Office Support / Office 365 Admin / Setup

Office 365 URLs and IP address ranges

Summary   : This article lists all endpoints used by Office 365. If your organization restricts computers on your network from connecting to the Internet, this article lists the endpoints (FQDNs, IPv4, and IPv6 address ranges) you should include in your outbound allow lists and Internet Explorer Trusted Sites Zone of client computers to ensure your computers can successfully use Office 365. FQDN allow lists are the recommended approach due to the modern web architecture of Office 365.

Subscribe via RSS RSS to receive notice when URLs and IP addresses are changed.

If you are using Office 365 operated by 21Vianet in China, see URLs and IP address ranges for Office 365 operated by 21Vianet. If you’ve already deployed Office 365 are troubleshooting connectivity issues, check out our Network planning and performance tuning for Office 365.

  IP addresses filtering isn’t a complete solution due to dependencies on Content Delivery Networks (CDNs)

Many Office 365 features rely on Microsoft and/or 3rd party Content Delivery Networks. We are unable to provide the IP addresses of those services. To understand more about CDNs and regional datacenters, please see our further explanation of Content delivery networks and Client connectivity. Filtering by IP address works for connections directly to Office 365. Some 3rd party services don't publish their IP addresses making IP address filtering difficult . The following is a list of additional problem areas when using only IP address filtering:

  • Web clients such as the Office 365admin portal or Outlook Web App won’t be able to authenticate.

  • Updates will be required as frequently as weekly.

  • Certificate Revocation Lists (CRLs) are a required part of using Office 365 securely, IP addresses are unavailable for CRL endpoints.

  • Future non-web based clients may not be able to authenticate.

  • Additional Office 365 infrastructure won’t become instantly available to client computers.

  • There will be more emergency or retroactive updates

Tip   If IP address filtering is your only option, an automatic proxy configuration file can be used to route the destinations marked below as CDNs through an alternate path, such as through an outbound proxy.

Some of our services do overlap with one another and you will notice the overlap or duplication in the lists of endpoints. There is also some domain name overlapping with our consumer services; while the root domain name is the same, Office 365 operates from a separate sub-domain. If you’re going to add IP addresses to your allow lists, keep in mind that IPv6 is optional and not required. We provide it here for customers who wish to use IPv6.

  In most cases, updates are made to this page 14-30 days ahead of the end point being used. Occasionally emergency capacity will be added with a shorter notification window. We know this can be problematic and recommend using URL filtering instead of IP filtering to reduce the impact of these unavoidable emergencies. All notifications will be made via the RSS feed. You should subscribe to the feed in your favorite reader. Here is how to subscribe via Outlook or you can have the RSS feed updates emailed to you.

Want to access the IP addresses programmatically? We now offer all updates via XML.

Office 365 portal and identity

The endpoints listed in this section are only to support the portal and identity portion of Office 365. You’ll want to add these along with the endpoints for each of the workloads you’re deploying on your network.

If you’re using Active Directory Federation Services (AD FS) with your deployment, you can also use AD FS client access policies with Windows Server 2012 R2 or client access policies with AD FS 2.0 and to further restrict and control access to Office 365.

Purpose

Credentials Used

Source

Source Port

Destination

CDN Provider(s)

Destination IP

Destination Port

Required: Office 365 Portal and help content

logged on user

Client Computer

Ephemeral ports

Portal.Office.com

Home.Office.com

*.office365.com

*.office.com

*.office.net

See row three and four

See tables below.

TCP 80 & 443

Required: Authentication and support services

logged on user

Client Computer

Ephemeral ports

*.microsoftonline.com

*.microsoft.com

*.live.com

*.windows.net

See row three and four

See tables below.

TCP 80 & 443

Required: CDNs used for portal and authentication

logged on user

Client Computer

Ephemeral ports

*.microsoftonline-p.com

*.microsoftonline-p.net

*.microsoftonlineimages.com

*.msecnd.net

Microsoft

IP addresses not provided

TCP 80 & 443

Required: CDNs used for portal and authentication

logged on user

Client Computer

Ephemeral ports

*.msocdn.com

Akamai

IP addresses not provided

TCP 80 & 443

Required: Default tenant namespace (mail routing, etc.)

logged on user

Client Computer

TCP 80, 25, & 443

*.onmicrosoft.com

Various

See tables below.

TCP 80, 25, & 443

Required: Global DNS load balancing services

logged on user

Client Computer

TCP 80 & 443

*.glbdns.microsoft.com

None

IP addresses not provided

TCP 80 & 443

Required: Microsoft Azure Active Directory

logged on user

Client Computer

Ephemeral ports

*.activedirectory.windowsazure.com

None

See tables below.

TCP 80 & 443

Optional: Microsoft Azure Active Directory (MFA)

logged on user

Client Computer

Ephemeral ports

*.phonefactor.net

None

See tables below.

TCP 80 & 443

Required: Certificate revocation lists

logged on user

Client Computer

TCP 80 & 443

See well known certificate root CRLs in the table below.

