Office Support / Office 365 Admin / Setup

Office 365 URLs and IP address ranges

Summary   : Lists the endpoints (URLs and IP address ranges) used by Office 365 and provides links to the RSS feed to help you stay up-to-date on the latest changes.

If you are using Office 365 operated by 21Vianet in China, see URLs and IP address ranges for Office 365 operated by 21Vianet.

Subscribe via RSS RSS to receive notice when URLs and IP addresses are changed.

This article is part of Network planning and performance tuning for Office 365

If your organization restricts computers on your network from connecting to the Internet, this article lists the endpoints you should include in your outbound allow list to ensure your computers can successfully use Office 365. URL allow lists are the recommended approach due to the modern web architecture of Office 365. For guidance on how to best implement URL or IP allow lists, please work with the manufacturer of the hardware or software you use to protect your internet connection.

Already deployed Office 365 and troubleshooting connectivity issues? Check out our networking and performance planning page.

Warning   IP addresses filtering isn’t a complete solution.

Many Office 365 features rely on Microsoft and/or 3rd party Content Delivery Networks. We are unable to provide the IP addresses of those services. To understand more about CDNs and regional datacenters, please see our further explanation of Content delivery networks and Client connectivity. The following is a list of problems with filtering by IP address:

  • Web clients such as the Office 365 admin portal or Outlook Web App won’t be able to authenticate.

  • Updates will be required as frequently as weekly.

  • Certificate Revocation Lists (CRLs) are a required part of using Office 365 securely, IP addresses are unavailable for CRL endpoints.

  • Future non-web based clients may not be able to authenticate.

  • Additional Office 365 infrastructure won’t become instantly available to client computers.

  • There will be more emergency or retroactive updates

Some of our services do overlap with one another and you will notice the overlap or duplication in the lists of endpoints. There is also some domain name overlapping with our consumer services; while the root domain name is the same, Office 365 operates from a separate sub-domain.

If you’re going to add IP addresses to your allow lists, keep in mind that IPv6 is optional and not required. We provide it here for customers who wish to use IPv6.

Important   In most cases, updates are made to this page 14-30 days ahead of the end point being used. Occasionally emergency capacity will be added with a shorter notification window. We know this can be problematic and recommend using URL filtering instead of IP filtering to reduce the impact of these unavoidable emergencies. All notifications will be made via the RSS feed. You should subscribe to the feed in your favorite reader. Here is how to subscribe via Outlook or you can have the RSS feed updates emailed to you.

Want to access the IP addresses programmatically? We now offer all updates via XML.

Office 365 portal and identity

The endpoints listed in this section are only to support the portal and identity portion of Office 365. You’ll want to add these along with the endpoints for each of the workloads you’re deploying on your network.

If you want all URLs and IP addresses for Office 365 in one place, check out the new xml file.

If you’re using Active Directory Federation Services (AD FS) with your deployment, you can also use AD FS client access policies with Windows Server 2012 R2 or client access policies with AD FS 2.0 and to further restrict and control access to Office 365.

Purpose

Credentials Used

Source

Source Port

Destination

CDN Provider(s)

Destination IP

Destination Port

Office 365 Portal and help content

logged on user

Client Computer

TCP 49152 to 65535 (Ephemeral ports)

Portal.Office.com

Home.Office.com

*.office365.com

*.office.com

*.office.net

See row three and four

See tables below.

TCP 80 & 443

Authentication and support services

logged on user

Client Computer

TCP 49152 to 65535 (Ephemeral ports)

*.microsoftonline.com

*.microsoft.com

*.live.com

*.windows.net

See row three and four

See tables below.

TCP 80 & 443

CDNs used for portal and authentication

logged on user

Client Computer

TCP 49152 to 65535 (Ephemeral ports)

*.microsoftonline-p.com

*.microsoftonline-p.net

*.microsoftonlineimages.com

*.msecnd.net

Microsoft

IP addresses not provided

TCP 80 & 443

CDNs used for portal and authentication

logged on user

Client Computer

TCP 49152 to 65535 (Ephemeral ports)

*.msocdn.com

Akamai

IP addresses not provided

TCP 80 & 443

Default tenant namespace (mail routing, etc.)

logged on user

Client Computer

TCP 80, 25, & 443

*.onmicrosoft.com

Various

See tables below.

