicktips.skypeforbusiness.com

No

No

N/A.

TCP 443

12

Required: Skype for Business chat in OWA

Client Computer | Logged on user

Ephemeral ports

swx.cdn.skype.com

No

No

N/A.

TCP 443

13

Required: Skype for Business client configurations

Client Computer | Logged on user

Ephemeral ports

a.config.skype.com

b.config.skype.com

config.edge.skype.com

No

Yes

13.107.3.128

13.107.3.129

23.99.213.58

23.101.115.193

23.101.116.26

23.101.156.198

23.101.158.111

23.102.17.214

23.102.24.114

40.68.229.156

40.68.230.133

40.78.145.194

104.40.75.8

104.40.76.196

191.233.80.151

191.233.95.169

191.234.19.21

191.234.20.241

191.234.21.145

191.234.23.27

TCP 443

14

Optional: Federation with Skype and public IM connectivity: Contact picture retrieval

Client Computer | Logged on user

Ephemeral ports

*.api.skype.com

*.users.storage.live.com

No

No

N/A.

TCP 443

15

Optional: Federation with Skype and public IM connectivity: Skype Search

Client Computer | Logged on user

Ephemeral ports

graph.skype.com

No

No

N/A.

TCP 443

To use Skype Meeting Broadcast, the following endpoints need to be accessible to client computers.

Row

Purpose

Source |Credentials

Destination

CDN

ExpressRoute for Office 365

Destination IP

Destination Port

1

Required: For all Skype functionality, the entries are labeled "required".

See Skype for Business Online.

2

Required: Skype Meeting Broadcast presenter

Client computer / logged on user

aka.ms

None

No

N/A

TCP 80 & 443

*.microsoftonline.com

None

Yes

Authentication and Identity IP ranges

TCP 443

3

Required: Skype Meeting Broadcast presenter and attendee

Client computer / logged on user

broadcast.skype.com

*.broadcast.skype.com1

*.infra.lync.com1

browser.pipe.aria.microsoft.com

mlccdn.blob.core.windows.net

None

No

N/A

TCP 443

ajax.aspnetcdn.com

*.msecnd.net2

Verizon

No

N/A

TCP 443

4

Required: Skype Meeting Broadcast attendee

Client computer / logged on user

amp.azure.net

pipe.skype.com

None

No

N/A

TCP 443

*.streaming.mediaservices.windows.net3

*.keydelivery.mediaservices.windows.net3

Azure Media Services

Yes (Azure Public peering)

N/A

TCP 443

1 The wildcard for lync.com and broadcast.skype.com represents a long list of nodes that are exclusively used for Office 365.

2 The wildcard for msecnd.net represents a dynamically generated endpoint within the CDN that join page libraries are pulled from.

3 The wildcard for streaming.mediaservices.windows.net represents a list of media services endpoints where video content is pulled from.

Note: The wildcard for lync.com and broadcast.skype.com represents a long list of nodes that are exclusively used for Office 365.

Note: ExpressRoute for Office 365 currently does not support IPv6

Skype for Business Online IPv4 endpoints routable through the Internet and ExpressRoute

