Office 365 URLs and IP address ranges

Summary   : If your organization uses Office 365 and restricts computers on your network from connecting to the Internet, below you'll find the endpoints (FQDNs, Ports, URLs, IPv4, and IPv6 address ranges) that you should include in your outbound allow lists to ensure your computers can successfully use Office 365.

Office 365 endpoints: Worldwide | Office 365 operated by 21 Vianet | Office 365 US Government Defense

Last updated: 11/28/2016 - See what changed

Tips: Subscribe via RSS RSS to receive notice when endpoints are changed.

Use the XML file to view a single list with all of the endpoints or to automatically process changes.

Office 365requires internet connectivity from every computer connecting to the service.

If you're configuring access from your network to Office 365, managing Office 365 endpoints describes how to manage your firewall and proxy settings with scripts and sample PAC files.

If you're troubleshooting access to Office 365, troubleshooting Office 365 connectivity describes how to troubleshoot endpoints found in your network traces or firewall logs.

Content delivery networks and client connectivity offer more insight into how clients connect to Office 365 and how standard internet services are incorporated.

Warning: IP addresses filtering alone isn’t a complete solution due to dependencies on internet based services such as Domain Name Services, Content Delivery Networks (CDNs), Certificate Revocation Lists, and other third party or dynamic services. These dependencies include dependencies on other Microsoft services such as the Azure Content Delivery Network and will result in network traces or firewall logs indicating connections to IP addresses owned by third parties or Microsoft but not listed on this page. These unlisted IP addresses, whether from third party or Microsoft owned CDN and DNS services are dynamically assigned and can change at any time.

  • Some clients such as the Office 365 admin portal or Outlook Web App won’t be able to authenticate without contacting CDNs.

  • CDN, CRL, and other partners don't publish IP addresses.

  • New Office 365 infrastructure won’t become instantly available to client computers.

  • Some firewall providers and security policies don't allow for wildcards.

  • Updates will be required as frequently as weekly for both planned and emergency changes.

  • Future non-web based clients may not be able to authenticate.

Tip: If IP address filtering is your only option at the firewall, an automatic proxy configuration file can be used to route the destinations marked below as CDNs through an alternate path, such as through an outbound proxy. See the Routing office 365 traffic over the internet and ExpressRoute scenario in the article Routing with ExpressRoute for Office 365 for help with more complex routing configurations.

Every Office 365 service requires the endpoints in the Office 365 portal and shared as well as the Office 365 authentication and identity to function. Beyond that you'll need to select the services you've deployed or plan to deploy in your organization and filter accordingly. If you've fully adopted all Office 365 services in your organization, the entries from every service section below are required. If not, use these links to get to just the services your organization has adopted. The FQDNs and IP addresses tables are collapsed to improve navigation, you'll need to expand the sections to see the tables. If you want to search for a specific endpoint, search the XML file for the current list of endpoints organized by service or the RSS feed to see a historical view including the dates when specific endpoints were added or removed.

Changes for each Office 365 service are combined and published at the end of each month. Occasionally emergency changes will occur outside of the end of month publishing. Expect changes three business days prior to the last business day of the month. When an endpoint is added, an effective date is listed in the RSS feed. If you're new to RSS, here is how to subscribe via Outlook or you can have the RSS feed updates emailed to you.

Some of our services do overlap with one another and you will notice the overlap or duplication in the lists of endpoints. There is also some domain name overlapping with our consumer services; while the root domain name is the same, Office 365 operates from a separate sub-domain. If you’re going to add IP addresses to your allow lists, keep in mind that IPv6 is optional and not required. We provide it here for customers who wish to use IPv6.

The endpoints listed as a Yes in the ExpressRoute for Office 365 column are available both over the internet and over ExpressRoute with Microsoft peering configured. Some services that Office 365 leverages are also available with Public peering configured and those are noted here; however, Public peering is not required to use ExpressRoute with Office 365 for the Office 365 applications supported over ExpressRoute.

There's a lot of information on this page, can we present it to you in a simpler way?

Please consider voicing your thoughts at the bottom of this page, under the heading Was this information helpful? Click yes or no and enter detailed feedback. The more feedback we get from you the easier it will be for us to improve the page.

Office 365 portal and shared

To use any Office 365 services, you must be able to connect to the endpoints marked required below. If your organization uses the Office 365 management pack, Cloud App Security, or the Security and Compliance export services, you'll find the associated endpoints below. All IP addresses entered directly in the Destination IP column are also listed in the IP tables and XML file for your convenience.

Row

Purpose

Source | Credentials

Destination

CDN

ExpressRoute for Office 365

Destination IP

Destination Port

1

Required: Office 365 Portal

Client Computer | Logged on user

*.office365.com

No

No4

Portal and shared IP ranges.

TCP 443

2

Required: Office 365 Portal

Client Computer | Logged on user

home.office.com

portal.office.com

agent.office.net

www.office.com

outlook.office365.com

No

Yes

Portal and shared IP ranges & Exchange Online IP ranges.

TCP 443

portal.microsoftonline.com

No

No

Portal and shared IP ranges.

TCP 443

3

Required: CDNs used for portal and shared

Client Computer | Logged on user

prod.msocdn.com

appsforoffice.microsoft.com

Microsoft and Akamai

No

N/A

TCP 443

4

Required: Shared infrastructure

Client Computer | Logged on user

clientlog.portal.office.com

nexus.officeapps.live.com

nexusrules.officeapps.live.com

Various

No

Portal and shared IP ranges.

TCP 80 & 443

accounts.office.net

No

Yes

207.46.141.38/32
13.78.120.99/32
13.92.181.66/32
23.96.253.65/32
52.178.146.67/32
13.84.222.249/32
52.187.78.144/32
104.40.178.127/32
104.214.144.62/32
104.42.225.143/32
168.62.104.83/32

5

Required: Certificate revocation lists

Client Computer | Logged on user

See well known certificate root CRLs in the table below.

No

No

N/A

TCP 80 & 443

6

Required: Some Office 365 features require endpoints within these domains.

Note: Many specific FQDNs within these wildcards have been published recently as we work to either remove or better explain our guidance relating to wildcards.

Client Computer | Logged on user

*.onmicrosoft.com

*.office.com

*.office.net

*.live.com

No

No4

N/A

TCP 80 & 443

*.msedge.net

No

*.microsoft.com

*.msocdn.com

Various

7

Optional: Shared help and support

Client Computer | Logged on user

support.office.com

products.office.com

technet.microsoft.com

amp.azure.net

assets.onestore.ms

auth.gfx.ms

browser.pip.aria.microsoft.com

c.microsoft.com

c1.microsoft.com

connect.facebook.net

dgps.support.microsoft.com

mem.gfx.ms

platform.linkedin.com

support.content.office.net

video.osi.office.net

videocontent.osi.office.net

videoplayercdn.osi.office.net

Various

No

N/A

TCP 80 & 443

8

Optional: Deprecated FQDNs

Client Computer | Logged on user

*.glbdns.microsoft.com

No

No

N/A

TCP 80 & 443

9

Optional: Microsoft Azure RemoteApp

Client Computer | Logged on user

dc.services.visualstudio.com

liverdcxstorage.blob.core.windowsazure.com

telemetry.remoteapp.windowsazure.com

vortex.data.microsoft.com

www.remoteapp.windowsazure.com

No

Varies3

N/A

TCP 443

10

Optional: Office 365 Management Pack for Operations Manager

Customer Operations Manager environment | Machine1 Account

office365servicehealthcommunications.cloudapp.net

No

Varies3

N/A

TCP 443

11

Optional: Import Service for PST and file ingestion

Refer to the Import Service for additional requirements.

12

Optional: Cloud App Security

Client Computer | Logged on user

*.portal.cloudappsecurity.com

No

No

104.42.231.28 104.209.35.177 13.91.98.185

TCP 443

13

Optional: Security and Compliance export

Client Computer | Logged on user

protection.office.com

*.blob.core.windows.net

office365zoom.cloudapp.net

equivioprod*.cloudapp.net

zoom-cs-prod*.cloudapp.net

equivio.office.com

compliance.outlook.com

No

Varies3

N/A

TCP 443

14

Optional: Office 365 Management APIs

Client Computer | Logged on user

manage.office.com

No

No

N/A

TCP 443

15

Optional: Graph API (Graph.windows.net and Graph.Microsoft.com

Client Computer | Logged on user

Graph.microsoft.com

Graph.windows.net

No

No

N/A

TCP 443

16

Optional: Discovery Service API

Client Computer | Logged on user

api.office.com

No

No

N/A

TCP 443

17

Optional: 3rd party office integration.

Client Computer | Logged on user

firstpartyapps.oaspapps.com

prod.firstpartyapps.oaspapps.com.akadns.net

telemetryservice.firstpartyapps.oaspapps.com

wus-firstpartyapps.oaspapps.com

Varies

No

N/A

TCP 443

1Keep in mind that Machine accounts won’t work with proxies that require outbound authentication.

3 See additional information about supported services over Azure ExpressRoute and the Public peering path.

4 There are specific sub-FQDNs within this domain that are available on ExpressRoute, learn more by reading the section, Deciding which applications and features route over ExpressRoute.