TCP 80, 25, & 443

Global DNS load balancing services

logged on user

Client Computer

TCP 80 & 443

*.glbdns.microsoft.com

None

IP addresses not provided

TCP 80 & 443

Microsoft Azure Active Directory

logged on user

Client Computer

TCP 49152 to 65535 (Ephemeral ports)

*.activedirectory.windowsazure.com

None

See tables below.

TCP 80 & 443

Microsoft Azure Active Directory (MFA)

logged on user

Client Computer

TCP 49152 to 65535 (Ephemeral ports)

*.phonefactor.net

None

See tables below.

TCP 80 & 443

Certificate revocation lists

logged on user

Client Computer

TCP 80 & 443

See well known certificate root CRLs in the table below.

None

IP addresses not provided

TCP 80 & 443

Optional: Azure Rights Management

logged on user

Client Computer

TCP 49152 to 65535 (Ephemeral ports)

*.aadrm.com

*.azurerms.com

*.cloudapp.net

None

IP addresses not provided

TCP 80 & 443

Optional: DirSync (legacy)

Machine^ and Service Account

DirSync Server

TCP 80 & 443

*.microsoftonline.com

*.windows.net

+Certificate Revocation Lists (see table below)

None

See tables below.

TCP 80 & 443

Optional: Azure AD Connect (recommended)

Service Account

Azure AD Connect Server

TCP 80 & 443

*.microsoftonline.com

*.windows.net

+Certificate Revocation Lists (see table below)

None

See tables below.

TCP 80 & 443

Optional: Azure AD Connect (w/SSO option) – WinRM & remote powershell

Service Account

Client Computer

TCP 80 & 443

Customer STS environment (AD FS Server and AD FS Proxy)

None

Customer environment

TCP 80 & 443

Optional: STS such as AD FS Proxy server(s) (for federated customers only)

None

Client Computer

TCP 443 or TCP 49443 w/ClientTLS

Customer STS (such as AD FS Proxy)

None

Customer environment

TCP 443 or TCP 49443 w/ClientTLS

Optional: AD FS Proxy server(s) (for federated customers only)

None

Customer AD FS Proxy (WAP)

TCP 443

Customer AD FS Server (FS)

None

Customer environment

TCP 443

Optional: Office 365 Management Pack for Operations Manager

Machine^ Account

Customer Operations Manager environment

TCP 80 & 443

office365servicehealthcommunications.cloudapp.net

None

IP addresses not provided

TCP 80 & 443

^Keep in mind that Machine accounts won’t work with proxies that require outbound authentication.

Portal and Identity uses the following IP ranges.

Office 365 IPv4 Addresses

Office 365 IPv6 Addresses

Certificate Revocation List (Root URLs)