Skype for Business Online IPv6 endpoints routable through the Internet only

13.107.3.128/32
13.107.3.129/32
13.107.8.0/24
23.99.213.58/32
23.101.115.193/32
23.101.116.26/32
23.101.156.198/32
23.101.158.111/32
23.102.17.214/32
23.102.24.114/32
23.103.128.0/23
23.103.130.0/24
23.103.176.128/26
23.103.176.192/27
23.103.178.128/26
23.103.178.192/27
40.68.229.156/32
40.68.230.133/32
40.78.145.194/32
52.112.0.0/15
65.55.127.0/24
66.119.157.192/26
66.119.158.0/25
104.40.75.8/32
104.40.76.196/32
104.44.195.0/24
104.44.200.0/23
111.221.76.128/25
111.221.77.0/26
111.221.122.192/26
131.253.128.0/19
131.253.160.0/20
132.245.0.0/24
132.245.1.0/25
132.245.112.0/24
132.245.113.0/25
132.245.128.0/24
132.245.129.0/25
132.245.192.0/24
132.245.193.0/25
132.245.208.0/24
132.245.209.0/25
134.170.0.0/25
134.170.54.0/26
134.170.54.128/25
134.170.113.192/26
134.170.115.128/25
157.55.40.128/25
157.55.46.64/26
157.55.232.128/26
157.55.238.0/25
157.56.135.64/26
157.56.185.0/26
191.233.80.151/32
191.233.95.169/32
191.234.19.21/32
191.234.20.241/32
191.234.21.145/32
191.234.23.27/32
207.46.5.0/24
2603:1027::/48
2603:1037::/48
2603:1047::/48
2603:1057::/48
2a01:111:2047:2::/64
2a01:111:2047:1::/64
2a01:111:2048:2::/64
2a01:111:2048:1::/64
2a01:111:f406:3406::/64
2a01:111:f406:3405::/64
2a01:111:200f:11::/64
2a01:111:200f:10::/64
2a01:111:2007:3::/64
2a01:111:2007:4::/64
2a01:111:200f:6::/64
2a01:111:200f:7::/64 
2a01:111:200f:8::/64
2a01:111:200f:9::/64
2a01:111:2012:2::/64 
2a01:111:2012:3::/64
2a01:111:2012:4::/64
2a01:111:2012:5::/64
2a01:111:2012:6::/64
2a01:111:2012:7::/64
2a01:111:202a:2::/64
2a01:111:202a:3::/64
2a01:111:202b:3::/64
2a01:111:202b:4::/64
2a01:111:202b:9::/64
2a01:111:202b:a::/64
2a01:111:2034:2::/64
2a01:111:2034:3::/64
2a01:111:2035:6::/64
2a01:111:2035:7::/64
2a01:111:2036:2::/64
2a01:111:2036:3::/64
2a01:111:203e:1::/64
2a01:111:203e:2::/64
2a01:111:2040:1::/64
2a01:111:2040:2::/64
2a01:111:2046:4::/64
2a01:111:2046:5::/64
2a01:111:2a:7::/6
2a01:111:2a:8::/64
2a01:111:f402:5802::/64
2a01:111:f402:5803::/64
2a01:111:f402:5805::/64
2a01:111:f404:0c06::/64
2a01:111:f404:0c07::/64
2a01:111:f404:0c09::/64
2a01:111:f404:0c0a::/64
2a01:111:f404:3400::/64
2a01:111:f404:3401::/64
2a01:111:f404:8002::/64
2a01:111:f404:8003::/64
2a01:111:f404:9400::/64
2a01:111:f404:9401::/64
2a01:111:f404:a000::/64
2a01:111:f404:a001::/64
2a01:111:f404:a800::/64
2a01:111:f404:a801::/64
2a01:111:f404:c0b::/64
2a01:111:f404:c0c::/64
2a01:111:f406:2400::/64
2a01:111:f406:2401::/64
2a01:111:f406:402::/64
2a01:111:f406:403::/64

(Back to top | Office 365 portal and shared | Office 365 authentication and identity | Exchange Online | Skype for Business Online | SharePoint Online | Office 365 Video | Exchange Online Protection (EOP) | Office 365 remote analyzer tools | Office Clients | Office Online | Yammer | Sway | Planner)

SharePoint Online and OneDrive for Business

To use SharePoint Online or OneDrive for Business, you must be able to connect to the endpoints marked required below. If your organization uses Exchange Hybrid, Delve, or is migrating email to Office 365, you'll find the associated endpoints below.

Row

Purpose

Source | Credentials

Destination

CDN

ExpressRoute for Office 365

Destination IP

Destination Port

1

Required: Authentication and identity

See Office 365 authentication and identity

2

Required: Portal and shared

See Office 365 portal and shared including the well known certificate root CRLs.

3

Required: Office Online

See Office Online

4

Required: SharePoint Online and associated applications

Client Computer | Logged on user

*.sharepoint.com

<tenant>.sharepoint.com1

<tenant>-my.sharepoint.com1

<tenant>-files.sharepoint.com1

<tenant>-myfiles.sharepoint.com1

No

Yes

SharePoint Online IP Ranges.