Note: ExpressRoute for Office 365 currently does not support IPv6. Customers not using ExpressRoute will want to ensure both IP lists below are reachable over the internet.

Office 365 portal and shared IPv4 endpoints routable through the Internet and ExpressRoute

Office 365 portal and shared IPv4 endpoints routable through the Internet only

Office 365 portal and shared IPv6 endpoints routable through the Internet only

Office 365 Certificate Revocation List (Root URLs)

13.93.164.45/32
104.42.230.91/32
13.71.145.114/32
13.78.120.70/32
13.78.120.69/32
13.78.120.99/32
13.84.222.249/32
13.92.181.66/32
13.107.6.156/31
13.107.7.190/31
13.107.9.156/31
23.96.251.50/32
23.96.253.65/32
23.97.66.55/32
23.97.78.94/32
40.83.185.155/32
40.83.185.230/32
40.84.145.72/32
40.117.100.187/32
40.117.229.133/32
40.117.229.194/32
52.178.146.67/32
52.187.78.144/32
65.52.240.200/32
65.55.239.168/32
94.245.117.53/32
104.40.178.127/32
104.42.225.143/32
104.47.156.62/32
104.214.144.62/32
104.214.144.252/32
104.214.145.173/32
111.221.104.43/32
137.116.156.3/32
138.91.61.107/32
157.55.145.0/25
157.55.155.0/25
157.55.227.192/26
168.62.104.83/32
168.63.92.133/32
191.238.160.173/32
207.46.73.250/32
207.46.141.38/32
207.46.216.54/32
213.199.128.119/32
13.76.218.117/32
13.76.219.191/32
13.76.219.210/32
13.91.98.185/32
23.96.240.104/32
23.97.61.137/32
23.97.150.21/32
23.97.152.190/32
23.97.209.97/32
23.99.109.44/32
23.99.109.64/32
23.99.116.116/32
23.99.121.207/32
23.100.86.91/32
23.101.14.229/32
23.101.30.126/32
23.102.4.253/32
23.102.155.140/32
40.76.1.176/32
40.76.8.142/32
40.76.12.4/32
40.76.12.162/32
40.83.189.49/32
40.113.8.255/32
40.113.10.78/32
40.113.11.93/32
40.113.14.159/32
40.117.144.240/32
40.117.151.29/32
40.121.144.182/32
40.122.168.103/32
65.52.26.28/32
65.52.148.27/32
65.52.160.218/32
65.52.184.75/32
65.52.196.64/32
65.52.219.207/32
70.37.97.234/32
94.245.108.85/32
104.41.207.73/32
104.42.231.28/32
104.43.140.223/32
104.45.11.195/32
104.45.214.112/32
104.46.1.211/32
104.46.38.64/32
104.46.50.125/32
104.209.35.177/32
104.209.190.8/32
104.210.4.77/32
104.210.40.87/32
104.210.212.243/32
104.214.35.244/32
104.215.146.200/32
104.215.198.144/32
111.221.111.196/32
137.116.66.126/32
137.116.81.187/32
157.55.177.39/32
157.55.184.223/32
157.55.80.94/32
168.61.146.25/32
168.61.149.17/32
168.61.170.80/32
168.61.172.71/32
168.62.204.209/32
168.62.29.225/32
168.62.43.8/32
168.63.18.79/32
168.63.29.74/32
168.63.100.61/32
168.63.138.56/32
168.63.172.54/32
168.63.213.238/32
191.236.88.160/32
191.236.155.80/32
191.237.218.239/32
191.238.177.236/32
207.46.134.255/32
207.46.153.155/32
2603:1020:200::682f:a1d8
2603:1020:201::3c4
2603:1030:603::6a
2603:1030:603::72
2603:1030:a02::118
2603:1040:200::111
 2603:1040:400::5d
2603:1040:400::5e
2603:1040:400::7b
2603:1040:601::1e7
2801:80:1d0:1c00::/64
2a01:111:2003::/48
2a01:111:200a:a::/64
2a01:111:202c::/48
2a01:111:202e::/48
2a01:111:202e::190
2a01:111:202e::191
2a01:111:202e::156
2a01:111:202d::/48
2a01:111:2035:8::/64
2a01:111:f100:1002::4134:c440
2a01:111:f100:1002::4134:d9ee 
2a01:111:f100:1004::4134:f0c8
2a01:111:f100:2002::8975:2c33
2a01:111:f100:2002::8975:2d11
2a01:111:f100:2002::8975:2d98
2a01:111:f100:3002::8987:320c
2a01:111:f100:3002::8987:3552
2a01:111:f100:4001::4625:61ea
2a01:111:f100:4001::4625:a1e3
2a01:111:f100:4001::4625:a248
2a01:111:f100:6000::4134:b84b
2a01:111:f100:7000::6fdd:682b
2a01:111:f100:7000::6fdd:6b20
2a01:111:f100:7000::6fdd:6b76
2a01:111:f100:7000::6fdd:6fc4
2a01:111:f100:8000::4134:941b
2a01:111:f100:8001::d5c7:8077
2a01:111:f102:8001::1761:4237
2a01:111:f102:8001::1761:4daf
2a01:111:f100:a000::5ef5:6c55
2a01:111:f100:a001::a83f:5c85
2a01:111:f100:a004::bfeb:8c89
2a01:111:f100:a004::bfeb:8deb
2a01:111:f406:1::/64
2a01:111:f406:1000::/64
2a01:111:f406:1004::/64
2a01:111:f406:1801::/64
2a01:111:f406:1805::/64
2a01:111:f406:3404::/64
2A01:111:F406:8000::/64
2a01:111:f406:8801::/64
2a01:111:f406:a003::/64
2a01:111:f406:c00::/64
crl.microsoft.com 
evsecure-ocsp.verisign.com
evsecure-aia.verisign.com
evsecure-crl.verisign.com
ocsp.msocsp.com
sa.symcb.com
sd.symcb.com
*.omniroot.com
*.verisign.com
*.symcb.com
*.symcd.com
*.verisign.net
*.geotrust.com
*.entrust.net
*.public-trust.com

The endpoints listed in this section are required if you're using Azure Rights Management.

Row

Purpose

Source | Credentials

Destination

CDN

ExpressRoute for Office 365

Destination IP

Destination Port

1

Required: Authentication and identity

See Office 365 authentication and identity

2

Required: Portal and shared

See Office 365 portal and shared including the well known certificate root CRLs.

4

Required: Azure Rights Management (RMS)

Client Computer | Logged on user

*.aadrm.com

*.azurerms.com

ecn.dev.virtualearth.net

No

No

N/A

TCP 443

*.cloudapp.net1

No

Varies2

N/A

TCP 443

8

Optional: Rights Management connector

On-premises server

*.aadrm.com

No

No

N/A

TCP 443

1Azure Rights Management Office 2010 Clients Only.

2 See additional information about supported services over Azure ExpressRoute and the Public peering path.

(Back to top | Office 365 portal and shared | Office 365 authentication and identity | Exchange Online | Skype for Business Online | SharePoint Online | Office 365 Video | Exchange Online Protection (EOP) | Office 365 remote analyzer tools | Office Clients | Office Online | Yammer | Sway | Planner)

Office 365 authentication and identity

To use any Office 365 services, you must be able to connect to the endpoints marked required below. If your organization uses Azure AD Connect AAD Connect, AD FS, or Multi-factor authentication, you'll find the associated endpoints below. All IP addresses entered directly in the Destination IP column are also listed in the IP tables and XML file for your convenience.

If you’re using Active Directory Federation Services (AD FS) with your deployment, you can also use AD FS client access policies with Windows Server 2012 R2 or client access policies with AD FS 2.0 to further restrict and control access to Office 365.

Row

Purpose

Source | Credentials

Destination

CDN

ExpressRoute for Office 365

Destination IP

Destination Port

1

Required: Certificate revocation lists

See the well known certificate root CRLs.