None

IP addresses not provided

TCP 80 & 443

Optional: Azure Rights Management

logged on user

Client Computer

Ephemeral ports

*.aadrm.com

*.azurerms.com

*.cloudapp.net

None

IP addresses not provided

TCP 80 & 443

Optional: Microsoft Azure Active Directory RemoteApp

logged on user

Client Computer

Ephemeral ports

dc.services.visualstudio.com

liverdcxstorage.blob.core.windowsazure.com

telemetry.remoteapp.windowsazure.com

vortex.data.microsoft.com

www.remoteapp.windowsazure.com

None

IP addresses not provided

TCP 443

Optional: DirSync (legacy)

Machine^ and Service Account

DirSync Server

TCP 80 & 443

*.microsoftonline.com

*.windows.net

+Certificate Revocation Lists (see table below)

None

See tables below.

TCP 80 & 443

Optional: Azure AD Connect (recommended)

Service Account

Azure AD Connect Server

TCP 80 & 443

*.microsoftonline.com

*.windows.net

+Certificate Revocation Lists (see table below)

None

See tables below.

TCP 80 & 443

Optional: Azure AD Connect (w/SSO option) – WinRM & remote powershell

Service Account

Client Computer

TCP 80 & 443

Customer STS environment (AD FS Server and AD FS Proxy)

None

Customer environment

TCP 80 & 443

Optional: STS such as AD FS Proxy server(s) (for federated customers only)

None

Client Computer

TCP 443 or TCP 49443 w/ClientTLS

Customer STS (such as AD FS Proxy)

None

Customer environment

TCP 443 or TCP 49443 w/ClientTLS

Optional: AD FS Proxy server(s) (for federated customers only)

None

Customer AD FS Proxy (WAP)

TCP 443

Customer AD FS Server (FS)

None

Customer environment

TCP 443

Optional: Office 365 Management Pack for Operations Manager

Machine^ Account

Customer Operations Manager environment

TCP 80 & 443

office365servicehealthcommunications.cloudapp.net

None

IP addresses not provided

TCP 443

^Keep in mind that Machine accounts won’t work with proxies that require outbound authentication.

Portal and Identity uses the following IP ranges.

Office 365 IPv4 Addresses

Office 365 IPv6 Addresses

Certificate Revocation List (Root URLs)