TCP 80 & 443

5

Required: CDNs for SharePoint Online and associated applications

Client Computer | Logged on user

*.sharepointonline.com

cdn.sharepointonline.com

Static.sharepointonline.com

prod.msocdn.com

spoprod-a.akamaihd.net

Microsoft & Akamai

No

6

Required: SharePoint Online inbound mail

SharePoint Online IP Ranges | N/A

Customer environment

No

Yes

Customer environment

TCP 25

7

Required: OneDrive for Business update verification and download

Client Computer | Logged on user

oneclient.sfx.ms

Akamai

No

N/A

TCP 80 & 443

8

Required: OneDrive for Business: Determines consumer v commercial

Client Computer | Logged on user

https://officeclient.microsoft.com/config16

http://odc.officeapps.live.com/odc/emailhrd

No

No

N/A

TCP 80 & 443

9

Required: OneDrive for Business: Oauth login with AAD

Client Computer | Logged on user

login.microsoftonline.com

No

Yes

N/A

TCP 443

10

Required: Client push notification

Client Computer | Logged on user

wns.windows.com

No

No

N/A

TCP 443

11

Optional: OneDrive for Business: supportability and telemetry

Client Computer | Logged on user

ssw.live.com

mobile.pipe.aria.microsoft.com

watson.telemetry.microsoft.com

No

No

N/A

TCP 443

12

Optional: OneDrive for Business: Office integration

Client Computer | Logged on user

nexus.officeapps.live.com

No

No

N/A

TCP 443

13

Optional: APIs to allow users to get help and retrieve logs to diagnose.

Client Computer | Logged on user

storage.live.com/clientLogs

storage.live.com/sendFeedback

No

No

N/A

TCP 443

14

Optional: embedded email links

Client Computer | Logged on user

click.email.microsoftonline.com

No

No

N/A

TCP 443

1 This FQDN needs to be in your client's IE Trusted Sites Zone for Explorer View to function.

Note: ExpressRoute for Office 365 currently does not support IPv6. Customers not using ExpressRoute will want to ensure both IP lists below are reachable over the internet.

SharePoint Online IPv4 endpoints routable through the Internet and ExpressRoute

SharePoint Online IPv6 endpoints routable through the Internet only

13.107.6.150/31
13.107.9.150/31
40.108.0.0/19
40.108.128.0/17
104.146.0.0/19
104.146.128.0/17
134.170.200.0/21
134.170.208.0/21
191.232.0.0/23
191.234.128.0/21
191.235.0.0/20
2620:1ec:a92::150
2620:1ec:4::150
2620:1ec:6::129 
2a01:111:f402::/48
2801:80:1d0:1400::/54

(Back to top | Office 365 portal and shared | Office 365 authentication and identity | Exchange Online | Skype for Business Online | SharePoint Online | Office 365 Video | Exchange Online Protection (EOP) | Office 365 remote analyzer tools | Office Clients | Office Online | Yammer | Sway | Planner)

Office 365 Video

To use Office 365 Video, you must be able to connect to the endpoints marked required below.

Row

Purpose

Source | Credentials

Destination

CDN

ExpressRoute for Office 365

Destination IP

Destination Port

1

Required: Authentication and identity

See Office 365 authentication and identity

2

Required: Portal and shared

See Office 365 portal and shared including the well known certificate root CRLs.

3

Required: SharePoint Online endpoints listed above as required

See SharePoint Online

4

Required: Office 365 Video

Client Computer | Logged on user

*.keydelivery.mediaservices.windows.net

*.streaming.mediaservices.windows.net

Azure Media Services

Uses Azure Media Services 1

N/A

TCP 443

5

Required: Office 365 Video

Client Computer | Logged on user

ajax.aspnetcdn.com

Yes

No

N/A

TCP 443

6

Required: Office 365 Video

Client Computer | Logged on user

r3.res.outlook.com

Akamai

No

N/A

TCP 443

7

Required: Office 365 Video

Client Computer | Logged on user

spoprod-a.akamaihd.net

Akamai

No

N/A

TCP 443

1 See additional information about supported services over Azure ExpressRoute and the Public peering path.

(Back to top | Office 365 portal and shared | Office 365 authentication and identity | Exchange Online | Skype for Business Online | SharePoint Online | Office 365 Video | Exchange Online Protection (EOP) | Office 365 remote analyzer tools | Office Clients | Office Online | Yammer | Sway | Planner)

OneNote

To use OneNote, you must be able to connect to the endpoints marked required below.