2

Required: Authentication and identity

Client Computer | Logged on user

api.login.microsoftonline.com

clientconfig.microsoftonline-p.net

device.login.microsoftonline.com

hip.microsoftonline-p.net

hipservice.microsoftonline.com

login.microsoft.com

login.microsoftonline.com

logincert.microsoftonline.com

loginex.microsoftonline.com

login-us.microsoftonline.com

login.microsoftonline-p.com

nexus.microsoftonline-p.com

stamp2.login.microsoftonline.com

login.windows.net

No

Yes

Authentication and Identity IP ranges

TCP 80 & 443

accesscontrol.windows.net

secure.aadcdn.microsoftonline-p.com

No

No

N/A

TCP 443

3

Optional: Legacy/temporary FQDNs

Client Computer | Logged on user

*.msecnd.net

*.microsoft.com

*.microsoftonline-p.com

*.microsoftonline-p.net

Akamai and Microsoft

No

N/A

TCP 443

*.windows.net

No5

*.microsoftonline.com

Varies

Yes4

N/A

TCP 443

4

Optional: Multi-factor authentication (MFA)

Client Computer | Logged on user

account.activedirectory.windowsazure.com

secure.aadcdn.microsoftonline-p.com3

No

No

Microsoft Azure Active Directory (MFA) IP and FQDNs

TCP 443

5

Optional: DirSync (legacy)

DirSync Server | Machine1 and Service Account

*.microsoftonline.com

login.windows.net

provisioningapi.microsoftonline.com

adminwebservice.microsoftonline.com

No

Yes

Authentication and Identity IP ranges

TCP 443

mscrl.microsoft.com

No

No

N/A

TCP 80 & 443

6

Optional: Azure AD Connect (recommended)

Azure AD Connect Server | Service Account

*.microsoftonline.com

login.windows.net

provisioningapi.microsoftonline.com

adminwebservice.microsoftonline.com

No

Yes

Authentication and Identity IP ranges

TCP 443

mscrl.microsoft.com

secure.aadcdn.microsoftonline-p.com3

No

No

N/A

TCP 80 & 443

Public DNS

No

No

N/A

TCP 53

7

Optional: Azure AD Connect (w/SSO option) – WinRM & remote powershell

Client Computer | Service Account

Customer STS environment (AD FS Server and AD FS Proxy) | Ports TCP 80 & 443

No

No

Customer environment

TCP 80 & 443

8

Optional: STS such as AD FS Proxy server(s) (for federated customers only)

Client Computer | N/A

Customer STS (such as AD FS Proxy) | Ports TCP 443 or TCP 49443 w/ClientTLS

No

No

Customer environment

TCP 443 or TCP 49443 w/ClientTLS

9

Optional: AD FS Proxy server(s) (for federated customers only)

Customer AD FS Proxy (WAP) | N/A

Customer AD FS Server (FS) | Port TCP 443

No

No

Customer environment

TCP 443

10

Optional: Azure AD Connect Health

Azure AD Connect Health Server | Service Account

management.azure.com

*.blob.core.windows.net

*.queue.core.windows.net

*.servicebus.windows.net - Port: 5671 (If 5671 is blocked, agent falls back to 443, but using 5671 is recommended.)

*.adhybridhealth.azure.com

*.table.core.windows.net

policykeyservice.dc.ad.msft.net

secure.aadcdn.microsoftonline-p.com

Microsoft

Varies2

N/A

TCP 443

login.windows.net

login.microsoftonline.com

No

Yes

Authentication and Identity IP ranges

TCP 443

11

Optional: Office 365 Management Pack for Operations Manager

Customer Operations Manager environment | Machine1 Account

office365servicehealthcommunications.cloudapp.net

No

Varies2

N/A

TCP 443

1Keep in mind that Machine accounts won’t work with proxies that require outbound authentication.

2 See additional information about supported services over Azure ExpressRoute and the Public peering path.

3 This FQDN needs to be in your client's IE Trusted Sites Zone to function.

4 There are specific sub-FQDNs within this domain that are not available on ExpressRoute, learn more by reading the section, Deciding which applications and features route over ExpressRoute.

5 There are specific sub-FQDNs within this domain that are available on ExpressRoute, learn more by reading the section, Deciding which applications and features route over ExpressRoute.

Note: ExpressRoute for Office 365 currently does not support IPv6

Office 365 authentication and identity IPv4 endpoints routable through the Internet and ExpressRoute

Office 365 authentication and identity IPv6 endpoints routable through the Internet only

13.67.50.224/29
13.75.48.16/29
13.75.80.16/29
13.106.56.0/25
23.100.16.168/29
23.100.32.136/29
23.100.64.24/29
23.100.72.32/29
23.100.80.64/29
23.100.88.32/29
23.100.101.112/28
23.100.104.16/28
23.100.112.64/29
23.100.120.64/29
23.101.5.104/29
23.101.144.136/29
23.101.165.168/29
23.101.181.128/29
23.101.210.24/29
23.101.222.240/28
23.101.224.16/29
23.101.226.16/28
40.112.64.16/28
40.113.192.16/29
40.114.120.16/29
40.115.152.16/28
40.127.67.24/29
52.125.0.0/17
52.172.144.16/28
65.52.1.16/29
65.52.193.136/29
65.54.170.128/25
70.37.128.0/23
104.40.240.48/28
104.41.13.120/29
104.41.216.16/28
104.42.72.16/29
104.43.208.16/29
104.43.240.16/29
104.44.218.128/25
104.44.254.128/25
104.44.255.0/25
104.45.0.16/28
104.45.208.104/29
104.46.112.8/29
104.46.224.64/28
104.209.144.16/29
104.210.48.8/29
104.210.83.160/29
104.210.208.16/29
104.211.16.16/29
104.211.48.16/29
104.211.88.16/28
104.211.98.138/32
104.211.98.146/32
104.211.98.246/32
104.211.99.236/32
104.211.100.160/32
104.211.100.204/32
104.211.102.225/32
104.211.152.32/27
104.211.161.150/32
104.211.161.165/32
104.211.161.185/32
104.211.162.33/32
104.211.165.35/32
104.211.166.139/32
104.211.216.32/27
104.211.224.118/32
104.211.225.135/32
104.211.227.110/32
104.211.231.147/32
104.211.231.248/32
104.215.96.24/29
104.215.144.64/29
104.215.184.16/29
131.253.120.128/32
134.170.67.0/25
134.170.172.128/25
157.55.45.128/25
157.55.59.128/25
157.55.130.0/25
157.56.53.128/25
157.56.55.0/25
157.56.58.0/25
157.56.151.0/25
191.232.2.128/25
191.237.248.32/29
191.237.252.192/28
2603:1020:201::4a0
2603:1020:201::4a1
2603:1020:201::4a2
2603:1020:201::4a3
2603:1020:201::4a4
2603:1020:201::4a5
2603:1020:201::4a6
2603:1020:201::4a7
2603:1020:201::4aa
2603:1020:201::581
2603:1020:201::583
2603:1020:201::584
2603:1020:201::586
2603:1020:201::588
2603:1020:201::589
2603:1020:201::58a
2603:1020:201::58b
2603:1020:201::58c
2603:1020:201:2::/64
2603:1020:201:3::/64
2603:1030:7::2c
2603:1030:7::2d
2603:1030:7::2f
2603:1030:7::30
2603:1030:7::34
2603:1030:7::3f
2603:1030:7::40
2603:1030:7::41
2a01:111:2005:6::/64
2a01:111:f100:1002::4134:d89f
2a01:111:f100:1002::4134:d944
2a01:111:f100:1002::4134:d95f
2a01:111:f100:1002::4134:da55
2a01:111:f100:1002::4134:da5c
2a01:111:f100:1002::4134:da81
2a01:111:f100:1002::4134:dab5
2a01:111:f100:1002::4134:daee
2a01:111:f100:1002::4134:db2a
2a01:111:f100:1002::4134:db60
2a01:111:f100:1002::4134:db89
2a01:111:f100:1002::4134:dbe7
2a01:111:f100:1002::4134:dc2d
2a01:111:f100:1002::4134:dc2e
2a01:111:f100:1002::4134:dc43
2a01:111:f100:1002::4134:dc6e
2a01:111:f100:1002::4134:dd7a
2a01:111:f100:1002::4134:ddcb
2a01:111:f100:2002::8975:2c3b
2a01:111:f100:2002::8975:2c3f
2a01:111:f100:2002::8975:2c6d
2a01:111:f100:2002::8975:2cdd
2a01:111:f100:2002::8975:2cea
2a01:111:f100:2002::8975:2ced
2a01:111:f100:2002::8975:2d08
2a01:111:f100:2002::8975:2d19
2a01:111:f100:2002::8975:2d25
2a01:111:f100:2002::8975:2d4d
2a01:111:f100:2002::8975:2d6a
2a01:111:f100:2002::8975:2d97
2a01:111:f100:2002::8975:2daa
2a01:111:f100:2002::8975:2dc7
2a01:111:f100:3002::8987:30a0
2a01:111:f100:3002::8987:3103
2a01:111:f100:3002::8987:3278
2a01:111:f100:3002::8987:328f
2a01:111:f100:3002::8987:3299
2a01:111:f100:3002::8987:3344
2a01:111:f100:3002::8987:3396
2a01:111:f100:3002::8987:3398
2a01:111:f100:3002::8987:33b3
2a01:111:f100:3002::8987:33ec
2a01:111:f100:3002::8987:34eb
2a01:111:f100:3002::8987:34f8
2a01:111:f100:3002::8987:353b
2a01:111:f100:3002::8987:35b5
2a01:111:f100:4001::4625:a3ee
2a01:111:f100:4001::4625:a4b6
2a01:111:f100:4001::4625:a4ba
2a01:111:f100:4001::4625:a4c7
2a01:111:f100:4001::4625:a4cf
2a01:111:f100:4001::4625:a4ee
2a01:111:f100:4001::4625:a56f
2a01:111:f100:4001::4625:a589
2a01:111:f100:7000::6fdd:6a44
2a01:111:f100:7000::6fdd:6b96
2a01:111:f100:7000::6fdd:6bb6
2a01:111:f100:7000::6fdd:6c82
2a01:111:f100:7000::6fdd:6d1c
2a01:111:f100:7000::6fdd:6d23
2a01:111:f100:7000::6fdd:6d50
2a01:111:f100:7000::6fdd:6d88
2a01:111:f100:a004::bfeb:8a92
2a01:111:f100:a004::bfeb:8ab0
2a01:111:f100:a004::bfeb:8b12
2a01:111:f100:a004::bfeb:8b15
2a01:111:f100:a004::bfeb:8b3c
2a01:111:f100:a004::bfeb:8b47
2a01:111:f100:a004::bfeb:8b6c
2a01:111:f100:a004::bfeb:8beb
2a01:111:f100:a004::bfeb:8c55
2a01:111:f100:a004::bfeb:8c6d
2a01:111:f100:a004::bfeb:8c6f
2a01:111:f100:a004::bfeb:8c88
2a01:111:f100:a004::bfeb:8cc0
2a01:111:f100:a004::bfeb:8cdc
2a01:111:f100:a004::bfeb:8d83
2a01:111:f100:a004::bfeb:8d96
2a01:111:f100:a004::bfeb:8daa
2a01:111:f102:8001::1761:4929
2a01:111:f102:8001::1761:4948
2a01:111:f102:8001::1761:4b83
2a01:111:f102:8001::1761:4f0d
2a01:111:f102:8001::1761:4f32
2a01:111:f102:8001::1761:4f64
2a01:111:f102:8001::1761:4f8d
2a01:111:f102:8001::1761:4fc0
2a01:111:f400::/48

