
Office 365 URLs and IP address ranges

Summary: This reference article lists every endpoint used by Office 365. If your organization restricts computers on your network from connecting to the Internet, this article lists the endpoints (FQDNs, Ports, URLs, IPv4, and IPv6 address ranges) that you should include in your outbound allow lists to ensure your computers can successfully use Office 365. If you are using Office 365 operated by 21Vianet in China, see URLs and IP address ranges for Office 365 operated by 21Vianet.

Subscribe via RSS to receive notice when URLs and IP addresses are changed. This reference article lists the endpoints for Office 365. Filtering internet traffic requires advanced networking knowledge and isn't suitable for all customers. Additional resources for planning your network connectivity include Office 365 network traffic management, Content delivery networks, and Client connectivity.

Download the XML file for a pure list of the endpoints organized by application.

Warning: IP address filtering alone isn’t a complete solution due to dependencies on Content Delivery Networks (CDNs). The following are some of the reasons to use either FQDNs only or a combination of FQDNs and IP addresses:

  • Some clients such as the Office 365 admin portal or Outlook Web App won’t be able to authenticate without contacting CDNs.

  • CDN, CRL, and other partners don't publish IP addresses.

  • New Office 365 infrastructure won’t become instantly available to client computers.

  • Some firewall providers and security policies don't allow for wildcards.

  • Updates will be required as frequently as weekly.

  • Future non-web based clients may not be able to authenticate.

  • There will be more emergency or retroactive updates.

Tip: If IP address filtering is your only option at the firewall, an automatic proxy configuration file can be used to route the destinations marked below as CDNs through an alternate path, such as through an outbound proxy. See Office 365 network traffic management for help with more complex routing configurations.
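A PAC file for the approach in the tip above, as an added example that is not part of the original article: destinations whose CDN column on this page names a provider go to an outbound proxy, and everything else stays on the direct path where the firewall's IP allow list applies. The proxy address `proxy.example.internal:8080` and the helper names are assumptions, and the host list is only a subset taken from the tables on this page.

```javascript
// Added example PAC file (not from the original article).
// ASSUMPTION: the proxy address is a placeholder; replace it with your own.
var CDN_PROXY = "PROXY proxy.example.internal:8080";

// Subset of destinations whose CDN column on this page names a provider
// (Microsoft, Akamai) instead of "No". Extend it from the tables as needed.
var CDN_DESTINATIONS = [
  "prod.msocdn.com",             // portal and shared, row 3
  "appsforoffice.microsoft.com", // portal and shared, row 3
  "xsi.outlook.com",             // Exchange Online, row 7
  "r1.res.office365.com",        // Exchange Online, row 7
  "r3.res.office365.com",        // Exchange Online, row 7
  "r4.res.office365.com",        // Exchange Online, row 7
  "r3.res.outlook.com",          // Exchange Online, row 16 (Delve)
  "*.msecnd.net",                // authentication and identity, row 3
  "*.sharepointonline.com",      // SharePoint Online, row 5
  "spoprod-a.akamaihd.net"       // SharePoint Online, row 5
];

// Lower-case the host and drop a trailing dot so "Prod.msocdn.com." and
// "prod.msocdn.com" compare equal.
function normalizeHost(host) {
  var h = String(host).toLowerCase();
  if (h.charAt(h.length - 1) === ".") {
    h = h.substring(0, h.length - 1);
  }
  return h;
}

// Exact match, or "*.example.com" matching any subdomain of example.com.
// The suffix keeps its leading dot, so "evilmsecnd.net" does not match
// "*.msecnd.net", and the bare domain itself is not matched either.
function hostMatches(host, pattern) {
  var h = normalizeHost(host);
  var p = pattern.toLowerCase();
  if (p.substring(0, 2) === "*.") {
    var suffix = p.substring(1);
    return h.length > suffix.length &&
           h.substring(h.length - suffix.length) === suffix;
  }
  return h === p;
}

function isCdnDestination(host) {
  for (var i = 0; i < CDN_DESTINATIONS.length; i++) {
    if (hostMatches(host, CDN_DESTINATIONS[i])) {
      return true;
    }
  }
  return false;
}

// Entry point called by the browser or OS for every request.
// Written in ES3-style JavaScript and without PAC built-ins so it also
// loads in older PAC engines and in a plain JavaScript runtime for testing.
function FindProxyForURL(url, host) {
  if (isCdnDestination(host)) {
    return CDN_PROXY;   // CDN hosts publish no IP ranges: send via the proxy
  }
  return "DIRECT";      // everything else: direct path, filtered by IP at the firewall
}
```

Because the matching is by FQDN, the file needs updating whenever the CDN-marked rows in the tables change.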

Most changes are made 14-30 days ahead of the endpoint being used. We understand that emergency changes with less notice are difficult to manage and strive to make these infrequently. If possible, use FQDN filtering instead of IP filtering to reduce the impact of emergency changes. Subscribe to the RSS feed to have notifications pushed to you. Here is how to subscribe via Outlook or you can have the RSS feed updates emailed to you.

Some of our services do overlap with one another and you will notice the overlap or duplication in the lists of endpoints. There is also some domain name overlapping with our consumer services; while the root domain name is the same, Office 365 operates from a separate sub-domain. If you’re going to add IP addresses to your allow lists, keep in mind that IPv6 is optional and not required. We provide it here for customers who wish to use IPv6.

Note: The endpoints listed as a Yes in the ExpressRoute for Office 365 column are available both over the internet and over ExpressRoute with Microsoft peering configured. Some services that Office 365 leverages are also available with Public peering configured and those are noted here; however, Public peering is not required to use ExpressRoute with Office 365 for the Office 365 applications supported over ExpressRoute.

Office 365 portal and shared

The endpoints listed in this section are only to support the portal and shared services portion of Office 365. You’ll want to add these along with the endpoints for each of the workloads you’re deploying on your network.

| Row | Purpose | Source / Credentials | Destination | CDN | ExpressRoute for Office 365 | Destination IP | Destination Port |
|---|---|---|---|---|---|---|---|
| 1 | Required: Office 365 Portal | Client Computer / Logged on user | *.office365.com | No | No | Portal and shared IP ranges. | TCP 443 |
| 2 | Required: Office 365 Portal | Client Computer / Logged on user | Home.Office.com; Portal.Office.com; agent.office.net; www.office.com; outlook.office365.com | No | Yes | Portal and shared IP ranges & Exchange Online IP ranges. | TCP 443 |
| | | | portal.microsoftonline.com | No | No | Portal and shared IP ranges. | TCP 443 |
| 3 | Required: CDNs used for portal and shared | Client Computer / Logged on user | Prod.msocdn.com; appsforoffice.microsoft.com | Microsoft and Akamai | No | N/A | TCP 443 |
| 4 | Required: Shared infrastructure | Client Computer / Logged on user | Clientlog.portal.office.com; Nexus.officeapps.live.com; nexusrules.officeapps.live.com | Various | No | Portal and shared IP ranges. | TCP 443 |
| 5 | Required: Certificate revocation lists | Client Computer / Logged on user | See well known certificate root CRLs in the table below. | No | No | N/A | TCP 80 & 443 |
| 6 | Required: Some Office 365 features require endpoints within these domains. | Client Computer / Logged on user | *.onmicrosoft.com; *.microsoft.com; *.office.com; *.msedge.net; *.office.net; *.live.com; *.msocdn.com | No | No | N/A | TCP 443 |
| 7 | Optional: Shared help and support | Client Computer / Logged on user | support.office.com; products.office.com; technet.microsoft.com | Various | No | N/A | TCP 80 & 443 |
| 8 | Optional: Deprecated FQDNs | Client Computer / Logged on user | *.glbdns.microsoft.com | No | No | N/A | TCP 80 & 443 |
| 9 | Optional: Azure Rights Management | Client Computer / Logged on user | *.aadrm.com; *.azurerms.com; ecn.dev.virtualearth.net | No | No | N/A | TCP 443 |
| | | | *.cloudapp.net [2] | No | Varies [3] | N/A | TCP 443 |
| 10 | Optional: Microsoft Azure RemoteApp | Client Computer / Logged on user | dc.services.visualstudio.com; liverdcxstorage.blob.core.windowsazure.com; telemetry.remoteapp.windowsazure.com; vortex.data.microsoft.com; www.remoteapp.windowsazure.com | No | Varies [3] | N/A | TCP 443 |
| 11 | Optional: Office 365 Management Pack for Operations Manager | Customer Operations Manager environment / Machine [1] Account | office365servicehealthcommunications.cloudapp.net | No | Varies [3] | N/A | TCP 443 |
| 12 | Optional: Import Service for PST and file ingestion | | Refer to the Azure Import/Export Service documentation for additional requirements. | | | | |
| 13 | Optional: Cloud App Security | Client Computer / Logged on user | *.Portal.cloudappsecurity.com | No | No | 104.42.231.28 104.209.35.177 13.91.98.185 | TCP 443 |
| 14 | Optional: Security and Compliance export | Client Computer / Logged on user | protection.office.com; *.blob.core.windows.net; office365zoom.cloudapp.net; equivioprod*.cloudapp.net; zoom-cs-prod*.cloudapp.net; equivio.office.com | No | Varies [3] | N/A | TCP 443 |

[1] Keep in mind that Machine accounts won’t work with proxies that require outbound authentication.

[2] Azure Rights Management Office 2010 Clients Only.

[3] See additional information about supported services over Azure ExpressRoute and the Public peering path.

(Back to top | Office 365 portal and shared | Office 365 authentication and identity | Exchange Online | Skype for Business Online | SharePoint Online | Exchange Online Protection (EOP) | Office 365 remote analyzer tools | Office 365 ProPlus | Office Online | Yammer | Sway | Planner)


Note: ExpressRoute for Office 365 currently does not support IPv6. Customers not using ExpressRoute will want to ensure both IP lists below are reachable over the internet.

Office 365 portal and shared IPv4 endpoints routable through the Internet and ExpressRoute

Office 365 portal and shared IPv4 endpoints routable through the Internet only

Office 365 portal and shared IPv6 endpoints routable through the Internet only

Office 365 Certificate Revocation List (Root URLs)


Office 365 authentication and identity

To use this application, you must be able to connect to the endpoints described below. To see the IP addresses, expand the IP address section below the table describing the traffic flow.

If you’re using Active Directory Federation Services (AD FS) with your deployment, you can also use AD FS client access policies with Windows Server 2012 R2 or client access policies with AD FS 2.0 to further restrict and control access to Office 365.

| Row | Purpose | Source / Credentials | Destination | CDN | ExpressRoute for Office 365 | Destination IP | Destination Port |
|---|---|---|---|---|---|---|---|
| 1 | Required: Portal and shared | | See Office 365 portal and shared including the well known certificate root CRLs. | | | | |
| 2 | Required: Authentication and identity | Client Computer / Logged on user | Login.microsoftonline.com; Login.windows.net; clientconfig.microsoftonline-p.net; hip.microsoftonline-p.net; *.microsoftonline.com | No | Yes | Authentication and Identity IP ranges | TCP 443 |
| | | | *.windows.net; secure.aadcdn.microsoftonline-p.com; *.microsoftonline-p.com; *.microsoftonline-p.net | No | No | N/A | TCP 443 |
| 3 | Optional: Legacy/temporary FQDNs | Client Computer / Logged on user | *.msecnd.net; *.microsoft.com | Akamai and Microsoft | No | N/A | TCP 443 |
| 4 | Optional: Multi-factor authentication (MFA) | Client Computer / Logged on user | account.activedirectory.windowsazure.com; secure.aadcdn.microsoftonline-p.com [3] | No | No | Microsoft Azure Active Directory (MFA) IP and FQDNs | TCP 443 |
| 5 | Optional: DirSync (legacy) | DirSync Server / Machine [1] and Service Account | *.microsoftonline.com; Login.windows.net; provisioningapi.microsoftonline.com; adminwebservice.microsoftonline.com | No | Yes | Authentication and Identity IP ranges | TCP 443 |
| | | | mscrl.microsoft.com | No | No | N/A | TCP 80 & 443 |
| 6 | Optional: Azure AD Connect (recommended) | Azure AD Connect Server / Service Account | *.microsoftonline.com; Login.windows.net; provisioningapi.microsoftonline.com; adminwebservice.microsoftonline.com | No | Yes | Authentication and Identity IP ranges | TCP 443 |
| | | | mscrl.microsoft.com; secure.aadcdn.microsoftonline-p.com [3] | No | No | N/A | TCP 80 & 443 |
| 7 | Optional: Azure AD Connect (w/SSO option) – WinRM & remote powershell | Client Computer / Service Account | Customer STS environment (AD FS Server and AD FS Proxy) / Ports TCP 80 & 443 | No | No | Customer environment | TCP 80 & 443 |
| 8 | Optional: STS such as AD FS Proxy server(s) (for federated customers only) | Client Computer / N/A | Customer STS (such as AD FS Proxy) / Ports TCP 443 or TCP 49443 w/ClientTLS | No | No | Customer environment | TCP 443 or TCP 49443 w/ClientTLS |
| 9 | Optional: AD FS Proxy server(s) (for federated customers only) | Customer AD FS Proxy (WAP) / N/A | Customer AD FS Server (FS) / Port TCP 443 | No | No | Customer environment | TCP 443 |
| 10 | Optional: Azure AD Connect Health | Azure AD Connect Health Server / Service Account | management.azure.com; *.blob.core.windows.net; *.queue.core.windows.net; *.servicebus.windows.net - Port: 5671 (If 5671 is blocked, agent falls back to 443, but using 5671 is recommended.); *.adhybridhealth.azure.com; *.table.core.windows.net; policykeyservice.dc.ad.msft.net; secure.aadcdn.microsoftonline-p.com | Microsoft | Varies [2] | N/A | TCP 443 |
| | | | login.windows.net; login.microsoftonline.com | No | Yes | Authentication and Identity IP ranges | TCP 443 |
| 11 | Optional: Office 365 Management Pack for Operations Manager | Customer Operations Manager environment / Machine [1] Account | office365servicehealthcommunications.cloudapp.net | No | Varies [2] | N/A | TCP 443 |

[1] Keep in mind that Machine accounts won’t work with proxies that require outbound authentication.

[2] See additional information about supported services over Azure ExpressRoute and the Public peering path.

[3] This FQDN needs to be in your client's IE Trusted Sites Zone to function.


Note: ExpressRoute for Office 365 currently does not support IPv6

Office 365 authentication and identity IPv4 endpoints routable through the Internet and ExpressRoute

Office 365 authentication and identity IPv6 endpoints routable through the Internet only


Exchange Online

To use this application, you must be able to connect to the endpoints described below. To see the IP addresses, expand the IP address section below the table describing the traffic flow.

| Row | Purpose | Source / Credentials | Destination | CDN | ExpressRoute for Office 365 | Destination IP | Destination Port |
|---|---|---|---|---|---|---|---|
| 1 | Required: Portal and shared | | See Office 365 portal and shared including the well known certificate root CRLs. | | | | |
| 2 | Required: Authentication and identity | | See Office 365 authentication and identity | | | | |
| 3 | Required: Exchange Online Protection | | See Exchange Online Protection (EOP) | | | | |
| 4 | Required: Client SMTP Relay | Client Computer / Logged on user | smtp.office365.com | No | Yes | Exchange Online IP ranges. | TCP 587 |
| 5 | Required: Exchange Online | Client Computer / Logged on user | outlook.office365.com; *.outlook.office.com | No | Yes | Exchange Online IP ranges. | TCP 80 & 443 |
| 6 | Required: Exchange Online | Client Computer / Logged on user | *.outlook.com | No | No | Exchange Online IP ranges. | TCP 80 & 443 |
| 7 | Required: Exchange Online | Client Computer / Logged on user | xsi.outlook.com; r1.res.office365.com; r3.res.office365.com; r4.res.office365.com | Akamai | No | N/A | TCP 80 & 443 |
| 8 | Optional: Exchange Hybrid Only | Existing Exchange Client Access Servers and Mailbox Servers / Machine account [1] | outlook.office365.com; *.outlook.office.com | No | Yes | Exchange Online IP ranges. | TCP 80 & 443 |
| 9 | Optional: Exchange Hybrid Co-existence | Exchange Online IP ranges / N/A | Customer on-premise Exchange | No | Yes | Customer IP | TCP 80 & 443 |
| 10 | Optional: Exchange Hybrid Proxy Authentication | Exchange Online IP ranges / N/A | Customer on-premise STS | No | Yes | Customer IP | TCP 80 & 443 |
| 11 | Optional: Used to configure Exchange Hybrid, using the Exchange Hybrid Configuration Wizard. Note: These endpoints are only required to configure Exchange hybrid. Rows 8-10 describe the ongoing traffic. | Existing Exchange service / N/A | hybridconfiguration.azurewebsites.net; *.hybridconfiguration.azurewebsites.net; *.Blob.core.Windows.Net | No | Varies [3] | 65.55.39.128/25; 65.55.181.128/25; 207.46.150.128/25; 207.46.164.0/24; 207.46.203.128/26 | TCP 80 & 443 |
| | | | Domains.live.com [2] | No | Yes | 65.55.79.128/25 | TCP 80 & 443 |
| 12 | Optional: Exchange Online IMAP4 migration | IMAP4 Service / N/A | outlook.office365.com; *.outlook.office.com | No | Yes | Exchange Online IP ranges. | TCP 143/993 |
| 13 | Optional: Exchange Online POP3 migration | POP3 Service / N/A | outlook.office365.com; *.outlook.office.com | No | Yes | Exchange Online IP ranges. | TCP 995 |
| 14 | Optional: All other Exchange Online migration tools | Existing Exchange service (EWS or MRS) / N/A | outlook.office365.com; *.outlook.office.com | No | Yes | Exchange Online IP ranges. | TCP 80 & 443 |
| 15 | Optional: Required for Delve | Client Computer / Logged on user | Delve.office.com | No | No | Exchange Online IP ranges. | TCP 80 & 443 |
| 16 | Optional: Required for Delve | Client Computer / Logged on user | r3.res.outlook.com | Akamai | No | N/A | TCP 80 & 443 |

[1] Keep in mind that Machine accounts won’t work with proxies that require outbound authentication.

[2] Only required for Exchange 2010 SP3 Hybrid Configuration Wizard.

[3] See additional information about supported services over Azure ExpressRoute and the Public peering path.


Note: ExpressRoute for Office 365 currently does not support IPv6

Exchange Online IPv4 endpoints routable through the Internet and ExpressRoute

Exchange Online IPv6 endpoints routable through the Internet only


Skype for Business Online

To use Skype for Business Online, you must be able to connect to the endpoints described below. To enable authentication, the endpoints listed in the Office 365 authentication and identity section must be reachable. Similarly, for shared infrastructure and portal services, the endpoints in the portal and shared section must be reachable. These are rows one and two respectively. Once the required endpoints in these tables are reachable, ensure the endpoints in the Skype for Business Online table below are reachable. To see the IP addresses, expand the IP address section below the table describing the traffic flow.

| Row | Purpose | Source / Credentials | Source Port | Destination | CDN | ExpressRoute for Office 365 | Destination IP | Destination Port |
|---|---|---|---|---|---|---|---|---|
| 1 | Required: Authentication and identity | | | See Office 365 authentication and identity | | | | |
| 2 | Required: Portal and shared | | | See Office 365 portal and shared | | | | |
| 3 | Required: SIP signaling | Client Computer / Logged on user | Ephemeral ports | *.Lync.com | No | Yes | Skype for Business IP ranges. | TCP 443 |
| 4 | Required: Persistent Shared Object Model (PSOM) connections web conferencing | Client Computer / Logged on user | Ephemeral ports | *.Lync.com | No | Yes | Skype for Business IP ranges. | TCP 443 |
| 5 | Required: HTTPS downloads | Client Computer / Logged on user | Ephemeral ports | *.Lync.com | No | Yes | Skype for Business IP ranges. | TCP 443 |
| 6 | Required: Audio | Client Computer / Logged on user | TCP/UDP 50,000-50019 | *.Lync.com | No | Yes | Skype for Business IP ranges. | TCP 443, UDP 3478, 3479, 3480, & 3481, TCP/UDP 50,000-59,999 |
| 7 | Required: Video | Client Computer / Logged on user | TCP/UDP 50,020-50039 | *.Lync.com | No | Yes | Skype for Business IP ranges. | TCP 443, UDP 3478, 3479, 3480, & 3481, TCP/UDP 50,000-59,999 |
| 8 | Required: Desktop sharing | Client Computer / Logged on user | TCP/UDP 50,040-50059 | *.Lync.com | No | Yes | Skype for Business IP ranges. | TCP 443, UDP 3478, 3479, 3480, & 3481, TCP/UDP 50,000-59,999 |
| 9 | Required: Lync Mobile push notifications for Lync Mobile 2010 on iOS devices. You don't need this for Android, Nokia Symbian or Windows Phone mobile devices. | Client Computer / Logged on user | Ephemeral ports | *.Lync.com | No | Yes | Skype for Business IP ranges. | TCP 5223 |
| 10 | Required: Skype Telemetry | Client Computer / Logged on user | Ephemeral ports | skypemaprdsitus.trafficmanager.net; pipe.skype.com | No | No | N/A. | TCP 443 |
| 11 | Required: Skype client quicktips | Client Computer / Logged on user | Ephemeral ports | quicktips.skypeforbusiness.com | No | No | N/A. | TCP 443 |
| 12 | Optional: Federation with Skype and public IM connectivity: Contact picture retrieval | Client Computer / Logged on user | Ephemeral ports | *.api.skype.com; *.users.storage.live.com | No | No | N/A. | TCP 443 |
| 13 | Optional: Federation with Skype and public IM connectivity: Skype Search | Client Computer / Logged on user | Ephemeral ports | Graph.skype.com | No | No | N/A. | TCP 443 |

To use Skype Meeting Broadcast, the following endpoints need to be accessible to client computers.

| Row | Purpose | Source / Credentials | Destination | CDN | ExpressRoute for Office 365 | Destination IP | Destination Port |
|---|---|---|---|---|---|---|---|
| 1 | Required: For all Skype functionality, the entries are labeled "required". | | See Skype for Business Online. | | | | |
| 2 | Required: Skype Meeting Broadcast | Client computer / logged on user | broadcast.skype.com; *.broadcast.skype.com; *.infra.lync.com | None | No | N/A | TCP 443 |
| 3 | Required: Skype Meeting Broadcast | Client computer / logged on user | aka.ms | None | No | N/A | TCP 80 & 443 |
| | | | *.microsoftonline.com | None | Yes | Authentication and Identity IP ranges | TCP 443 |

Note: The wildcard for Lync.com and broadcast.skype.com represents a long list of nodes that are exclusively used for Office 365.


Note: ExpressRoute for Office 365 currently does not support IPv6

Skype for Business Online IPv4 endpoints routable through the Internet and ExpressRoute

Skype for Business Online IPv6 endpoints routable through the Internet only


SharePoint Online

To use this application, you must be able to connect to the endpoints described below. To see the IP addresses, expand the IP address section below the table describing the traffic flow.

This list also applies to many of the new applications that are dependent on SharePoint Online, such as Project Online and Office 365 Video. The Yammer endpoints are listed separately.

| Row | Purpose | Source | Credentials | Destination | CDN | ExpressRoute for Office 365 | Destination IP | Destination Port |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | Required: Authentication and identity | See Office 365 authentication and identity | | | | | | |
| 2 | Required: Portal and shared | See Office 365 portal and shared including the well known certificate root CRLs. | | | | | | |
| 3 | Required: Office Online | See Office Online | | | | | | |
| 4 | Required: SharePoint Online and associated applications | Client Computer | Logged on user | *.sharepoint.com, <tenant>.sharepoint.com [1], <tenant>-my.sharepoint.com [1], <tenant>-files.sharepoint.com [1], <tenant>-myfiles.sharepoint.com [1] | No | Yes | SharePoint Online IP Ranges. | TCP 80 & 443 |
| 5 | Required: CDNs for SharePoint Online and associated applications | Client Computer | Logged on user | *.sharepointonline.com, Cdn.sharepointonline.com, Static.sharepointonline.com, Prod.msocdn.com, Spoprod-a.akamaihd.net | Microsoft & Akamai | No | N/A | TCP 80 & 443 |
| 6 | Required: SharePoint Online inbound mail | SharePoint Online IP Ranges | N/A | Customer environment | No | Yes | Customer environment | TCP 25 |

[1] This FQDN needs to be in your client's IE Trusted Sites Zone to function.

To use Office 365 Video, the following endpoints need to be accessible to client computers.

| Row | Purpose | Source | Credentials | Destination | CDN | ExpressRoute for Office 365 | Destination IP | Destination Port |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | Required: SharePoint Online endpoints listed above as required | See SharePoint Online | | | | | | |
| 2 | Optional: Required for Office 365 Video | Client Computer | Logged on user | *.keydelivery.mediaservices.windows.net, *.streaming.mediaservices.windows.net | No | Yes (Azure Media Services) [1] | N/A | TCP 443 |
| 3 | Optional: Required for Office 365 Video | Client Computer | Logged on user | ajax.aspnetcdn.com | Yes | No | N/A | TCP 443 |
| 4 | Optional: Required for Office 365 Video | Client Computer | Logged on user | r3.res.outlook.com | Akamai | No | N/A | TCP 443 |
| 5 | Optional: Required for Office 365 Video | Client Computer | Logged on user | Spoprod-a.akamaihd.net | Akamai | No | N/A | TCP 443 |

[1] See additional information about supported services over Azure ExpressRoute and the Public peering path.

To use OneNote, the following endpoints need to be accessible to client computers.

| Row | Purpose | Source | Credentials | Destination | CDN | ExpressRoute for Office 365 | Destination IP | Destination Port |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | Required: SharePoint Online endpoints listed above as required | See SharePoint Online | | | | | | |
| 2 | Optional: Required for OneNote notebooks | OneNote | Logged on user | www.onenote.com | No | No | SharePoint Online IP Ranges. | TCP 443 |
| 3 | Optional: Required for OneNote notebooks | OneNote | Logged on user | cdn.onenote.net | Akamai | No | N/A | TCP 443 |

Expand to see the SharePoint Online IP Addresses

Note: ExpressRoute for Office 365 currently does not support IPv6. Customers not using ExpressRoute will want to ensure both IP lists below are reachable over the internet.

SharePoint Online IPv4 endpoints routable through the Internet and ExpressRoute

OneNote IPv4 endpoints routable through the Internet only

SharePoint Online IPv6 endpoints routable through the Internet only


Exchange Online Protection (EOP)

To use this application, you must be able to connect to the endpoints described below. To see the IP addresses, expand the IP address section below the table describing the traffic flow.

| Row | Purpose | Source | Credentials | Source Port | Destination | CDN | ExpressRoute for Office 365 | Destination IP | Destination Port |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | Required: Authentication and identity | See Office 365 authentication and identity | | | | | | | |
| 2 | Required: EOP | Client Computer | Logged on user | TCP 80 & 443 | *.protection.outlook.com | No | Yes | See Exchange Online Protection IP Addresses | TCP 443 |
| 3 | Required: Send email | Existing email environment | N/A | TCP 25 | <customer domain-key>.mail.protection.outlook.com | No | Yes | See Exchange Online Protection IP Addresses | TCP 25 |
| 4 | Required: Receive email | See Exchange Online Protection IP Addresses | N/A | TCP 25 | Existing email environment | No | Yes | See Exchange Online Protection IP Addresses | TCP 25 |

Note: The wildcard in the second row of the EOP table represents a long list of nodes that are exclusively used for Exchange Online Protection. No other commercial or consumer services use this namespace.

Office 365 remote analyzer tools

To use this application, you must be able to connect to the endpoints described below. To see the IP addresses, expand the IP address section below the table describing the traffic flow.

| Row | Purpose | Source | Credentials | Destination | CDN | ExpressRoute for Office 365 | Destination IP | Destination Port |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | Required: Initiate connectivity tests. | Web Browser | Logged on user | testconnectivity.microsoft.com | No | No | Remote Analyzer IP Ranges. | TCP 80 & 443 |
| 2 | Required: Captcha & support services | Web Browser | Logged on user | client.hip.live.com, wu.client.hip.live.com, support.microsoft.com | No | No | N/A | TCP 80 & 443 |
| 3 | Required: Execution of the tests selected by the customer. | testconnectivity.microsoft.com | Provided by customer on the testconnectivity website | On-premises systems for email and collaboration. | No | No | Customer IP ranges | 80, 443, 25, POP3 on (110, 995, or Custom), IMAP4 on (143, 993, or Custom) |
| 4 | Required: Certificate revocation lists | Web Browser | Logged on user | See well known certificate root CRLs in the table below. | No | No | N/A | TCP 80 & 443 |

Expand to see the Remote Analyzer IP Addresses

Office 365 remote analyzer tools endpoints routable through the Internet only

13.67.59.89
40.85.91.8
104.208.36.70

Well known certificate root FQDNs

crl.microsoft.com
evsecure-ocsp.verisign.com
evsecure-aia.verisign.com
evsecure-crl.verisign.com
ocsp.msocsp.com
sa.symcb.com
sd.symcb.com
*.omniroot.com
*.verisign.com
*.symcb.com
*.symcd.com
*.verisign.net
*.geotrust.com
*.entrust.net
*.public-trust.com

Yammer

To use this application, you must be able to connect to the endpoints described below. To see the IP addresses, expand the IP address section below the table describing the traffic flow.

| Row | Purpose | Source | Credentials | Destination | CDN | ExpressRoute for Office 365 | Destination IP | Destination Port |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | Required: Authentication and identity | See Office 365 authentication and identity | | | | | | |
| 2 | Required: Portal and shared | See Office 365 portal and shared including the well known certificate root CRLs. | | | | | | |
| 3 | Required: Yammer | Client Computer | Logged on user | *.yammer.com [1], *.yammerusercontent.com [1] | No | No | Yammer IP Ranges. | TCP 443 |
| 4 | Required: Yammer | Client Computer | Logged on user | *.assets-yammer.com [1] | Varies | No | N/A | TCP 443 |
| 5 | Optional: Document, video, & image storage/rendering | Client Computer | Logged on user | ajax.googleapis.com, *.cloudfront.net | No | No | N/A | TCP 443 |

[1] This FQDN needs to be in your client's IE Trusted Sites Zone to function.

Note: The wildcard for yammer.com represents a long list of nodes that are exclusively used for Office 365.

Expand to see the Yammer IP Addresses

Yammer IPv4 endpoints routable through the Internet only

13.107.6.158
13.107.6.159
13.107.9.158
13.107.9.159
134.170.148.0/22

Office 365 ProPlus

To use this application, you must be able to connect to the endpoints described below. To see the IP addresses, expand the IP address section below the table describing the traffic flow.

If you’re interested in bypassing the CDN for your deployment, you can build an internal installation point.

| Row | Purpose | Source | Credentials | Destination | CDN | ExpressRoute for Office 365 | Destination IP | Destination Port |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | Required: Authentication and identity | See Office 365 authentication and identity | | | | | | |
| 2 | Required: This URL is needed to renew the product key approximately every 30 days | Office client only | Local system | activation.sls.microsoft.com | No | No | N/A | TCP 443 |
| 3 | Required: This URL is required to validate certificates during activation | Office client only | Local system | crl.microsoft.com | No | No | N/A | TCP 80 & 443 |
| 4 | Required: Required for identity and configuration services | Office client only | Local system | odc.officeapps.live.com | Microsoft & Akamai | No | Office 365 ProPlus IP Ranges and CDN IP addresses not provided. | TCP 443 |
| 5 | Required: This URL is the Office Licensing Service, which is used during activation and subscription maintenance | Office client only | Local system | ols.officeapps.live.com | Microsoft & Akamai | No | Office 365 ProPlus IP Ranges and CDN IP addresses not provided. | TCP 443 |
| 6 | Required: Runtime client configuration. | Office client only | Local system | office15client.microsoft.com, officeclient.microsoft.com | Microsoft & Akamai | No | Office 365 ProPlus IP Ranges and CDN IP addresses not provided. | TCP 443 |
| 7 | Required: These FQDNs are required to support in-app redirection. | Office client only | Local system | ocsredir.officeapps.live.com, r.office.microsoft.com, officeredir.microsoft.com, o15.officeredir.microsoft.com, officepreviewredir.microsoft.com | No | No | N/A | TCP 80 & 443 |
| 8 | Required: This FQDN is required to support the recent documents function. | Office client only | Local system | ocws.officeapps.live.com | No | No | N/A | TCP 443 |
| 9 | Required: Contains Office 365 ProPlus source media used for installation and/or updates. If automatic updates are configured in the default settings, the local system account is used when downloading updates. | Office client only | Logged on user | officecdn.microsoft.com, officecdn.microsoft.com.edgesuite.net, officecdn.microsoft.com.edgekey.net | Microsoft & Akamai | No | N/A | TCP 80 & 443 |
| 10 | Required: In-app help. | Office client only | Anonymous | ocsa.officeapps.live.com | Microsoft & Akamai | No | N/A | TCP 80 & 443 |
| 11 | Required: Bing image search. | Office client only | Anonymous | insertmedia.bing.office.net | No | No | N/A | TCP 80 & 443 |
| 12 | Required: This URL is used to redirect to web content such as online help and error code information. | Office client only | Logged on user | go.microsoft.com | Microsoft & Akamai | No | N/A | TCP 80 |

Expand to see the Office 365 ProPlus IP Addresses

Office 365 ProPlus IPv4 endpoints routable through the Internet only

13.107.12.51
104.40.234.17
104.210.220.25
191.236.108.93
191.236.157.212

Office Online

To use this application, you must be able to connect to the endpoints described below. To see the IP addresses, expand the IP address section below the table describing the traffic flow.

| Row | Purpose | Source | Credentials | Destination | CDN | ExpressRoute for Office 365 | Destination IP | Destination Port |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | Required: Authentication and identity | See Office 365 authentication and identity | | | | | | |
| 2 | Required: Portal and shared | See Office 365 portal and shared including the well known certificate root CRLs. | | | | | | |
| 3 | Required: Office Online | Client Computer | Logged on user | *.officeapps.live.com | No | Yes | Office Online IP Ranges. | TCP 443 |
| 4 | Required: Content Delivery Network for Office Web Apps | Client Computer | Logged on user | *.cdn.office.net | Akamai | No | N/A | TCP 443 |

Note: The wildcard for officeapps.live.com represents a long list of nodes such as excel.officeapps.live.com that are used for Office Online.

Expand to see the Office Online IP Addresses

Note: ExpressRoute for Office 365 currently does not support IPv6.

Office Web Apps IPv4 endpoints routable through the Internet and ExpressRoute

Office Web Apps IPv6 endpoints routable through the Internet only

Sway

To use this application, you must be able to connect to the endpoints described below. To see the IP addresses, expand the IP address section below the table describing the traffic flow.

| Row | Purpose | Source | Credentials | Destination | CDN | ExpressRoute for Office 365 | Destination IP | Destination Port |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | Required: Authentication and identity | See Office 365 authentication and identity | | | | | | |
| 2 | Required: Portal and shared | See Office 365 portal and shared including the well known certificate root CRLs. | | | | | | |
| 3 | Required: Sway | Client Computer | Logged on user | sway.com, www.sway.com, eus-www.sway.com, eus-000.www.sway.com, eus-001.www.sway.com, eus-002.www.sway.com, eus-003.www.sway.com, eus-004.www.sway.com, eus-005.www.sway.com, eus-006.www.sway.com, eus-007.www.sway.com, eus-008.www.sway.com, eus-009.www.sway.com, eus-00a.www.sway.com, eus-00b.www.sway.com, eus-00c.www.sway.com, eus-00d.www.sway.com, eus-00e.www.sway.com, wus-www.sway.com, wus-000.www.sway.com, wus-001.www.sway.com, wus-002.www.sway.com, wus-003.www.sway.com, wus-004.www.sway.com, wus-005.www.sway.com, wus-006.www.sway.com, wus-007.www.sway.com, wus-008.www.sway.com, wus-009.www.sway.com, wus-00a.www.sway.com, wus-00b.www.sway.com, wus-00c.www.sway.com, wus-00d.www.sway.com, wus-00e.www.sway.com | No | No | Sway IP Ranges. | TCP 443 |
| 4 | Required: Sway | Client Computer | Logged on user | eus-www.sway-cdn.com, wus-www.sway-cdn.com, eus-www.sway-extensions.com, wus-www.sway-extensions.com | Akamai | No | N/A | TCP 443 |
| 5 | Optional: Sway website analytics | Client Computer | Logged on user | c.microsoft.com, c1.microsoft.com, prod.msocdn.com, www.google-analytics.com | No | No | N/A | TCP 443 |
| 6 | Optional: Sway third party content | Client Computer | Logged on user | Access to third party content such as Bing, Flickr, and so on. | No | No | N/A | TCP 443 |

Expand to see the Sway IP Addresses

Sway IPv4 endpoints routable through the Internet only

Planner

To use this application, you must be able to connect to the endpoints described below. To see the IP addresses, expand the IP address section below the table describing the traffic flow.

| Row | Purpose | Source | Credentials | Destination | CDN | ExpressRoute for Office 365 | Destination IP | Destination Port |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | Required: Authentication and identity | See Office 365 authentication and identity | | | | | | |
| 2 | Required: Portal and shared | See Office 365 portal and shared including the well known certificate root CRLs. | | | | | | |
| 3 | Required: Planner | Browser | authenticated user | tasks.office.com, controls.office.com, cus-000.tasks.osi.office.net, ea-000.tasks.osi.office.net, eus-zzz.tasks.osi.office.net, neu-000.tasks.osi.office.net, sea-000.tasks.osi.office.net, weu-000.tasks.osi.office.net, wus-000.tasks.osi.office.net | No | No | Planner IP Ranges. | TCP 443 |
| 4 | Required: Planner | Browser | authenticated user | outlook.office365.com, www.outlook.com | No | Yes | Exchange Online IP ranges & Portal and shared IP ranges. | TCP 443 |
| 5 | Required: Planner | Browser | authenticated user | clientlog.portal.office.com | No | No | Portal and shared IP ranges. | TCP 443 |
| 6 | Required: Planner CDNs | Browser | authenticated user | ajax.aspnetcdn.com, prod.msocdn.com | Akamai | No | N/A | TCP 443 |

Expand to see the Planner IP Addresses

Planner IPv4 endpoints routable through the Internet only

Office for iPad

This is the current list of Office for iPad URLs. If you’re using allow lists to filter iPad connectivity differently than other computers on your network, you can use just this list of URLs to create those allow lists.

Office for iPad URLs

directory.services.live.com
odc.officeapps.live.com
docs.live.net
roaming.officeapps.live.com
nexus.officeapps.live.com
sqm.microsoft.com
watson.telemetry.microsoft.com
login.live.com
wer.microsoft.com         
microsoft-my.sharepoint.com
login.microsoftonline.com
ms.tific.com
msft.sts.microsoft.com
p100-sandbox.itunes.apple.com
signup.live.com
auth.gfx.ms
view.atdmt.com
client.hip.live.com
dc2.client.hip.live.com
c.live.com
go.microsoft.com
office.microsoft.com
officeimg.vo.msecnd.net
m.webtrends.com
account.live.com
c.bing.com
partnerservices.getmicrosoftkey.com
client.hip.live.com
clientconfig.microsoftonline-p.net
cl2.apple.com
sas.office.microsoft.com
foodanddrink.services.appex.bing.com
en-US.appex-rf.msn.com
weather.tile.appex.bing.com

Office Mobile

This is the current list of Office Mobile URLs. Office Mobile runs on Android devices, Windows Phones, and iPhones. If you’re filtering your mobile connectivity differently than other computers on your network, you can use just this list of URLs to create those allow lists.

Office Mobile URLs

office15client.microsoft.com
odc.officeapps.live.com
go.microsoft.com
login.microsoftonline.com
msft.sts.microsoft.com
odcsm.officeapps.live.com
microsoft-my.sharepoint.com
ms.tific.com
roaming.officeapps.live.com
o15.officeredir.microsoft.com
office.microsoft.com
officeimg.vo.msecnd.net
m.webtrends.com
d.docs.live.net
login.live.com
auth.gfx.ms
wer.microsoft.com
*.appex.bing.com
*.appex-rf.msn.com
appexsin.stb.s-msn.com