Row

Purpose

Source | Credentials

Destination

CDN

ExpressRoute for Office 365

Destination IP

Destination Port

1

Required: Authentication and identity

See Office 365 authentication and identity

2

Required: Portal and shared

See Office 365 portal and shared including the well known certificate root CRLs.

3

Required: SharePoint Online endpoints listed above as required

See SharePoint Online

4

Required: OneNote notebooks

OneNote | Logged on user

www.onenote.com

No

No

OneNote Online IP Addresses.

TCP 443

5

Required: OneNote notebooks (wildcards)

OneNote | Logged on user

*.onenote.com

No

No

OneNote Online IP Addresses.

TCP 443

*.msecnd.net

*.microsoft.com

*.office.net

No

No

N/A

TCP 443

6

Required: OneNote notebooks

OneNote | Logged on user

cdn.onenote.net

Akamai

No

N/A

TCP 443

7

Required: OneNote supporting services

OneNote | Logged on user

cdn.optimizely.com

Ajax.aspnetcdn.com

apis.live.net

www.onedrive.com

Yes (Varies)

No

N/A

TCP 443

8

Optional: OneNote supporting services

OneNote | Logged on user

www.youtube.com

ad.atdmt.com

*.facebook.*

s.ytimg.com

Yes (Varies)

No

N/A

TCP 443

OneNote IPv4 endpoints routable through the Internet only

13.73.106.160/32
13.75.158.234/32
13.78.58.132/32
13.79.161.29/32
13.82.54.72/32
13.93.219.105/32
40.74.129.10/32
40.118.97.54/32
52.172.158.178/32
104.41.35.170/32
104.211.163.139/32

(Back to top | Office 365 portal and shared | Office 365 authentication and identity | Exchange Online | Skype for Business Online | SharePoint Online | Office 365 Video | Exchange Online Protection (EOP) | Office 365 remote analyzer tools | Office Clients | Office Online | Yammer | Sway | Planner)

Office Online

To use Office Online, you must be able to connect to the endpoints marked required below.

Row

Purpose

Source |Credentials

Destination

CDN

ExpressRoute for Office 365

Destination IP

Destination Port

1

Required: Authentication and identity

See Office 365 authentication and identity

2

Required: Portal and shared

See Office 365 portal and shared including the well known certificate root CRLs.

3

Required: Office Online

Client Computer | Logged on user

*.officeapps.live.com

No

Yes

Office Online IP Ranges.

TCP 443

4

Required: Content Delivery Network for Office Web Apps

Client Computer | Logged on user

*.cdn.office.net

Akamai

No

N/A

TCP 443

Note: The wildcard for officeapps.live.com represents a long list of nodes such as excel.officeapps.live.com that are used for Office Online.

Note: ExpressRoute for Office 365 currently does not support IPv6

Office Web Apps IPv4 endpoints routable through the Internet and ExpressRoute

Office Web Apps IPv6 endpoints routable through the Internet only

13.69.187.20/32
13.70.184.242/32
13.71.155.176/32
13.75.153.216/32
13.76.140.48/32
13.78.114.39/32
13.85.84.102/32
13.88.248.161/32
13.88.254.212/32
13.94.209.165/32
23.103.183.15/32
40.68.166.51/32
40.74.130.243/32
40.74.138.42/32
40.76.54.124/32
40.86.230.88/32
40.114.192.209/32
40.117.226.146/32
40.126.236.216/32
40.127.79.139/32
52.169.109.48/32
52.172.13.171/32
52.172.153.104/32
52.175.25.142/32
52.232.128.169/32
104.40.225.204/32
104.41.62.54/32
104.211.103.207/32
104.211.229.230/32
104.214.38.136/32
104.215.194.17/32
134.170.27.86/32
134.170.48.20/32
134.170.48.22/32
134.170.65.86/32
134.170.170.86/32
137.116.172.39/32
137.135.65.72/32
191.235.87.181/32
191.237.40.220/32
2a01:111:f406:8800::/64
2a01:111:f406:400::/64
2a01:111:f406:1c01::/64
2a01:111:f406:9400::/64
2a01:111:f406:2402::/64
2a01:111:f406:a804::/64 
2a01:111:f406:b401::/64
2620:1ec:c11::204
2a01:111:202c::204
2620:1ec:c11::205
2a01:111:202c::205

(Back to top | Office 365 portal and shared | Office 365 authentication and identity | Exchange Online | Skype for Business Online | SharePoint Online | Office 365 Video | Exchange Online Protection (EOP) | Office 365 remote analyzer tools | Office Clients | Office Online | Yammer | Sway | Planner)

Yammer

To use Yammer, you must be able to connect to the endpoints marked required below.