23.96.208.238
23.97.64.252
23.97.66.55
23.97.66.110
23.97.68.113
23.97.70.147
23.97.72.158
23.97.72.161
23.97.72.165
23.97.98.128
23.97.99.4
23.97.99.164
23.97.100.76
23.97.100.92
23.97.100.105
23.97.100.152
23.97.102.90
23.97.103.118
23.97.139.122
23.97.145.9
23.97.148.36
23.97.148.228
23.97.152.190
23.98.66.168
23.98.69.116
23.98.70.90
23.99.116.116
23.99.121.207
23.99.128.120
23.99.129.26
23.99.129.173
23.99.193.105
23.99.194.77
23.99.196.232
23.99.226.167
23.99.227.124
23.100.86.91
23.101.14.229
23.101.19.99
23.101.25.224
23.101.30.126
23.101.178.227
23.101.187.91
23.102.4.253
23.102.64.16
23.102.64.138
23.102.64.255
23.102.65.171
23.102.65.203
23.102.65.221
23.102.155.140
65.52.26.28
65.52.64.61
65.52.64.230
65.52.129.119
65.52.136.224
65.52.144.125
65.52.148.27
65.52.160.218
65.52.176.72
65.52.184.75
65.52.196.64
65.52.209.62
65.52.219.207
65.52.228.75
65.52.228.99
65.52.228.100
65.52.232.52
65.52.233.128
65.52.236.160
65.52.240.73
65.52.240.200
65.52.244.66
65.54.54.32/27
65.54.55.201
65.54.74.0/23
65.54.80.0/20
65.54.165.0/25
65.55.86.0/23
65.55.233.0/27
65.55.239.168
70.37.56.152
70.37.81.47
70.37.97.234
70.37.128.0/23
70.37.142.0/23
70.37.150.128/25
70.37.159.0/24
70.37.160.72
70.37.160.202
94.245.68.0/22
94.245.82.0/23
94.245.84.0/24
94.245.86.0/24
94.245.88.223
94.245.88.194
94.245.117.53
94.245.108.85
104.41.1.233
104.41.207.73
104.43.140.223
104.45.11.195
104.45.214.112
104.46.1.211
104.46.50.125
104.209.190.8
104.210.4.77
104.210.40.87
104.210.212.243
104.215.146.200
104.215.198.144
111.221.16.0/21
111.221.24.0/21
111.221.70.0/25
111.221.71.0/25
111.221.104.43
111.221.111.196
111.221.127.112/28
132.245.0.0/16
134.170.0.0/16
137.135.47.6
137.135.47.4
137.135.47.28
137.116.32.43
137.116.32.61
137.116.32.101
137.116.48.66
137.116.48.69
137.116.49.27
137.116.49.210
137.116.64.35
137.116.64.162
137.116.65.59
137.116.66.126
137.116.80.106
137.116.81.187
137.116.129.62/32
137.116.242.169
137.117.99.175
137.117.103.21
137.117.146.106
137.117.198.210
137.135.41.12/32
137.135.42.195/32
137.135.43.100/32
137.135.44.5/32
137.135.44.73/32
137.135.48.128/32
137.135.60.254
137.135.160.110
138.91.1.59
138.91.2.208
138.91.2.210
138.91.2.212
138.91.17.43
138.91.17.108
138.91.18.52
138.91.64.46
138.91.246.237
157.55.45.128/25
157.55.59.128/25
157.55.80.41
157.55.80.94
157.55.80.175
157.55.80.182
157.55.84.13/32
157.55.84.19/32
157.55.84.80/32
157.55.84.237/32
157.55.130.0/25
157.55.145.0/25
157.55.155.0/25
157.55.161.59
157.55.161.75
157.55.168.18
157.55.168.184
157.55.176.63
157.55.177.39
157.55.184.223
157.55.185.100
157.55.194.46
157.55.208.58
157.55.208.198
157.55.208.218
157.55.227.192/26
157.55.252.101
157.56.0.0/16
157.56.8.78
157.56.28.192
157.56.162.166
168.61.32.214
168.61.33.178/32
168.61.35.252/32
168.61.36.121
168.61.37.63/32
168.61.38.105
168.61.39.14/32
168.61.82.81/32
168.61.83.48/32
168.61.85.180/32
168.61.85.193/32
168.61.144.76
168.61.170.80
168.61.208.197
168.62.4.28
168.62.4.48
168.62.11.24
168.62.11.117
168.62.16.112
168.62.16.140
168.62.16.149
168.62.16.252
168.62.24.38
168.62.24.104
168.62.24.114
168.62.24.150
168.62.29.225
168.62.41.25
168.62.42.89
168.62.43.8
168.62.52.198
168.62.52.203
168.62.56.108
168.62.60.71
168.62.60.80
168.62.104.146
168.62.105.126
168.62.105.217
168.62.106.152
168.62.176.34
168.62.179.4
168.62.180.151
168.62.202.67
168.62.204.209
168.63.16.66/32
168.63.16.112/32
168.63.16.114/32
168.63.16.141
168.63.17.108
168.63.17.221/32
168.63.18.131
168.63.25.227
168.63.27.2
168.63.29.74
168.63.52.117
168.63.92.133
168.63.100.61
168.63.138.56
168.63.139.159
168.63.152.235
168.63.166.200
168.63.165.67
168.63.164.177
168.63.172.54
168.63.173.188
168.63.208.73/32
168.63.213.203/32
168.63.213.238
168.63.214.35/32
168.63.216.117/32
168.63.250.173/32
168.63.252.39/32
168.63.252.62
168.63.252.71/32
191.232.2.128/25
191.233.32.111
191.233.32.201
191.233.37.141
191.234.6.0/24
191.234.55.177
191.235.135.139
191.235.135.222
191.236.88.160
191.236.155.80
191.236.192.179
191.237.128.159
191.237.218.239
191.238.80.160
191.238.80.241
191.238.81.69
191.238.83.220
191.238.160.173
191.238.177.236
191.238.224.150
191.239.64.124
191.239.64.125
191.239.64.129
191.239.64.130
191.239.64.131
191.239.64.132
191.239.64.133
191.239.64.134
191.239.160.4
191.239.160.93
191.239.160.143
191.239.160.140
191.239.160.144
191.239.160.145
191.239.160.141
191.239.160.142
207.46.57.128/25
207.46.70.0/24
207.46.73.250
207.46.129.169
207.46.198.0/25
207.46.206.0/23
207.46.216.54
213.199.128.58
213.199.128.91
213.199.128.119
213.199.132.97
213.199.148.0/23
213.199.182.128/25
2801:80:1d0:1c00::/64
2a01:111:f406:1000::/64
2a01:111:f406:1801::/64
2a01:111:f406:1::/64
2a01:111:f406:a003::/64
2a01:111:f100:1004::4134:f0c8
2603:1030:800:5::bfee:a0ad
2a01:111:f100:a001::a83f:5c85
2a01:111:f100:8001::d5c7:8077
2a01:111:f100:7000::6fdd:682b
2a01:111:f102:8001::1761:4237
crl.microsoft.com 
evsecure-ocsp.verisign.com
evsecure-aia.verisign.com
evsecure-crl.verisign.com
sa.symcb.com
sd.symcb.com
*.omniroot.com
*.verisign.com
*.symcb.com
*.symcd.com
*.verisign.net
*.geotrust.com
*.entrust.net
*.public-trust.com

(Back to top)

Exchange Online

If you have licensed Exchange Online as a standalone or as part of a suite, you must be able to reach the following endpoints. Where there is a reference to another section such as the references to Office 365 portal and identity and Exchange Online Protection, you will need to ensure the endpoints listed in those tables are also included in your outbound allow lists.

Purpose

Credentials Used

Source

Source Port

Destination

CDN Provider(s)

Destination IP

Destination Port

Required: Authentication

See Office 365 portal and identity

Required: Portal

See Office 365 portal and identity

Required:Exchange OnlineProtection

See Exchange Online Protection (EOP)

Required: Client SMTP Relay

Logged on user

Client Computer

Ephemeral ports

smtp.office365.com

None

See table below.