(Back to top | Office 365 portal and shared | Office 365 authentication and identity | Exchange Online | Skype for Business Online | SharePoint Online | Office 365 Video | Exchange Online Protection (EOP) | Office 365 remote analyzer tools | Office Clients | Office Online | Yammer | Sway | Planner)

Exchange Online

To use Exchange Online, including mail retrieval, OWA, Unified Messaging, and so on, you must be able to connect to the endpoints marked required below. If your organization uses Exchange Hybrid, Delve, or is migrating email to Office 365, you'll find the associated endpoints below. All IP addresses entered directly in the Destination IP column are also listed in the IP tables and XML file for your convenience.

Row

Purpose

Source | Credentials

Destination

CDN

ExpressRoute for Office 365

Destination IP

Destination Port

1

Required: Portal and shared

See Office 365 portal and shared including the well known certificate root CRLs.

2

Required: Authentication and identity

See Office 365 authentication and identity

3

Required: Exchange Online Protection SMTP services

See Exchange Online Protection (EOP)

4

Required: Client SMTP Relay

Client Computer | Logged on user

smtp.office365.com

No

Yes

Exchange Online IP ranges.

TCP 587

5

Required: Exchange Online (including OWA, Outlook, and so on).

Client Computer | Logged on user

outlook.office365.com

*.outlook.office.com

autodiscover-*.outlook.com

No

Yes

Exchange Online IP ranges.

TCP 80 & 443

6

Required: Exchange Online (including OWA, Outlook, Autodiscover, and so on).

Client Computer | Logged on user

*.outlook.com

No

No4

Exchange Online IP ranges.

TCP 80 & 443

7

Required: Exchange Online (including OWA, Outlook, and so on).

Client Computer | Logged on user

xsi.outlook.com

r1.res.office365.com

r3.res.office365.com

r4.res.office365.com

Akamai

No

N/A

TCP 80 & 443

8

Optional: Exchange Online Unified Messaging/SBC integration.

On-premises Session Border Controller

*.um.outlook.com

No

No

65.55.94.0/25    
207.46.198.0/25  
213.199.177.0/26   
157.55.9.128/25  
111.221.66.0/25  
207.46.58.128/25

Any-TCP/UDP

(Bidirectional for inbound, calls , MWI)

9

Optional: Exchange Hybrid Only

Existing Exchange Client Access Servers and Mailbox Servers | Machine account1

outlook.office365.com

*.outlook.office.com

No

Yes

Exchange Online IP ranges.

TCP 80 & 443

10

Optional: Exchange Hybrid Co-existence

Exchange Online IP ranges | N/A

Customer on-premise Exchange

No

Yes

Customer IP

TCP 443

11

Optional: Exchange Hybrid Proxy Authentication

Exchange Online IP ranges | N/A

Customer on-premise STS

No

Yes

Customer IP

TCP 443 (+ TCP 49443 for cert based authentication)

12

Optional: Used to configure Exchange Hybrid, using the Exchange Hybrid Configuration Wizard.

Note: These endpoints are only required to configure Exchange hybrid. Rows 8-10 describe the ongoing traffic.

Existing Exchange service | N/A

hybridconfiguration.azurewebsites.net

*.hybridconfiguration.azurewebsites.net

*.store.core.windows.net

mshrcstorageprod.blob.core.windows.net

No

Varies3

65.55.39.128/25
65.55.181.128/25
207.46.150.128/25
207.46.164.0/24
207.46.203.128/26

TCP 80 & 443

domains.live.com2

No

Yes

65.55.79.128/25

TCP 80 & 443

13

Optional: Exchange Online IMAP4 migration

IMAP4 Service | N/A

outlook.office365.com

*.outlook.office.com

No

Yes

Exchange Online IP ranges.

TCP 143/993

14

Optional: Exchange Online POP3 migration

POP3 Service | N/A

outlook.office365.com

*.outlook.office.com

No

Yes

Exchange Online IP ranges.

TCP 995

15

Optional: All other Exchange Online migration tools

Existing Exchange service (EWS or MRS) | N/A

outlook.office365.com

*.outlook.office.com

No

Yes

Exchange Online IP ranges.

TCP 80 & 443

16

Optional: Required for Delve

Client Computer | Logged on user

delve.office.com

No

Yes

Exchange Online IP ranges.

TCP 80 & 443

17

Optional: Required for Delve

Client Computer | Logged on user

r3.res.outlook.com

Akamai

No

N/A

TCP 80 & 443

1Keep in mind that Machine accounts won’t work with proxies that require outbound authentication.

2 Only required for Exchange 2010 SP3 Hybrid Configuration Wizard.

3 See additional information about supported services over Azure ExpressRoute and the Public peering path.

4 There are specific sub-FQDNs within this domain that are available on ExpressRoute, learn more by reading the section, Deciding which applications and features route over ExpressRoute.

Note: ExpressRoute for Office 365 currently does not support IPv6

Exchange Online IPv4 endpoints routable through the Internet and ExpressRoute

Exchange Online IPv6 endpoints routable through the Internet only

13.107.6.152/31
13.107.9.152/31
13.107.18.10/31
13.107.19.10/31
23.103.160.0/20
23.103.224.0/19
40.96.0.0/13
40.104.0.0/15
70.37.151.128/25
111.221.112.0/21
131.253.33.215/32
132.245.0.0/16
132.245.1.128/25
132.245.2.0/23
132.245.4.0/22
132.245.8.0/21
132.245.16.0/20
132.245.32.0/19
132.245.64.0/19
132.245.96.0/20
132.245.113.128/25
132.245.114.0/23
132.245.116.0/22
132.245.120.0/21
132.245.129.128/25
132.245.130.0/23
132.245.132.0/22
132.245.136.0/21
132.245.144.0/20
132.245.160.0/19
132.245.192.0/18
134.170.68.0/23
157.56.96.16/28
157.56.96.224/28
157.56.106.128/28
157.56.232.0/21
157.56.240.0/20
191.232.96.0/19
191.234.6.152/32
191.234.140.0/22
191.234.224.0/22
204.79.197.215/32
206.191.224.0/19
207.46.150.128/25
207.46.203.128/26
2603:1006::/40
2603:1016::/40
2603:1020:0800::/40
2603:1026::/40
2603:1026:0200::/39
2603:1026:0400::/39
2603:1026:0600::/40
2603:1026:0800::/40
2603:1036::/39
2603:1036:0200::/40
2603:1036:0400::/40
2603:1036:0600::/40
2603:1036:0800::/38
2603:1036:0c00::/40
2603:1046::/37
2603:1046:0900::/40
2603:1056::/40
2603:1056:0400::/40
2603:1056:0600::/40
2603:1096::/38
2603:1096:0400::/40
2603:1096:0600::/40
2603:1096:0c00::/40
2603:1096:a00::/39
2603:10a6:0200::/40
2603:10a6:0400::/40
2603:10a6:0600::/40
2603:10a6:0800::/40
2603:10d6:0200::/40
2620:1ec:4::152
2620:1ec:4::153
2620:1ec:a92::152
2620:1ec:a92::153
2620:1ec:c::10
2620:1ec:c::11
2620:1ec:d::10
2620:1ec:d::11
2a01:111:f400::/48

(Back to top | Office 365 portal and shared | Office 365 authentication and identity | Exchange Online | Skype for Business Online | SharePoint Online | Office 365 Video | Exchange Online Protection (EOP) | Office 365 remote analyzer tools | Office Clients | Office Online | Yammer | Sway | Planner)

Exchange Online Protection (EOP)

To use Exchange Online Protection as a stand alone service or as the SMTP engine with Exchange Online, you must be able to connect to the endpoints marked required below. Note the EOP SMTP IP addresses are linked to in row 2, 3, & 4 instead of being listed directly on this page.