Row

Purpose

Source | Credentials

Destination

CDN

ExpressRoute for Office 365

Destination IP

Destination Port

1

Required: Authentication and identity

See Office 365 authentication and identity

2

Required: Portal and shared

See Office 365 portal and shared including the well known certificate root CRLs.

3

Required: Yammer

Client Computer | Logged on user

*.yammer.com1

*.yammerusercontent.com1

No

No

Yammer IP Ranges.

TCP 443

4

Required: Yammer

Client Computer | Logged on user

*.assets-yammer.com1

Varies

No

N/A

TCP 443

5

Optional: Document, video, & image storage/rendering

Client Computer | Logged on user

ajax.googleapis.com

*.cloudfront.net

No

No

N/A

TCP 443

1 This FQDN needs to be in your client's IE Trusted Sites Zone to function.

Note: The wildcard for yammer.com represents a long list of nodes that are exclusively used for Office 365.

Yammer IPv4 endpoints routable through the Internet only

13.107.6.158/31
13.107.9.158/31
134.170.148.0/22

(Back to top | Office 365 portal and shared | Office 365 authentication and identity | Exchange Online | Skype for Business Online | SharePoint Online | Office 365 Video | Exchange Online Protection (EOP) | Office 365 remote analyzer tools | Office Clients | Office Online | Yammer | Sway | Planner)

Sway

To use Sway, you must be able to connect to the endpoints marked required below.

Row

Purpose

Source | Credentials

Destination

CDN

ExpressRoute for Office 365

Destination IP

Destination Port

1

Required: Authentication and identity

See Office 365 authentication and identity

2

Required: Portal and shared

See Office 365 portal and shared including the well known certificate root CRLs.

3

Required: Sway

Client Computer | Logged on user

sway.com

www.sway.com

eus-www.sway.com

eus-000.www.sway.com

eus-001.www.sway.com

eus-002.www.sway.com

eus-003.www.sway.com

eus-004.www.sway.com

eus-005.www.sway.com

eus-006.www.sway.com

eus-007.www.sway.com

eus-008.www.sway.com

eus-009.www.sway.com

eus-00a.www.sway.com

eus-00b.www.sway.com

eus-00c.www.sway.com

eus-00d.www.sway.com

eus-00e.www.sway.com

wus-www.sway.com

wus-000.www.sway.com

wus-001.www.sway.com

wus-002.www.sway.com

wus-003.www.sway.com

wus-004.www.sway.com

wus-005.www.sway.com

wus-006.www.sway.com

wus-007.www.sway.com

wus-008.www.sway.com

wus-009.www.sway.com

wus-00a.www.sway.com

wus-00b.www.sway.com

wus-00c.www.sway.com

wus-00d.www.sway.com

wus-00e.www.sway.com

No

No

Sway IP Ranges.

TCP 443

4

Required: Sway

Client Computer | Logged on user

eus-www.sway-cdn.com

wus-www.sway-cdn.com

eus-www.sway-extensions.com

wus-www.sway-extensions.com

Akamai

No

N/A

TCP 443

5

Optional: Sway website analytics

Client Computer | Logged on user

c.microsoft.com c1.microsoft.com

prod.msocdn.com

www.google-analytics.com

No

No

N/A

TCP 443

6

Optional: Sway third party content

Client Computer | Logged on user

Access to third party content such as Bing, Flickr, and so on.

No

No

N/A

TCP 443

Sway IPv4 endpoints routable through the Internet only

40.76.22.51
40.76.30.255
40.76.213.143
40.76.216.125
40.76.221.181
40.76.222.175
40.83.185.108
40.114.8.214
40.114.14.121
40.114.15.142
40.114.45.182
40.114.40.12
40.114.51.204
40.114.51.239
40.118.210.94
40.112.188.120
40.118.131.134
40.118.135.86
40.118.131.27
40.118.209.10
104.41.155.129
104.210.43.160
137.135.51.71
137.135.52.204
138.91.155.70
138.91.159.117
138.91.160.172
138.91.245.66

(Back to top | Office 365 portal and shared | Office 365 authentication and identity | Exchange Online | Skype for Business Online | SharePoint Online | Office 365 Video | Exchange Online Protection (EOP) | Office 365 remote analyzer tools | Office Clients | Office Online | Yammer | Sway | Planner)

Planner

To use Planner, you must be able to connect to the endpoints marked required below.