TCP 587

Required:Exchange Online

Logged on user

Client Computer

Ephemeral ports

outlook.office365.com

outlook.office.com

None

See table below.

TCP 80 & 443

Required:Exchange Online

Logged on user

Client Computer

Ephemeral ports

r1.res.office365.com

Akamai

IP addresses not provided

TCP 80 & 443

Required:Exchange Online

Logged on user

Client Computer

Ephemeral ports

r3.res.office365.com

Akamai

IP addresses not provided

TCP 80 & 443

Required:Exchange Online

Logged on user

Client Computer

Ephemeral ports

r4.res.office365.com

Akamai

IP addresses not provided

TCP 80 & 443

Required:Exchange Online

Logged on user

Client Computer

Ephemeral ports

*.outlook.com

None

See table below.

TCP 80 & 443

Required: Certificate revocation lists

logged on user

Client Computer

TCP 80 & 443

See well known certificate root CRLs in the table below.

None

IP addresses not provided

TCP 80 & 443

Optional: Exchange Hybrid Only

Machine account^

Existing Exchange Client Access Servers

TCP 80 & 443

outlook.office365.com

outlook.office.com

None

See table below.

TCP 80 & 443

Optional: Exchange Hybrid Co-existence

N/A

Exchange Online IPs (See table below.)

Dynamic

Customer on-premise Exchange

None

Customer IP

TCP 443

Optional: Exchange Proxy Authentication

N/A

Exchange Online IPs (See table below.)

Dynamic

Customer on-premise STS

None

Customer IP

TCP 443

Optional: Exchange Hybrid Configuration Wizard

N/A

Existing Exchange service

Ephemeral ports

hybridconfiguration.azurewebsites.net

*.hybridconfiguration.azurewebsites.net

None

IP addresses not provided

TCP 443

Optional:Exchange OnlineIMAP4 migration

N/A

IMAP4 Service

TCP 143/993

outlook.office365.com

outlook.office.com

None

See table below.

TCP 143/993

Optional:Exchange OnlinePOP3 migration

N/A

POP3 Service

TCP 995

outlook.office365.com

outlook.office.com

None

See table below.

TCP 995

Optional: All other Exchange Online migration tools

N/A

Existing Exchange service (EWS or MRS)

TCP 80 & 443

outlook.office365.com

outlook.office.com

None

See table below.

TCP 80 & 443

^Keep in mind that Machine accounts won’t work with proxies that require outbound authentication.

Exchange Online uses the following IP ranges.

Exchange Online IPv4 Addresses

Exchange Online IP Addresses

Well known certificate root FQDNs

23.103.160.0/20
23.103.224.0/19
40.96.0.0/16
40.97.0.0/16
40.98.0.0/16
40.99.0.0/16
40.100.0.0/16
40.101.0.0/16
40.102.0.0/16
40.103.0.0/16
40.104.0.0/16
40.105.0.0/16
65.54.62.0/25
65.55.39.128/25
65.55.78.128/25
65.55.94.0/25
65.55.113.64/26
65.55.126.0/25
65.55.174.0/25
65.55.181.128/25
70.37.151.128/25
94.245.117.128/25
111.221.23.128/25
111.221.66.0/25
111.221.69.128/25
111.221.112.0/21
131.253.33.215
132.245.0.0/16
191.234.192.0/19
157.55.9.128/25
157.55.11.0/25
157.55.47.0/24
157.55.49.0/24
157.55.61.0/24
157.55.157.128/25
157.55.224.128/25
157.55.225.0/25
157.56.0.0/16
191.234.6.152
191.234.140.0/22
191.234.224.0/22
204.79.197.215
206.191.224.0/19
207.46.4.128/25
207.46.58.128/25
207.46.198.0/25
207.46.203.128/26
213.199.174.0/25
213.199.177.0/26
2a01:111:f400::/48
crl.microsoft.com 
evsecure-ocsp.verisign.com
evsecure-aia.verisign.com
evsecure-crl.verisign.com
sa.symcb.com
sd.symcb.com
*.omniroot.com
*.verisign.com
*.symcb.com
*.symcd.com
*.verisign.net
*.geotrust.com
*.entrust.net
*.public-trust.com

(Back to top)

Skype for Business Online

If you have licensed Skype for Business Online as a standalone or as part of a suite, you must be able to reach the Office 365 portal and identity URLs as well as the Skype for Business Online URLs or IP addresses. It’s also important to ensure you are able to reach the certificate root authorities as all Skype for Business Online communications are protected, you’ll find a partial list of possible root authorities client computers will need to be able to access.

Purpose

Credentials Used

Source

Source Port

Destination

CDN Provider(s)

Destination IP

Destination Port

Required: Authentication

See Office 365 portal and identity

Required: Portal

See Office 365 portal and identity

Required: SIP signaling

Logged on user

Client Computer

Ephemeral ports

*.Lync.com

None

See table below.

TCP 443

Required: Persistent Shared Object Model (PSOM) connections web conferencing

Logged on user

Client Computer

Ephemeral ports

*.Lync.com

None

See table below.