Row

Purpose

Source | Credentials

Destination

CDN

ExpressRoute for Office 365

Destination IP

Destination Port

1

Required: Authentication and identity

See Office 365 authentication and identity

2

Required: EOP

Client Computer | Logged on user

*.protection.outlook.com

No

Yes

See Exchange Online Protection IP Addresses

TCP 53 & 443

3

Required: Send SMTP email

Existing email environment | N/A

<customer domain-key>.mail.protection.outlook.com

No

Yes

See Exchange Online Protection IP Addresses

TCP 25

4

Required: Receive SMTP email

See Exchange Online Protection IP Addresses | N/A

Existing email environment

No

Yes

See Exchange Online Protection IP Addresses

TCP 25

Note: The wildcard in the second row of the EOP table represents a long list of nodes that are exclusively used for Exchange Online Protection. No other commercial or consumer services use this namespace.

Skype for Business Online

To use Skype for Business Online, you must be able to connect to the endpoints described below. To enable authentication, the endpoints listed in the Office 365 authentication and identity section must be reachable. Similarly, for shared infrastructure and portal services, the endpoints in the portal and shared section are must be reachable. These are rows One and Two respectively. Once the required endpoints in these tables are reachable, ensure the endpoints in the Skype for Business Online table below are reachable. To see the IP addresses, expand the IP address section below the table describing the traffic flow.

Row

Purpose

Source | Credentials

Source Port

Destination

CDN

ExpressRoute for Office 365

Destination IP

Destination Port

1

Required: Authentication and identity

See Office 365 authentication and identity

2

Required: Portal and shared

See Office 365 portal and shared

3

Required: SIP signaling

Client Computer | Logged on user

Ephemeral ports

*.lync.com

No

Yes

Skype for Business IP ranges.

TCP 443

4

Required: Persistent Shared Object Model (PSOM) connections web conferencing

Client Computer | Logged on user

Ephemeral ports

*.lync.com

No

Yes

Skype for Business IP ranges.

TCP 443

5

Required: HTTPS downloads

Client Computer | Logged on user

Ephemeral ports

*.lync.com

No

Yes

Skype for Business IP ranges.

TCP 443

6

Required: Audio

Client Computer | Logged on user

TCP/UDP 50,000-50019

*.lync.com

No

Yes

Skype for Business IP ranges.

TCP 443, UDP 3478, 3479, 3480, & 3481, TCP/UDP 50,000-59,999

7

Required: Video

Client Computer | Logged on user

TCP/UDP 50,020-50039

*.lync.com

No

Yes

Skype for Business IP ranges.

TCP 443, UDP 3478, 3479, 3480, & 3481, TCP/UDP 50,000-59,999

8

Required: Desktop sharing

Client Computer | Logged on user

TCP/UDP 50,040-50059

*.lync.com

No

Yes

Skype for Business IP ranges.

TCP 443, UDP 3478, 3479, 3480, & 3481, TCP/UDP 50,000-59,999

9

Required: Lync Mobile push notifications for Lync Mobile 2010 on iOS devices. You don't need this for Android, Nokia Symbian or Windows Phone mobile devices.

Client Computer | Logged on user

Ephemeral ports

*.lync.com

No

Yes

Skype for Business IP ranges.

TCP 5223

10

Required: Skype Telemetry

Client Computer | Logged on user

Ephemeral ports

skypemaprdsitus.trafficmanager.net

pipe.skype.com

No

No

N/A.

TCP 443

11

Required: Skype client quicktips

Client Computer | Logged on user

Ephemeral ports

quicktips.skypeforbusiness.com

No

No

N/A.

TCP 443

12

Required: Skype for Business chat in OWA

Client Computer | Logged on user

Ephemeral ports

swx.cdn.skype.com

No

No

N/A.

TCP 443

13

Required: Skype for Business client configurations

Client Computer | Logged on user

Ephemeral ports

a.config.skype.com

b.config.skype.com

config.edge.skype.com

No

Yes

13.107.3.128

13.107.3.129

23.99.213.58

23.101.115.193

23.101.116.26

23.101.156.198

23.101.158.111

23.102.17.214

23.102.24.114

40.68.229.156

40.68.230.133

40.78.145.194

104.40.75.8

104.40.76.196

191.233.80.151

191.233.95.169

191.234.19.21

191.234.20.241

191.234.21.145

191.234.23.27

TCP 443

14

Optional: Federation with Skype and public IM connectivity: Contact picture retrieval

Client Computer | Logged on user

Ephemeral ports

*.api.skype.com

*.users.storage.live.com

No

No

N/A.

TCP 443

15

Optional: Federation with Skype and public IM connectivity: Skype Search

Client Computer | Logged on user

Ephemeral ports

graph.skype.com

No

No

N/A.

TCP 443

To use Skype Meeting Broadcast, the following endpoints need to be accessible to client computers.

Row

Purpose

Source |Credentials

Destination

CDN

ExpressRoute for Office 365

Destination IP

Destination Port

1

Required: For all Skype functionality, the entries are labeled "required".

See Skype for Business Online.

2

Required: Skype Meeting Broadcast presenter

Client computer / logged on user

aka.ms

None

No

N/A

TCP 80 & 443

*.microsoftonline.com

None

Yes

Authentication and Identity IP ranges

TCP 443

3

Required: Skype Meeting Broadcast presenter and attendee

Client computer / logged on user

broadcast.skype.com

*.broadcast.skype.com1

*.infra.lync.com1

browser.pipe.aria.microsoft.com

mlccdn.blob.core.windows.net

None

No

N/A

TCP 443

ajax.aspnetcdn.com

*.msecnd.net2

Verizon

No

N/A

TCP 443

4

Required: Skype Meeting Broadcast attendee

Client computer / logged on user

amp.azure.net

pipe.skype.com

None

No

N/A

TCP 443

*.streaming.mediaservices.windows.net3

*.keydelivery.mediaservices.windows.net3

Azure Media Services

Yes (Azure Public peering)

N/A

TCP 443

1 The wildcard for lync.com and broadcast.skype.com represents a long list of nodes that are exclusively used for Office 365.

2 The wildcard for msecnd.net represents a dynamically generated endpoint within the CDN that join page libraries are pulled from.

3 The wildcard for streaming.mediaservices.windows.net represents a list of media services endpoints where video content is pulled from.

Note: The wildcard for lync.com and broadcast.skype.com represents a long list of nodes that are exclusively used for Office 365.

Note: ExpressRoute for Office 365 currently does not support IPv6

Skype for Business Online IPv4 endpoints routable through the Internet and ExpressRoute