Row

Purpose

Source | Credentials

Destination

CDN

ExpressRoute for Office 365

Destination IP

Destination Port

1

Required: Authentication and identity

See Office 365 authentication and identity

2

Required: Portal and shared

See Office 365 portal and shared including the well known certificate root CRLs.

3

Required: Planner

Browser/ authenticated user

tasks.office.com

controls.office.com

cus-000.tasks.osi.office.net

ea-000.tasks.osi.office.net

eus-zzz.tasks.osi.office.net

neu-000.tasks.osi.office.net

sea-000.tasks.osi.office.net

weu-000.tasks.osi.office.net

wus-000.tasks.osi.office.net

No

No

Planner IP Ranges.

TCP 443

4

Required: Planner

Browser/ authenticated user

outlook.office365.com

www.outlook.com

No

Yes

Exchange Online IP ranges & Portal and shared IP ranges.

TCP 443

5

Required: Planner

Browser/ authenticated user

clientlog.portal.office.com

No

No

Portal and shared IP ranges.

TCP 443

6

Required: Planner CDNs

Browser/ authenticated user

ajax.aspnetcdn.com

prod.msocdn.com

Akamai

No

N/A

TCP 443

Planner IPv4 endpoints routable through the Internet only

13.107.6.160/32
13.107.9.160/32
23.97.56.236/32
23.97.78.215/32
40.76.80.180/32
40.112.223.206/32
40.127.139.229/32
104.40.214.0/32
104.43.235.252/32

(Back to top | Office 365 portal and shared | Office 365 authentication and identity | Exchange Online | Skype for Business Online | SharePoint Online | Office 365 Video | Exchange Online Protection (EOP) | Office 365 remote analyzer tools | Office Clients | Office Online | Yammer | Sway | Planner)

Office clients

To use this application, you must be able to connect to the endpoints described below. To see the IP addresses, expand the IP address section below the table describing the traffic flow.

If you’re interested in bypassing the CDN for your deployment, you can build an internal installation point.

Row

Purpose

Source | Credentials

Destination

CDN

ExpressRoute for Office 365

Destination IP

Destination Port

1

Required: Authentication and identity

See Office 365 authentication and identity

2

Required: This url is needed to renew the product key approximately every 30 days

Office client only | Local system

activation.sls.microsoft.com

No

No

N/A

TCP 443

3

Required: This URL is required to validate certificates during activation

Office client only | Local system

crl.microsoft.com

No

No

N/A

TCP 80 & 443

4

Required: Required for identity and configuration services

Office client only | Local system

odc.officeapps.live.com

Microsoft & Akamai

No

Office 365 ProPlus IP Ranges and CDN IP addresses not provided.

TCP 443

5

Required: This URL is the Office Licensing Service, which is used during activation and subscription maintenance

Office client only | Local system

ols.officeapps.live.com

Microsoft & Akamai

No

Office 365 ProPlus IP Ranges and CDN IP addresses not provided.

TCP 443

6

Required: Runtime client configuration.

Office client only | Local system

office15client.microsoft.com

officeclient.microsoft.com

Microsoft & Akamai

No

Office 365 ProPlus IP Ranges and CDN IP addresses not provided.

TCP 443

7

Required: These FQDNs are required to support in-app redirection.

Office client only | Local system

ocsredir.officeapps.live.com

r.office.microsoft.com

officeredir.microsoft.com

o15.officeredir.microsoft.com

officepreviewredir.microsoft.com

No

No

N/A

TCP 80 & 443

8

Required: This FQDN is required to support the recent documents function.

Office client only | Local system

ocws.officeapps.live.com

No

No

N/A

TCP 443

9

Required: Contains Office 365 ProPlus source media used for installation and/or updates. If automatic updates are configured in the default settings, the local system account is used when downloading updates.

Office client only | Logged on user

officecdn.microsoft.com

officecdn.microsoft.com.edgesuite.net

officecdn.microsoft.com.edgekey.net

Microsoft & Akamai

No

N/A

TCP 80 & 443

10

Required: In-app help.