TCP 443

Required: HTTPS downloads

Logged on user

Client Computer

Ephemeral ports

*.Lync.com

None

See table below.

TCP 443

Required: Audio

Logged on user

Client Computer

TCP/UDP 50,000-50019

*.Lync.com

None

See table below.

TCP 443, UDP 3478, TCP/UDP 50,000-59,999

Required: Video

Logged on user

Client Computer

TCP/UDP 50,020-50039

*.Lync.com

None

See table below.

TCP 443, UDP 3478, TCP/UDP 50,000-59,999

Required: Desktop sharing

Logged on user

Client Computer

TCP/UDP 50,040-50059

*.Lync.com

None

See table below.

TCP 443, TCP 50,000-59,999

Required: Lync Mobile push notifications for Lync Mobile 2010 on iOS devices. You don't need this for Android, Nokia Symbian or Windows Phone mobile devices.

Logged on user

Client Computer

Ephemeral ports

*.Lync.com

None

See table below.

TCP 5223

Required: Certificate revocation lists

logged on user

Client Computer

TCP 80 & 443

See well known certificate root CRLs in the table below.

None

IP addresses not provided

TCP 80 & 443

Skype for Business Onlineuses the following IP ranges.

Skype for Business Online IPv4 Addresses

Skype for Business Online IPv6 Addresses

Well known certificate root FQDNs

23.103.128.0/25
23.103.128.128/25
23.103.129.0/25
23.103.129.128/25
23.103.130.0/26
23.103.130.64/26
23.103.130.128/26
23.103.130.192/26
23.103.176.128/26
23.103.176.192/27
23.103.178.128/26
23.103.178.192/27
40.110.0.0/16
65.55.121.128/27
65.55.127.0/24
66.119.157.0/25
66.119.157.160/27
66.119.157.192/26
66.119.158.0/25
111.221.17.128/27
111.221.22.64/26
111.221.76.96/27
111.221.76.128/25
111.221.77.0/26
111.221.122.192/26
131.253.128.0/25
131.253.128.128/25
131.253.129.0/25
131.253.129.128/26
131.253.129.143
131.253.130.0/25
131.253.130.128/26
131.253.131.0/25
131.253.131.128/26
131.253.132.0/25
131.253.134.0/25
131.253.136.0/25
131.253.136.128/25
131.253.138.128/25
131.253.140.128/25
131.253.141.128/25
131.253.160.0/26
131.253.160.128/26
131.253.160.64/26
131.253.161.128/26
131.253.161.192/26
131.253.162.128/26
131.253.178.0/27
131.253.178.64/27
132.245.0.0/24
132.245.1.0/25
132.245.112.0/24
132.245.113.0/25
132.245.128.0/24
132.245.129.0/25
132.245.161.0/24
132.245.162.0/25
132.245.192.0/24 
132.245.193.0/25
132.245.208.0/24
132.245.209.0/25
134.170.0.0/25
134.170.53.32/27
134.170.54.0/26
134.170.54.128/25
134.170.58.224/27
134.170.113.192/26
134.170.115.0/27
134.170.115.128/25
134.170.119.224/27
157.55.40.128/25
157.55.46.0/27
157.55.46.64/26
157.55.229.128/27
157.55.232.128/26
157.55.238.0/25
157.56.135.64/26
157.56.135.160/27
157.56.184.224/27
157.56.185.0/26
191.232.80.96/27
191.232.83.0/27
191.232.83.32/27
191.232.83.64/27
207.46.5.0/24
207.46.7.128/27
207.46.57.0/25
2a01:111:12:5::/64
2a01:111:2007:3::/64
2a01:111:200f:6::/64
2a01:111:200f:7::/64 
2a01:111:2012:2::/64 
2a01:111:2012:3::/64
2a01:111:202b:4::/64
2a01:111:2034:2::/64
2a01:111:2035:6::/64
2a01:111:2035:6::/64
2a01:111:2035:7::/64
2a01:111:2035:7::/64
2a01:111:2036:2::/64
2a01:111:203e:1::/64
2a01:111:2040:1::/64
2a01:111:2046:4::/64
2a01:111:2a:7::/6
2a01:111:2a:8::/64
2a01:111:2a:9::/64
2a01:111:2a:a::/64
2a01:111:2b:2::/64
2a01:111:306:2::/64
2a01:111:307:2::/64
2a01:111:41:1::/64
2a01:111:43:1::/64
2a01:111:6:4::/64
2a01:111:f402:5803::/64
2a01:111:f404:0c06::/64
2a01:111:f404:0c07::/64
2a01:111:f404:0c09::/64
2a01:111:f404:0c0a::/64
2a01:111:f404:3400::/64
2a01:111:f404:3401::/64
2a01:111:f404:8002::/64
2a01:111:f404:8003::/64
2a01:111:f404:9400::/64
2a01:111:f404:9401::/64
2a01:111:f404:a000::/64
2a01:111:f404:a001::/64
2a01:111:f404:a800::/64
2a01:111:f404:a801::/64
2a01:111:f406:2400::/64
2a01:111:f406:2401::/64
2a01:111:f406:402::/64
2a01:111:f406:403::/64
crl.microsoft.com 
evsecure-ocsp.verisign.com
evsecure-aia.verisign.com
evsecure-crl.verisign.com
sa.symcb.com
sd.symcb.com
*.omniroot.com
*.verisign.com
*.symcb.com
*.symcd.com
*.verisign.net
*.geotrust.com
*.entrust.net
*.public-trust.com

(Back to top)

SharePoint Online

If you have licensed SharePoint Online as a standalone or as part of a suite, you must be able to reach the Office 365 portal and identity URLs as well as the SharePoint Online URLs or IP addresses.