Skype for Business Online IPv6 endpoints routable through the Internet only

13.67.186.105/32
13.67.214.76/32
13.67.222.144/32
13.67.234.27/32
13.75.42.168/32
13.88.183.247/32
13.88.241.210/32
13.89.44.84/32
13.91.40.251/32
13.91.108.91/32
13.92.80.132/32
13.92.136.118/32
13.93.209.18/32
13.94.47.37/32
13.95.233.176/32
13.95.236.192/32
13.107.3.0/24
13.107.3.128/32
13.107.3.129/32
13.107.8.0/24
13.107.8.0/24
13.107.64.0/18
13.107.66.0/24
23.97.72.141/32
23.97.164.28/32
23.99.101.49/32
23.99.115.104/32
23.99.121.255/32
23.99.122.87/32
23.99.124.9/32
23.99.213.58/32
23.101.115.193/32
23.101.116.26/32
23.101.156.198/32
23.101.158.111/32
23.102.17.214/32
23.102.24.114/32
23.103.128.0/23
23.103.130.0/24
23.103.176.128/26
23.103.176.192/27
23.103.178.128/26
23.103.178.192/27
40.68.229.156/32
40.68.230.133/32
40.76.24.32/32
40.76.24.177/32
40.77.16.36/32
40.78.68.158/32
40.78.71.48/32
40.78.145.194/32
40.79.38.101/32
40.79.74.185/32
40.83.176.46/32
40.83.177.162/32
40.86.90.132/32
40.112.188.2/32
40.113.16.205/32
40.114.244.22/32
40.118.251.206/32
52.112.0.0/14
52.163.224.242/32
52.163.231.126/32
52.164.255.104/32
52.165.35.53/32
52.169.30.95/32
52.169.105.194/32
52.169.106.115/32
52.174.166.73/32
52.174.166.107/32
52.174.166.156/32
52.175.38.240/32
52.178.34.159/32
52.178.36.12/32
52.178.36.169/32
52.178.38.115/32
52.178.145.227/32
52.178.148.1/32
52.178.148.152/32
52.178.158.225/32
52.232.129.71/32
52.232.132.60/32
52.232.135.81/32
52.233.29.169/32
52.233.30.121/32
65.55.127.0/24
66.119.157.192/26
66.119.158.0/25
104.40.75.8/32
104.40.76.196/32
104.41.207.112/32
104.41.210.140/32
104.42.229.230/32
104.43.12.164/32
104.44.195.0/24
104.44.195.0/24
104.44.200.0/23
104.44.200.0/24
104.44.201.0/24
104.46.96.162/32
104.46.97.194/32
104.46.101.116/32
104.46.105.95/32
104.208.152.137/32
104.210.1.218/32
111.221.76.128/25
111.221.77.0/26
111.221.101.75/32
111.221.122.192/26
131.253.128.0/19
131.253.160.0/20
132.245.0.0/24
132.245.1.0/25
132.245.112.0/24
132.245.113.0/25
132.245.128.0/24
132.245.129.0/25
134.170.0.0/25
134.170.54.0/26
134.170.54.128/25
134.170.113.192/26
134.170.115.128/25
137.116.132.4/32
137.116.157.126/32
137.116.159.19/32
137.116.159.228/32
157.55.40.128/25
157.55.46.64/26
157.55.232.128/26
157.55.238.0/25
157.56.135.64/26
157.56.185.0/26
168.63.14.15/32
168.63.219.57/32
191.233.80.151/32
191.233.95.169/32
191.234.19.21/32
191.234.20.241/32
191.234.21.145/32
191.234.23.27/32
207.46.5.0/24
207.46.156.136/32
207.46.230.50/32
2603:1027::/48
2603:1037::/48
2603:1047::/48
2603:1057::/48
2620:01ec:0042::/48
2620:1ec:40::/42
2620:1ec:6::/48
2a01:111:2047:2::/64
2a01:111:2047:1::/64
2a01:111:2048:2::/64
2a01:111:2048:1::/64
2a01:111:f406:3406::/64
2a01:111:f406:3405::/64
2a01:111:200f:11::/64
2a01:111:200f:10::/64
2a01:111:2007:3::/64
2a01:111:2007:4::/64
2a01:111:200f:6::/64
2a01:111:200f:7::/64 
2a01:111:200f:8::/64
2a01:111:200f:9::/64
2a01:111:2012:2::/64 
2a01:111:2012:3::/64
2a01:111:2012:4::/64
2a01:111:2012:5::/64
2a01:111:2012:6::/64
2a01:111:2012:7::/64
2a01:111:202a:2::/64
2a01:111:202a:3::/64
2a01:111:202b:3::/64
2a01:111:202b:4::/64
2a01:111:202b:9::/64
2a01:111:202b:a::/64
2a01:111:2034:2::/64
2a01:111:2034:3::/64
2a01:111:2035:6::/64
2a01:111:2035:7::/64
2a01:111:2036:2::/64
2a01:111:2036:3::/64
2a01:111:203e:1::/64
2a01:111:203e:2::/64
2a01:111:2040:1::/64
2a01:111:2040:2::/64
2a01:111:2046:4::/64
2a01:111:2046:5::/64
2a01:111:2a:7::/64
2a01:111:2a:8::/64
2a01:111:f402:5802::/64
2a01:111:f402:5803::/64
2a01:111:f402:5805::/64
2a01:111:f404:0c06::/64
2a01:111:f404:0c07::/64
2a01:111:f404:0c09::/64
2a01:111:f404:0c0a::/64
2a01:111:f404:3400::/64
2a01:111:f404:3401::/64
2a01:111:f404:8002::/64
2a01:111:f404:8003::/64
2a01:111:f404:9400::/64
2a01:111:f404:9401::/64
2a01:111:f404:a000::/64
2a01:111:f404:a001::/64
2a01:111:f404:a800::/64
2a01:111:f404:a801::/64
2a01:111:f404:c0b::/64
2a01:111:f404:c0c::/64
2a01:111:f406:2400::/64
2a01:111:f406:2401::/64
2a01:111:f406:402::/64
2a01:111:f406:403::/64

(Back to top | Office 365 portal and shared | Office 365 authentication and identity | Exchange Online | Skype for Business Online | SharePoint Online | Office 365 Video | Exchange Online Protection (EOP) | Office 365 remote analyzer tools | Office Clients | Office Online | Yammer | Sway | Planner)

SharePoint Online and OneDrive for Business

To use SharePoint Online or OneDrive for Business, you must be able to connect to the endpoints marked required below. If your organization uses Exchange Hybrid, Delve, or is migrating email to Office 365, you'll find the associated endpoints below.

Row

Purpose

Source | Credentials

Destination

CDN

ExpressRoute for Office 365

Destination IP

Destination Port

1

Required: Authentication and identity

See Office 365 authentication and identity

2

Required: Portal and shared

See Office 365 portal and shared including the well known certificate root CRLs.

3

Required: Office Online

See Office Online

4

Required: SharePoint Online and associated applications

Client Computer | Logged on user

*.sharepoint.com

<tenant>.sharepoint.com1

<tenant>-my.sharepoint.com1

<tenant>-files.sharepoint.com1

<tenant>-myfiles.sharepoint.com1

*.svc.ms

No

Yes

SharePoint Online IP Ranges.

TCP 80 & 443

5

Required: CDNs for SharePoint Online and associated applications

Client Computer | Logged on user

*.sharepointonline.com

cdn.sharepointonline.com

Static.sharepointonline.com

prod.msocdn.com

spoprod-a.akamaihd.net

publiccdn.sharepointonline.com

privatecdn.sharepointonline.com

Microsoft & Akamai

No

N/A

TCP 80 & 443

6

Required: SharePoint Online inbound mail

SharePoint Online IP Ranges | N/A

Customer environment

No

Yes

Customer environment

TCP 25

7

Required: OneDrive for Business update verification and download

Client Computer | Logged on user

oneclient.sfx.ms

Akamai

No

N/A

TCP 80 & 443

8

Required: OneDrive for Business: Determines consumer v commercial

Client Computer | Logged on user

https://officeclient.microsoft.com/config16

http://odc.officeapps.live.com/odc/emailhrd

No

No

N/A

TCP 80 & 443

9

Required: OneDrive for Business: Oauth login with AAD

Client Computer | Logged on user

login.microsoftonline.com

No

Yes

N/A

TCP 443

10

Required: Client push notification

Client Computer | Logged on user

wns.windows.com

No

No

N/A

TCP 443

11

Optional: OneDrive for Business: supportability and telemetry

Client Computer | Logged on user

ssw.live.com

mobile.pipe.aria.microsoft.com

watson.telemetry.microsoft.com

No

No

N/A

TCP 443

12

Optional: OneDrive for Business: Office integration

Client Computer | Logged on user

nexus.officeapps.live.com

No

No

N/A

TCP 443

13

Optional: APIs to allow users to get help and retrieve logs to diagnose.

Client Computer | Logged on user

storage.live.com/clientLogs

storage.live.com/sendFeedback

No

No

N/A

TCP 443

14

Optional: embedded email links

Client Computer | Logged on user

click.email.microsoftonline.com

No

No

N/A

TCP 443

15

Optional: SharePoint Hybrid Search - Endpoint to SearchContentService where the hybrid crawler feeds documents

The crawler on the on-prem SP authenticates to SCS as the tenant that does the feeding.

*.search.msit.us.trafficmanager.net

*.search.production.us.trafficmanager.net

*.search.production.emea.trafficmanager.net

*.search.production.apac.trafficmanager.net

No

No

N/A

TCP 443

16

Optional: SharePoint Hybrid Search - Endpoint to SearchContentService to successfully authenticate to remote farm with OAuth authentication and authorization. The authorization server in this scenario is Microsoft Azure Access Control Service (ACS).

The Host Controller/Node Runner Account on the on-prem SP server.

accounts.accesscontrol.windows.net

No

No

N/A

TCP 443

17

Optional: SharePoint Hybrid Search - Required for onboarding script to connect to Office 365 Provisioning Web Services. As a part of script execution adds the Office 365 Service Principal ID to the local farm and sets the correct Service Principal Name in Azure AD for the on-premises URL. This ensures that the outbound query federation can occur between the Office 365 tenant and the on-premises farm

Global admin or equivalent credentials on the tenant for which Hybrid Search is being configured

provisioningapi.microsoftonline.com

No

No

N/A

TCP 443

1 This FQDN needs to be in your client's IE Trusted Sites Zone for Explorer View to function.

Note: ExpressRoute for Office 365 currently does not support IPv6. Customers not using ExpressRoute will want to ensure both IP lists below are reachable over the internet.

SharePoint Online IPv4 endpoints routable through the Internet and ExpressRoute

SharePoint Online IPv6 endpoints routable through the Internet only

13.107.6.150/31
13.107.6.168/32
13.107.9.150/31
13.107.9.168/32
40.108.0.0/19
40.108.128.0/17
52.104.0.0/14
104.146.0.0/19
104.146.128.0/17
134.170.200.0/21
134.170.208.0/21
191.232.0.0/23
191.234.128.0/21
191.235.0.0/20
2620:1ec:a92::150
2620:1ec:4::150
2620:1ec:6::129 
2a01:111:f402::/48
2801:80:1d0:1400::/54

(Back to top | Office 365 portal and shared | Office 365 authentication and identity | Exchange Online | Skype for Business Online | SharePoint Online | Office 365 Video | Exchange Online Protection (EOP) | Office 365 remote analyzer tools | Office Clients | Office Online | Yammer | Sway | Planner)

Office 365 Video

To use Office 365 Video, you must be able to connect to the endpoints marked required below.

Row

Purpose

Source | Credentials

Destination

CDN

ExpressRoute for Office 365

Destination IP

Destination Port

1

Required: Authentication and identity

See Office 365 authentication and identity

2

Required: Portal and shared

See Office 365 portal and shared including the well known certificate root CRLs.