Office client only | Anonymous

ocsa.officeapps.live.com

Microsoft & Akamai

No

N/A

TCP 80 & 443

11

Required: Bing image search.

Office client only | Anonymous

insertmedia.bing.office.net

No

No

N/A

TCP 80 & 443

12

Required: This URL is used to redirect to web content such as online help and error code information.

Office client only | Logged on user

go.microsoft.com

Microsoft & Akamai

No

N/A

TCP 80

Office 365 ProPlus IPv4 endpoints routable through the Internet only

13.107.12.51/32
23.99.56.164/32
23.96.219.115/32
40.76.62.115/32
40.86.88.12/32
40.84.192.103/32
40.113.17.180/32
104.40.208.40/32
104.40.234.17/32
104.210.220.25/32
168.63.234.40/32
191.236.108.93/32
191.236.157.212/32

This is the current list of the FQDNs required for the Outlook App on Android and iOS.

Row

Purpose

Destination

Destination Port

1

Required: Outlook for Android and iOS

*.acompli.net

TCP 443

2

Required: Authentication

outlook.office365.com

sdfpilot.outlook.com

graph.windows.net

api.office.com

secure.aadcdn.microsoftonline-p.com

login.windows.net

login.windows-ppe.net

com.microsoft.office.outlook.dev

go.microsoft.com

mam.manage.microsoft.com

vortex.data.microsoft.com

TCP 443

3

Required: Outlook rest

login.microsoftonline.com

outlook.office.com

TCP 443

4

Required: OneDrive For Business

login.windows.net

TCP 443

5

Required: Consumer Outlook.com and OneDrive integration

login.live.com

auth.gfx.ms

account.live.com

graph.microsoft.com

apis.live.net

TCP 443

6

Required: Google integration

accounts.google.com

mail.google.com

www.googleapis.com

TCP 443

7

Required: Yahoo integration

api.login.yahoo.com

social.yahooapis.com

TCP 443

8

Required: DropBox integration

www.dropbox.com

api.dropboxapi.com

TCP 443

9

Required: Box integration

app.box.com

TCP 443

10

Required: Facebook integration

m.facebook.com

graph.facebook.com

TCP 443

11

Required: Evernote integration

www.evernote.com

TCP 443

12

Required: WunderList integration

www.wunderlist.com

a.wunderlist.com

TCP 443

13

Optional: Outlook Privacy

https://bit.ly/outlookprivacy

https://www.acompli.com/privacy-policy/

TCP 443

14

Optional: User voice integration

by.uservoice.com

outlook.uservoice.com

TCP 443

15

Optional: Log upload integration

api.diagnostics.office.com

TCP 443

16

Optional: Support log upload integration

acompli-android-logs.s3.amazonaws.com

s3-us-west-2.amazonaws.com

TCP 443

17

Optional: Aria log integration

mobile.pipe.aria.microsoft.com

TCP 443

18

Optional: Flurry log integration

data.flurry.com

TCP 443

19

Optional: Adjust integration

app.adjust.com

TCP 443

20

Optional: Hockey log integration

rink.hockeyapp.net

sdk.hockeyapp.net

TCP 443

21

Optional: Helpshift integration

acompli.helpshift.com

TCP 443

22

Optional: Play Store integration (Android only)

play.google.com

TCP 443

This is the current list of Office for iPad URLs. If you’re using allow lists to filter iPad connectivity differently than other computers on your network, you can use just this list of URLs to create those allow lists.

Office for iPad URLs

directory.services.live.com
odc.officeapps.live.com
docs.live.net
roaming.officeapps.live.com
nexus.officeapps.live.com
sqm.microsoft.com
watson.telemetry.microsoft.com
login.live.com
wer.microsoft.com         
*-my.sharepoint.com
login.microsoftonline.com
ms.tific.com
p100-sandbox.itunes.apple.com
signup.live.com
auth.gfx.ms
view.atdmt.com
client.hip.live.com
dc2.client.hip.live.com
c.live.com
go.microsoft.com
office.microsoft.com
officeimg.vo.msecnd.net
m.webtrends.com
account.live.com
c.bing.com
partnerservices.getmicrosoftkey.com
client.hip.live.com
clientconfig.microsoftonline-p.net
cl2.apple.com
sas.office.microsoft.com
foodanddrink.services.appex.bing.com
en-US.appex-rf.msn.com
weather.tile.appex.bing.com

This is the current list of Office Mobile URLs. Office Mobile runs on Android devices, Windows Phones, and iPhones. If you’re filtering your mobile connectivity differently than other computers on your network, you can use just this list of URLs to create those allow lists.