This list also applies to many of the new applications that are dependent on SharePoint Online, such as Power BI, Project Online, Delve, and Office 365 Video. The Yammer endpoints are listed separately.

Purpose

Credentials Used

Source

Source Port

Destination

CDN Provider(s)

Destination IP

Destination Port

Required: Authentication

See Office 365 portal and identity

Required: Portal

See Office 365 portal and identity

Required:SharePoint Online and associated applications

Logged on user

Client Computer

Ephemeral ports

*.sharepoint.com

None

See table below.

TCP 80 & 443

Required: CDNs for SharePoint Online and associated applications

logged on user

Client Computer

Ephemeral ports

*.sharepointonline.com

Cdn.sharepointonline.com

Static.sharepointonline.com

Prod.msocdn.com

Microsoft & Akamai

IP addresses not provided

TCP 80 & 443

Required:SharePoint Online inbound mail

Logged on user

See table below.

TCP 25

Customer environment

None

Customer environment

TCP 25

Required: Certificate revocation lists

logged on user

Client Computer

TCP 80 & 443

See well known certificate root CRLs in the table below.

None

IP addresses not provided

TCP 80 & 443

Optional: Required for Office 365 Video

logged on user

Client Computer

Ephemeral ports

*.streaming.mediaservices.windows.net

Azure Media Services

IP addresses not provided

TCP 443

Optional: Required for Office 365 Video

logged on user

Client Computer

Ephemeral ports

Spoprod-a.akamaihd.net

Akamai

IP addresses not provided

TCP 443

Optional: Required for OneDrive for Business

logged on user

Client Computer

Ephemeral ports

Spoprod-a.akamaihd.net

Akamai

IP addresses not provided

TCP 443

Optional: Required for OneNote notebooks

Logged on user

OneNote

Ephemeral ports

*.onenote.com

None

See table below.

TCP 443

Optional: Required for OneNote notebooks

Logged on user

OneNote

Ephemeral ports

cdn.onenote.net

Akamai

IP addresses not provided

TCP 443

Optional: Required for Delve

Logged on user

Client Computer

Ephemeral ports

r3.res.outlook.com

Akamai

IP addresses not provided

TCP 443

SharePoint Online uses the following IP ranges.

SharePoint Online IPv4 Addresses

SharePoint Online IPv6 Addresses

Well known certificate root FQDNs

40.108.0.0/16
40.109.0.0/16
42.159.34.0/27
42.159.38.0/23
42.159.162.0/27
42.159.166.0/23
65.52.45.0/24
65.55.22.32/27
70.37.151.64/27
94.245.113.160/27
104.146.0.0/15
111.221.17.160/27
111.221.20.128/25
111.221.22.32/27
111.221.22.192/27
111.221.64.160/27
111.221.67.0/25
134.170.200.0/21
134.170.208.0/21
134.177.0.0/16
137.116.50.49
157.55.43.32/27
157.55.46.128/27
157.55.56.0/27
157.55.62.96/27
157.55.62.128/27
157.55.103.0/27
157.55.144.64/26
157.55.145.192/27
157.55.147.0/27
157.55.151.192/27
157.55.152.128/25
157.55.153.0/27
157.55.153.64/26
157.55.154.64/27
157.55.225.160/27
157.55.225.224/27
157.55.227.128/27
157.55.229.0/25
157.55.229.160/27
157.55.231.32/27
157.55.232.0/27
157.55.235.64/27
157.55.238.128/27
157.56.24.128/27
157.56.48.0/27
157.56.80.128/27
157.56.81.192/26
157.56.113.0/27
157.56.132.128/26
157.56.150.32/27
168.61.25.60
191.232.0.0/23
191.234.8.0/21
191.234.76.0/23
191.234.128.0/21
191.234.144.0/20
191.234.148.0/22
191.234.152.0/23
191.234.192.0/19
191.234.208.0/23
191.235.0.0/20
207.46.203.128/27
213.199.179.0/27
2a01:111:f402::/48
2801:80:1d0:1400::/54
crl.microsoft.com 
evsecure-ocsp.verisign.com
evsecure-aia.verisign.com
evsecure-crl.verisign.com
sa.symcb.com
sd.symcb.com
*.omniroot.com
*.verisign.com
*.symcb.com
*.symcd.com
*.verisign.net
*.geotrust.com
*.entrust.net
*.public-trust.com

(Back to top)

Exchange Online Protection (EOP)

If you have licensed Exchange Online Protection (EOP) as a standalone or as part of a suite, you must be able to reach the Office 365 portal and identity URLs as well as the EOP IP addresses.