3

Required: SharePoint Online endpoints listed above as required

See SharePoint Online

4

Required: Office 365 Video

Client Computer | Logged on user

*.keydelivery.mediaservices.windows.net

*.streaming.mediaservices.windows.net

Azure Media Services

Uses Azure Media Services 1

N/A

TCP 443

5

Required: Office 365 Video

Client Computer | Logged on user

ajax.aspnetcdn.com

Yes

No

N/A

TCP 443

6

Required: Office 365 Video

Client Computer | Logged on user

r3.res.outlook.com

Akamai

No

N/A

TCP 443

7

Required: Office 365 Video

Client Computer | Logged on user

spoprod-a.akamaihd.net

Akamai

No

N/A

TCP 443

1 See additional information about supported services over Azure ExpressRoute and the Public peering path.

(Back to top | Office 365 portal and shared | Office 365 authentication and identity | Exchange Online | Skype for Business Online | SharePoint Online | Office 365 Video | Exchange Online Protection (EOP) | Office 365 remote analyzer tools | Office Clients | Office Online | Yammer | Sway | Planner)

Office Online

To use Office Online, you must be able to connect to the endpoints marked required below.

Row

Purpose

Source |Credentials

Destination

CDN

ExpressRoute for Office 365

Destination IP

Destination Port

1

Required: Authentication and identity

See Office 365 authentication and identity

2

Required: Portal and shared

See Office 365 portal and shared including the well known certificate root CRLs.

3

Required: Office Online

Client Computer | Logged on user

*broadcast.officeapps.live.com

*excel.officeapps.live.com

*onenote.officeapps.live.com

*powerpoint.officeapps.live.com

*view.officeapps.live.com

*visio.officeapps.live.com

*word-edit.officeapps.live.com

*word-view.officeapps.live.com

No

Yes

Office Online IP Ranges.

TCP 443

4

Required: Content Delivery Network for Office Web Apps

Client Computer | Logged on user

*.cdn.office.net

Akamai

No

N/A

TCP 443

Note: The wildcards under the officeapps.live.com namespace, such as *visio.officeapps.live.com represents a 20+ list of regional nodes that are subject to change as the service expands.

Note: ExpressRoute for Office 365 currently does not support IPv6

Office Web Apps IPv4 endpoints routable through the Internet and ExpressRoute

Office Web Apps IPv6 endpoints routable through the Internet only

13.69.187.20/32
13.70.184.242/32
13.71.155.176/32
13.75.153.216/32
13.76.140.48/32
13.78.114.39/32
13.85.84.102/32
13.88.248.161/32
13.88.254.212/32
13.94.209.165/32
23.103.183.15/32
40.68.166.51/32
40.74.130.243/32
40.74.138.42/32
40.76.54.124/32
40.86.230.88/32
40.114.192.209/32
40.117.226.146/32
40.126.236.216/32
40.127.79.139/32
52.169.109.48/32
52.172.13.171/32
52.172.153.104/32
52.175.25.142/32
52.232.128.169/32
104.40.225.204/32
104.41.62.54/32
104.211.103.207/32
104.211.229.230/32
104.214.38.136/32
104.215.194.17/32
134.170.27.86/32
134.170.48.20/32
134.170.48.22/32
134.170.65.86/32
134.170.170.86/32
137.116.172.39/32
137.135.65.72/32
191.235.87.181/32
191.237.40.220/32
2a01:111:f406:8800::/64
2a01:111:f406:400::/64
2a01:111:f406:1c01::/64
2a01:111:f406:9400::/64
2a01:111:f406:2402::/64
2a01:111:f406:a804::/64 
2a01:111:f406:b401::/64
2620:1ec:c11::204
2a01:111:202c::204
2620:1ec:c11::205
2a01:111:202c::205
2603:1020:201::37
2a01:111:f100:a004::bfeb:8ba7
2a01:111:f100:7000::6fdd:6cd5
2a01:111:f100:2002::8975:2da8

(Back to top | Office 365 portal and shared | Office 365 authentication and identity | Exchange Online | Skype for Business Online | SharePoint Online | Office 365 Video | Exchange Online Protection (EOP) | Office 365 remote analyzer tools | Office Clients | Office Online | Yammer | Sway | Planner)

Yammer

To use Yammer, you must be able to connect to the endpoints marked required below.

Row

Purpose

Source | Credentials

Destination

CDN

ExpressRoute for Office 365

Destination IP

Destination Port

1

Required: Authentication and identity

See Office 365 authentication and identity

2

Required: Portal and shared

See Office 365 portal and shared including the well known certificate root CRLs.

3

Required: Yammer

Client Computer | Logged on user

*.yammer.com1

*.yammerusercontent.com1

No

No

Yammer IP Ranges.

TCP 443

4

Required: Yammer

Client Computer | Logged on user

*.assets-yammer.com1

Varies

No

N/A

TCP 443

5

Optional: Document, video, & image storage/rendering

Client Computer | Logged on user

ajax.googleapis.com

*.cloudfront.net

No

No

N/A

TCP 443

1 This FQDN needs to be in your client's IE Trusted Sites Zone to function.

Note: The wildcard for yammer.com represents a long list of nodes that are exclusively used for Office 365.

Yammer IPv4 endpoints routable through the Internet only

13.107.6.158/31
13.107.9.158/31
134.170.148.0/22

(Back to top | Office 365 portal and shared | Office 365 authentication and identity | Exchange Online | Skype for Business Online | SharePoint Online | Office 365 Video | Exchange Online Protection (EOP) | Office 365 remote analyzer tools | Office Clients | Office Online | Yammer | Sway | Planner)

Sway

To use Sway, you must be able to connect to the endpoints marked required below.

Row

Purpose

Source | Credentials

Destination

CDN

ExpressRoute for Office 365

Destination IP

Destination Port

1

Required: Authentication and identity

See Office 365 authentication and identity

2

Required: Portal and shared

See Office 365 portal and shared including the well known certificate root CRLs.

3

Required: Sway

Client Computer | Logged on user

sway.com

www.sway.com

eus-www.sway.com

eus-000.www.sway.com

eus-001.www.sway.com

eus-002.www.sway.com

eus-003.www.sway.com

eus-004.www.sway.com

eus-005.www.sway.com

eus-006.www.sway.com

eus-007.www.sway.com

eus-008.www.sway.com

eus-009.www.sway.com

eus-00a.www.sway.com

eus-00b.www.sway.com

eus-00c.www.sway.com

eus-00d.www.sway.com

eus-00e.www.sway.com

wus-www.sway.com

wus-000.www.sway.com

wus-001.www.sway.com

wus-002.www.sway.com

wus-003.www.sway.com

wus-004.www.sway.com

wus-005.www.sway.com

wus-006.www.sway.com

wus-007.www.sway.com

wus-008.www.sway.com

wus-009.www.sway.com

wus-00a.www.sway.com

wus-00b.www.sway.com

wus-00c.www.sway.com

wus-00d.www.sway.com

wus-00e.www.sway.com

No

No

Sway IP Ranges.

TCP 443

4

Required: Sway

Client Computer | Logged on user

eus-www.sway-cdn.com

wus-www.sway-cdn.com

eus-www.sway-extensions.com

wus-www.sway-extensions.com

Akamai

No

N/A

TCP 443

5

Optional: Sway website analytics

Client Computer | Logged on user

c.microsoft.com c1.microsoft.com

prod.msocdn.com

www.google-analytics.com

No

No

N/A

TCP 443

6

Optional: Sway third party content

Client Computer | Logged on user

Access to third party content such as Bing, Flickr, and so on.

No

No

N/A

TCP 443

Sway IPv4 endpoints routable through the Internet only

40.76.22.51
40.76.30.255
40.76.213.143
40.76.216.125
40.76.221.181
40.76.222.175
40.83.185.108
40.114.8.214
40.114.14.121
40.114.15.142
40.114.45.182
40.114.40.12
40.114.51.204
40.114.51.239
40.118.210.94
40.112.188.120
40.118.131.134
40.118.135.86
40.118.131.27
40.118.209.10
104.41.155.129
104.210.43.160
137.135.51.71
137.135.52.204
138.91.155.70
138.91.159.117
138.91.160.172
138.91.245.66

(Back to top | Office 365 portal and shared | Office 365 authentication and identity | Exchange Online | Skype for Business Online | SharePoint Online | Office 365 Video | Exchange Online Protection (EOP) | Office 365 remote analyzer tools | Office Clients | Office Online | Yammer | Sway | Planner)

Planner

To use Planner, you must be able to connect to the endpoints marked required below.

Row

Purpose

Source | Credentials

Destination

CDN

ExpressRoute for Office 365

Destination IP

Destination Port

1

Required: Authentication and identity

See Office 365 authentication and identity

2

Required: Portal and shared

See Office 365 portal and shared including the well known certificate root CRLs.

3

Required: Planner

Browser/ authenticated user

tasks.office.com

controls.office.com

cus-000.tasks.osi.office.net

ea-000.tasks.osi.office.net

eus-zzz.tasks.osi.office.net

neu-000.tasks.osi.office.net

sea-000.tasks.osi.office.net

weu-000.tasks.osi.office.net

wus-000.tasks.osi.office.net

No

No

Planner IP Ranges.