Office Mobile URLs

office15client.microsoft.com
odc.officeapps.live.com
go.microsoft.com
login.microsoftonline.com
odcsm.officeapps.live.com
*-my.sharepoint.com
ms.tific.com
roaming.officeapps.live.com
o15.officeredir.microsoft.com
office.microsoft.com
officeimg.vo.msecnd.net
m.webtrends.com
d.docs.live.net
login.live.com
auth.gfx.ms
wer.microsoft.com
*.appex.bing.com
*.appex-rf.msn.com
appexsin.stb.s-msn.com
*.acompli.net
outlook.office365.com
sdfpilot.outlook.com
graph.windows.net
api.office.com
secure.aadcdn.microsoftonline-p.com
login.windows.net
login.windows-ppe.net
com.microsoft.office.outlook.dev
go.microsoft.com
mam.manage.microsoft.com
vortex.data.microsoft.com
login.microsoftonline.com
outlook.office.com
login.windows.net
login.live.com
auth.gfx.ms
account.live.com
graph.microsoft.com
apis.live.net
accounts.google.com
mail.google.com
www.googleapis.com
api.login.yahoo.com
social.yahooapis.com
www.dropbox.com
api.dropboxapi.com
app.box.com
m.facebook.com
graph.facebook.com
www.evernote.com
www.wunderlist.com
a.wunderlist.com
bit.ly/outlookprivacy
www.acompli.com/privacy-policy
by.uservoice.com
outlook.uservoice.com
api.diagnostics.office.com
acompli-android-logs.s3.amazonaws.com
s3-us-west-2.amazonaws.com
mobile.pipe.aria.microsoft.com
data.flurry.com
app.adjust.com
rink.hockeyapp.net
sdk.hockeyapp.net
acompli.helpshift.com
play.google.com

Office 365 remote analyzer tools

To use the Office 365 remote analyzer tools you must be able to connect to the endpoints described below.

Row

Purpose

Source | Credentials

Destination

CDN

ExpressRoute for Office 365

Destination IP

Destination Port

1

Required: Initiate connectivity tests.

Web Browser | Logged on user

testconnectivity.microsoft.com

No

No

Remote Analyzer IP Ranges.

TCP 80 & 443

2

Required: Captcha & support services

Web Browser | Logged on user

client.hip.live.com

wu.client.hip.live.com

support.microsoft.com

No

No

N/A

TCP 80 & 443

3

Required: Execution of the tests selected by the customer.

testconnectivity.microsoft.com | Provided by customer on the testconnectivity website

On-premises systems for email and collaboration.

No

No

Customer IP ranges

80, 443, 25, POP3 on (110, 995, or Custom), IMAP4 on (143, 993, or Custom)

4

Required: Certificate revocation lists

Web Browser | Logged on user

See well known certificate root CRLs in the table below.

No

No

N/A

TCP 80 & 443

Office 365 remote analyzer tools endpoints routable through the Internet only

Well known certificate root FQDNs

13.67.59.89/32
40.85.91.8/32
104.208.36.70/32
104.211.54.99/32
104.211.54.134/32
crl.microsoft.com 
evsecure-ocsp.verisign.com
evsecure-aia.verisign.com
evsecure-crl.verisign.com
ocsp.msocsp.com
sa.symcb.com
sd.symcb.com
*.omniroot.com
*.verisign.com
*.symcb.com
*.symcd.com
*.verisign.net
*.geotrust.com
*.entrust.net
*.public-trust.com

(Back to top | Office 365 portal and shared | Office 365 authentication and identity | Exchange Online | Skype for Business Online | SharePoint Online | Office 365 Video | Exchange Online Protection (EOP) | Office 365 remote analyzer tools | Office Clients | Office Online | Yammer | Sway | Planner)

Was this information helpful?

Great! Any other feedback?

How can we improve it?

Thank you for your feedback!

×