Purpose

Credentials Used

Source

Source Port

Destination

CDN Provider(s)

Destination IP

Destination Port

Required: EOP

Logged on user

Client Computer

TCP 80 & 443

*.protection.outlook.com

None

See Exchange Online Protection IP Addresses

TCP 80 & 443

Required: Send email

N/A

Existing email environment

TCP 25

*.mail.protection.outlook.com

None

See Exchange Online Protection IP Addresses

TCP 25

Required: Receive email

N/A

See Exchange Online Protection IP Addresses

TCP 25

Existing email environment

None

See Exchange Online Protection IP Addresses

TCP 25

Office 365 remote analyzer tools

This list of IPv4 IP addresses is the current list required for the Office 365 remote analyzer tools.

Purpose

Credentials Used

Source

Source Port

Destination

CDN Provider(s)

Destination IP

Destination Port

Required: Initiate connectivity tests.

Logged on user

Web browse

Ephemeral ports

testconnectivity.microsoft.com

testexchangeconnectivity.com

None

See table below.

TCP 80 & 443

Required: Captcha & support services

Logged on user

Web browse

Ephemeral ports

client.hip.live.com

wu.client.hip.live.com

support.microsoft.com

None

IP addresses not provided

TCP 80 & 443

Required: Execution of the tests selected by the customer.

Provided by customer on the testconnectivity website

testconnectivity.microsoft.com

Ephemeral ports

On-premises systems for email and collaboration.

None

Customer IP ranges

80, 443, 25, POP3 on (110, 995, or Custom), IMAP4 on (143, 993, or Custom)

Required: Certificate revocation lists

logged on user

Client Computer

TCP 80 & 443

See well known certificate root CRLs in the table below.

None

IP addresses not provided

TCP 80 & 443

Office 365 remote analyzer tools use the following IP ranges.

Office 365 remote analyzer tools IP Addresses

Well known certificate root FQDNs

134.170.52.122 
134.170.52.123 
134.170.52.124 
157.56.138.141
157.56.138.142
157.56.138.143
crl.microsoft.com 
evsecure-ocsp.verisign.com
evsecure-aia.verisign.com
evsecure-crl.verisign.com
sa.symcb.com
sd.symcb.com
*.omniroot.com
*.verisign.com
*.symcb.com
*.symcd.com
*.verisign.net
*.geotrust.com
*.entrust.net
*.public-trust.com

(Back to top)

Yammer

This list of URLs and IPv4 IP subnet is the current list required for Yammer.

Purpose

Credentials Used

Source

Source Port

Destination

CDN Provider(s)

Destination IP

Destination Port

Required: Authentication

See Office 365 portal and identity

Required: Portal

See Office 365 portal and identity

Required:Yammer

Logged on user

Client Computer

Ephemeral ports

*.assets-yammer.com

*.yammer.com

*.yammerusercontent.com

None

See table below.

TCP 80 & 443

Required: Certificate revocation lists

logged on user

Client Computer

Ephemeral ports

See well known certificate root CRLs in the table below.

None

IP addresses not provided

TCP 80 & 443

Optional: Document, video, & image storage/rendering

Logged on user

Client Computer

Ephemeral ports

ajax.googleapis.com

*.cloudfront.net

None

IP addresses not provided

TCP 443

Yammer uses the following IP ranges.

Yammer IPv4 Addresses

Well known certificate root FQDNs

134.170.148.0/22
crl.microsoft.com 
evsecure-ocsp.verisign.com
evsecure-aia.verisign.com
evsecure-crl.verisign.com
sa.symcb.com
sd.symcb.com
*.omniroot.com
*.verisign.com
*.symcb.com
*.symcd.com
*.verisign.net
*.geotrust.com
*.entrust.net
*.public-trust.com

(Back to top)

Office 365 ProPlus

Here is the current list of endpoints required for Office 365 ProPlus. If you’re interested in bypassing the CDN for your deployment, you can build an internal installation point.

Purpose

Credentials Used

Source

Source Port

Destination

CDN Provider(s)

Destination IP

Destination Port

Required: This url is needed to renew the product key approximately every 30 days

Local system

Office client only

Ephemeral ports

activation.sls.microsoft.com

None

See table below.

TCP 443

Required: This URL is required to validate certificates during activation

Local system

Office client only

Ephemeral ports

crl.microsoft.com

None

IP addresses not provided.

TCP 80 & 443

Required: Required for identity and configuration services

Local system

Office client only

Ephemeral ports

odc.officeapps.live.com

clientconfig.microsoftonline-p.net

Microsoft & Akamai

See table below. CDN IP addresses not provided.

TCP 443

Required: This URL is the Office Licensing Service, which is used during activation and subscription maintenance

Local system

Office client only

Ephemeral ports

ols.officeapps.live.com

Microsoft & Akamai

See table below. CDN IP addresses not provided.

TCP 443

Required: Required for redirection services during initial Office activation and Office license heartbeat.

Local system

Office client only

TCP 80 & 443

office15client.microsoft.com

Microsoft & Akamai

See table below. CDN IP addresses not provided.

TCP 443

Required: Required to authenticate the users identity (Org Id) during initial Office entitlement check. After initial activation, not used unless re-entitlement check is required.