TCP 443

4

Required: Planner

Browser/ authenticated user

outlook.office365.com

www.outlook.com

No

Yes

Exchange Online IP ranges & Portal and shared IP ranges.

TCP 443

5

Required: Planner

Browser/ authenticated user

clientlog.portal.office.com

No

No

Portal and shared IP ranges.

TCP 443

6

Required: Planner CDNs

Browser/ authenticated user

ajax.aspnetcdn.com

prod.msocdn.com

Akamai

No

N/A

TCP 443

Planner IPv4 endpoints routable through the Internet only

13.107.6.160/32
13.107.9.160/32
23.97.56.236/32
23.97.78.215/32
40.76.80.180/32
40.112.223.206/32
40.127.139.229/32
104.40.214.0/32
104.43.235.252/32

(Back to top | Office 365 portal and shared | Office 365 authentication and identity | Exchange Online | Skype for Business Online | SharePoint Online | Office 365 Video | Exchange Online Protection (EOP) | Office 365 remote analyzer tools | Office Clients | Office Online | Yammer | Sway | Planner)

Microsoft Teams

To use Microsoft Teams you must be able to connect to the endpoints marked required below.

Row

Purpose

Source |Credentials

Destination

CDN

ExpressRoute for Office 365

Destination IP

Destination Port

1

Required: Authentication and identity

See Office 365 authentication and identity

2

Required: Microsoft Teams.

Client computer / logged on user

teams.skype.com

teams.microsoft.com

api.teams.skype.com

img.teams.skype.com

webhook.teams.skype.com

statics.teams.skype.com

statics.teams.microsoft.com

bots.teams.skype.com

settings.teams.skype.com

emails.teams.skype.com

emails.teams.skype.net

N/A

No

N/A

TCP 443

3

Required: Microsoft Teams collaboration

Client computer / logged on user

*.conv.skype.com1

*.asm.skype.com1

*.cc.skype.com1

*.msg.skype.com1

*.trouter.io1

*.dc.trouter.io1

prod.registrar.skype.com

prod.tpc.skype.com

amer-client-ss.msg.skype.com

amer-server-ss.msg.skype.com

us-api.asm.skype.com

emea-client-ss.msg.skype.com

emea-server-ss.msg.skype.com

eu-api.asm.skype.com

apac-client-ss.msg.skype.com

apac-server-ss.msg.skype.com

ea-api.asm.skype.com

N/A

No

N/A

TCP 443

4

Required: Microsoft Teams media

Client computer / logged on user

N/A

N/A

No

13.107.3.0/24
13.107.8.0/24
104.44.195.0/24
104.44.200.0/24
104.44.201.0/24

TCP 443

UDP 3478-3481

UDP + TCP 50000-60000

5

Required: Microsoft Teams shared services

Client computer / logged on user

*.blob.core.windows.net

*.config.skype.com2

*.feedback.skype.com

*.licensing.mp.microsoft.com

*.msedge.net

*.pipe.skype.com

mobile.pipe.aria.microsoft.com

ssdesktopbuild.blob.core.windows.net

s-0001.s-msedge.net

s-0002.s-msedge.net

scsquery-ss-us.trafficmanager.net

scsquery-ss-eu.trafficmanager.net

scsquery-ss-asia.trafficmanager.net

N/A

No

N/A

TCP 443

a.config.skype.com

b.config.skype.com

N/A

Yes

Skype for Business IP ranges.

TCP 443

6

Optional: Microsoft Teams third-party integrations

Client computer / logged on user

*.giphy.com

N/A

No

N/A

TCP 443

7

Optional: Messaging interop with Skype for Business

Client computer / logged on user

skypemaprdsitus.trafficmanager.net

pipe.skype.com

swx.cdn.skype.com

latest-swx.cdn.skype.com

graph.skype.com

N/A

No

N/A

TCP 443

*.lync.com

N/A

Yes

Skype for Business IP ranges.

TCP 443

8

Optional: Messaging interop with Skype for Business Client Configurations

Client computer / logged on user

a.config.skype.comb.config.skype.com

config.edge.skype.com

N/A

Yes

13.107.3.128/32
13.107.3.129/32
23.99.213.58/32
23.101.115.193/32
23.101.116.26/32
23.101.156.198/32
23.101.158.111/32
23.102.17.214/32
23.102.24.114/32
40.68.229.156/32
40.68.230.133/32
40.78.145.194/32
104.40.75.8/32
104.40.76.196/32
191.233.80.151/32
191.233.95.169/32
191.234.19.21/32
191.234.20.241/32
191.234.21.145/32
191.234.23.27/32

TCP 443

1 These wildcards represent regional installations of these services.

2 There are specific sub-FQDNs within this domain that are available on ExpressRoute, learn more by reading the section, Deciding which applications and features route over ExpressRoute.

Microsoft Teams IPv4 endpoints routable through the Internet only

Microsoft Teams IPv6 endpoints routable through the Internet only

13.67.186.105/32
13.67.214.76/32
13.67.222.144/32
13.67.234.27/32
13.75.42.168/32
13.88.183.247/32
13.89.44.84/32
13.91.40.251/32
13.91.108.91/32
13.93.209.18/32
13.94.47.37/32
13.95.236.192/32
13.107.3.0/24
13.107.8.0/24
23.99.101.49/32
23.99.115.104/32
23.99.121.255/32
23.99.122.87/32
23.99.124.9/32
40.77.16.36/32
40.78.68.158/32
40.78.71.48/32
40.79.38.101/32
40.79.74.185/32
40.83.176.46/32
40.86.90.132/32
52.163.224.242/32
52.163.231.126/32
52.164.255.104/32
52.165.35.53/32
52.169.30.95/32
52.169.105.194/32
52.169.106.115/32
52.174.166.73/32
52.174.166.107/32
52.174.166.156/32
52.175.38.240/32
52.178.34.159/32
52.178.36.12/32
52.178.36.169/32
52.178.38.115/32
52.178.145.227/32
52.178.148.1/32
52.178.148.152/32
52.178.158.225/32
104.42.229.230/32
104.44.195.0/24
104.44.200.0/24
104.44.201.0/24
104.46.96.162/32
104.46.97.194/32
104.46.101.116/32
104.46.105.95/32
104.208.152.137/32
104.210.1.218/32
111.221.101.75/32
137.116.157.126/32
137.116.159.19/32
137.116.159.228/32
2620:1ec:6::/48

(Back to top | Office 365 portal and shared | Office 365 authentication and identity | Exchange Online | Skype for Business Online | SharePoint Online | Office 365 Video | Exchange Online Protection (EOP) | Office 365 remote analyzer tools | Office Clients | Office Online | Yammer | Sway | Planner)

Office clients

Office clients include both desktop and mobile clients, the online endpoints these applications use to improve the product experience are detailed below.

Network requests in Office 2016 for Mac

To understand Office 2016 for Mac endpoint requirements, refer to our reference article Network requests in Office 2016 for Mac.

Network requests for Office clients

To understand Office client network requests including, Office 365 ProPlus, Office 2016 for Windows, Outlook App for iOS and Windows, and OneNote refer to the article Network requests in Office 365 ProPlus.

Office 365 remote analyzer tools

To use the Office 365 remote analyzer tools you must be able to connect to the endpoints described below.

Row

Purpose

Source | Credentials

Destination

CDN

ExpressRoute for Office 365

Destination IP

Destination Port

1

Required: Remote Connectivity Analyzer - Initiate connectivity tests.

Web Browser | Logged on user

testconnectivity.microsoft.com

No

No

13.67.59.89/32

40.85.91.8/32

104.208.36.70/32.

TCP 80 & 443

2

Required: Remote Connectivity Analyzer - Captcha & support services

Web Browser | Logged on user

client.hip.live.com

wu.client.hip.live.com

support.microsoft.com

No

No

N/A

TCP 80 & 443

3

Required: Remote Connectivity Analyzer - Execution of the tests selected by the customer.

testconnectivity.microsoft.com | Provided by customer on the testconnectivity website

On-premises systems for email and collaboration.

No

No

Customer IP ranges

80, 443, 25, POP3 on (110, 995, or Custom), IMAP4 on (143, 993, or Custom)

4

Required: Certificate revocation lists

Web Browser | Logged on user

See well known certificate root CRLs in the table below.

No

No

N/A

TCP 80 & 443

5

Required: Microsoft Support and Recover Assistant for Office 365 - Validate single sign-on user credentials.

o365diagnosticsbasic-eus.cloudapp.net (104.211.54.99)

o365diagnosticworker-eus.cloudapp.net (104.211.54.134)

On-premises STS

No

No

Customer IP ranges

Customer configurable. Typically TCP 443

(Back to top | Office 365 portal and shared | Office 365 authentication and identity | Exchange Online | Skype for Business Online | SharePoint Online | Office 365 Video | Exchange Online Protection (EOP) | Office 365 remote analyzer tools | Office Clients | Office Online | Yammer | Sway | Planner)

See Also

Network connectivity to Office 365

Managing Office 365 endpoints

Troubleshooting Office 365 connectivity

Client connectivity

Content delivery networks

Share Facebook Facebook Twitter Twitter Email Email

Was this information helpful?

Great! Any other feedback?

How can we improve it?

Thank you for your feedback!

×