Logged on user

Office client only

Ephemeral ports

login.windows.net

login.microsoftonline.com

See Office 365 portal and identity

Required: Contains Office 365 ProPlus source media used for installation and/or updates. If automatic updates are configured in the default settings, the local system account is used when downloading updates.

Logged on user

Office client only

Ephemeral ports

officecdn.microsoft.com

Microsoft & Akamai

IP addresses not provided

TCP 80

Required: This URL is used to redirect to web content such as online help and error code information.

Logged on user

Office client only

Ephemeral ports

go.microsoft.com

Microsoft & Akamai

IP addresses not provided

TCP 80

Office 365 ProPlus uses the following IP ranges.

Office 365 ProPlus IPv4 Addresses

65.52.98.231
104.40.234.17
104.210.220.25
157.55.44.71
157.55.160.109
157.55.192.81
168.62.30.34 
191.236.108.93
191.236.157.212

(Back to top)

Office Online

This list of IP addresses is the current list required for Office Web Apps. MTE102837806 does not have additional URLs beyond those included in the portal and identity section.

Purpose

Credentials Used

Source

Source Port

Destination

CDN Provider(s)

Destination IP

Destination Port

Required: Authentication

See Office 365 portal and identity

Required: Portal

See Office 365 portal and identity

Required:Office Web Apps

Logged on user

Client Computer

Ephemeral ports

*.officeapps.live.com

None

See table below.

TCP 443

Required: Content Delivery Network for Office Web Apps

Logged on user

Client Computer

Ephemeral ports

*.cdn.office.net

Akamai

IP addresses not provided

TCP 443

Required: Certificate revocation lists

logged on user

Client Computer

Ephemeral ports

See well known certificate root CRLs in the table below.

None

IP addresses not provided

TCP 80 & 443

Office Web Apps uses the following IP ranges.

Office Web Apps IPv4 Addresses

Office Web Apps IPv6 Addresses

Well known certificate root FQDNs

23.101.60.234
23.102.157.61
23.103.183.0/26
104.46.60.252
134.170.27.64/26
134.170.48.0/26
134.170.65.64/26
134.170.128.192/26
134.170.170.64/26
191.232.2.64/26
2a01:111:f406:8800::/64
2a01:111:f406:400::/64
2a01:111:f406:1c01::/64
2a01:111:f406:9400::/64
2a01:111:f406:2402::/64
2a01:111:f406:a804::/64 
2a01:111:f406:b401::/64
crl.microsoft.com 
evsecure-ocsp.verisign.com
evsecure-aia.verisign.com
evsecure-crl.verisign.com
sa.symcb.com
sd.symcb.com
*.omniroot.com
*.verisign.com
*.symcb.com
*.symcd.com
*.verisign.net
*.geotrust.com
*.entrust.net
*.public-trust.com

(Back to top)

Office for iPad

This is the current list of Office for iPad URLs. If you’re using allow lists to filter iPad connectivity differently than other computers on your network, you can use just this list of URLs to create those allow lists.

Office for iPad URLs

directory.services.live.com
odc.officeapps.live.com
docs.live.net
roaming.officeapps.live.com
nexus.officeapps.live.com
sqm.microsoft.com
watson.telemetry.microsoft.com
login.live.com
wer.microsoft.com         
microsoft-my.sharepoint.com
login.microsoftonline.com
ms.tific.com
msft.sts.microsoft.com
p100-sandbox.itunes.apple.com
signup.live.com
auth.gfx.ms
view.atdmt.com
client.hip.live.com
dc2.client.hip.live.com
c.live.com
go.microsoft.com
office.microsoft.com
officeimg.vo.msecnd.net
m.webtrends.com
account.live.com
c.bing.com
partnerservices.getmicrosoftkey.com
client.hip.live.com
clientconfig.microsoftonline-p.net
cl2.apple.com
sas.office.microsoft.com
foodanddrink.services.appex.bing.com
en-US.appex-rf.msn.com
weather.tile.appex.bing.com

(Back to top)

Office Mobile

This is the current list of Office Mobile URLs. Office Mobile runs on Android devices, Windows Phones, and iPhones. If you’re filtering your mobile connectivity differently than other computers on your network, you can use just this list of URLs to create those allow lists.

Office Mobile URLs

office15client.microsoft.com
odc.officeapps.live.com
go.microsoft.com
login.microsoftonline.com
msft.sts.microsoft.com
odcsm.officeapps.live.com
microsoft-my.sharepoint.com
ms.tific.com
roaming.officeapps.live.com
o15.officeredir.microsoft.com
office.microsoft.com
officeimg.vo.msecnd.net
m.webtrends.com
d.docs.live.net
login.live.com
auth.gfx.ms
wer.microsoft.com
*.appex.bing.com
*.appex-rf.msn.com
appexsin.stb.s-msn.com

(Back to top)

Applies To: Office 365 Admin



Was this information helpful?

Yes No

How can we improve it?

255 characters remaining

To protect your privacy, please do not include contact information in your feedback. Review our privacy policy.

Thank you for your feedback!

Support resources

Change language