23.96.208.238
23.97.64.252
23.97.66.55
23.97.66.110
23.97.68.113
23.97.70.147
23.97.72.158
23.97.72.161
23.97.72.165
23.97.98.128
23.97.99.4
23.97.99.164
23.97.100.76
23.97.100.92
23.97.100.105
23.97.100.152
23.97.102.90
23.97.103.118
23.97.139.122
23.97.145.9
23.97.148.36
23.97.148.228
23.97.152.190
23.98.66.168
23.98.69.116
23.98.70.90
23.99.121.207
23.99.128.120
23.99.129.26
23.99.129.173
23.99.193.105
23.99.194.77
23.99.196.232
23.99.226.167
23.99.227.124
23.100.86.91
23.101.14.229
23.101.19.99
23.101.25.224
23.101.30.126
23.101.178.227
23.101.187.91
23.102.4.253
23.102.64.16
23.102.64.138
23.102.64.255
23.102.65.171
23.102.65.203
23.102.65.221
23.102.155.140
65.52.26.28
65.52.64.61
65.52.64.230
65.52.129.119
65.52.136.224
65.52.144.125
65.52.148.27
65.52.160.218
65.52.176.72
65.52.184.75
65.52.196.64
65.52.209.62
65.52.228.75
65.52.228.99
65.52.228.100
65.52.232.52
65.52.233.128
65.52.236.160
65.52.240.73
65.52.240.200
65.52.244.66
65.54.54.32/27
65.54.55.201
65.54.74.0/23
65.54.80.0/20
65.54.165.0/25
65.55.86.0/23
65.55.233.0/27
65.55.239.168
70.37.56.152
70.37.81.47
70.37.97.234
70.37.128.0/23
70.37.142.0/23
70.37.150.128/25
70.37.159.0/24
70.37.160.72
70.37.160.202
94.245.68.0/22
94.245.82.0/23
94.245.84.0/24
94.245.86.0/24
94.245.88.223
94.245.88.194
94.245.117.53
94.245.108.85
104.41.1.233
104.43.140.223
104.45.11.195
104.45.214.112
104.46.50.125
104.209.190.8
104.210.4.77
104.210.40.87
104.215.198.144
111.221.16.0/21
111.221.24.0/21
111.221.70.0/25
111.221.71.0/25
111.221.104.43
111.221.111.196
111.221.127.112/28
132.245.0.0/16
134.170.0.0/16
137.135.47.6
137.135.47.4
137.135.47.28
137.116.32.43
137.116.32.61
137.116.32.101
137.116.48.66
137.116.48.69
137.116.49.27
137.116.49.210
137.116.64.35
137.116.64.162
137.116.65.59
137.116.66.126
137.116.80.106
137.116.81.187
137.116.129.62/32
137.116.242.169
137.117.99.175
137.117.103.21
137.117.146.106
137.117.198.210
137.135.41.12/32
137.135.42.195/32
137.135.43.100/32
137.135.44.5/32
137.135.44.73/32
137.135.48.128/32
137.135.60.254
137.135.160.110
138.91.1.59
138.91.2.208
138.91.2.210
138.91.2.212
138.91.17.43
138.91.17.108
138.91.18.52
138.91.64.46
138.91.246.237
157.55.45.128/25
157.55.59.128/25
157.55.80.41
157.55.80.94
157.55.80.175
157.55.80.182
157.55.84.13/32
157.55.84.19/32
157.55.84.80/32
157.55.84.237/32
157.55.130.0/25
157.55.145.0/25
157.55.155.0/25
157.55.161.59
157.55.161.75
157.55.168.18
157.55.168.184
157.55.176.63
157.55.177.39
157.55.184.223
157.55.185.100
157.55.194.46
157.55.208.58
157.55.208.198
157.55.208.218
157.55.227.192/26
157.55.252.101
157.56.0.0/16
157.56.8.78
157.56.28.192
157.56.162.166
168.61.32.214
168.61.33.178/32
168.61.35.252/32
168.61.36.121
168.61.37.63/32
168.61.38.105
168.61.39.14/32
168.61.82.81/32
168.61.83.48/32
168.61.85.180/32
168.61.85.193/32
168.61.144.76
168.61.208.197
168.62.4.28
168.62.4.48
168.62.11.24
168.62.11.117
168.62.16.112
168.62.16.140
168.62.16.149
168.62.16.252
168.62.24.38
168.62.24.104
168.62.24.114
168.62.24.150
168.62.29.225
168.62.41.25
168.62.42.89
168.62.43.8
168.62.52.198
168.62.52.203
168.62.56.108
168.62.60.71
168.62.60.80
168.62.104.146
168.62.105.126
168.62.105.217
168.62.106.152
168.62.176.34
168.62.179.4
168.62.180.151
168.62.202.67
168.62.204.209
168.63.16.66/32
168.63.16.112/32
168.63.16.114/32
168.63.16.141
168.63.17.108
168.63.17.221/32
168.63.18.131
168.63.25.227
168.63.27.2
168.63.29.74
168.63.52.117
168.63.92.133
168.63.138.56
168.63.139.159
168.63.152.235
168.63.166.200
168.63.165.67
168.63.164.177
168.63.172.54
168.63.173.188
168.63.208.73/32
168.63.213.203/32
168.63.213.238
168.63.214.35/32
168.63.216.117/32
168.63.250.173/32
168.63.252.39/32
168.63.252.62
168.63.252.71/32
191.232.2.128/25
191.233.32.111
191.233.32.201
191.233.37.141
191.234.6.0/24
191.234.55.177
191.235.135.139
191.235.135.222
191.236.155.80
191.236.192.179
191.237.128.159
191.237.218.239
191.238.80.160
191.238.80.241
191.238.81.69
191.238.83.220
191.238.160.173
191.238.177.236
191.238.224.150
191.239.64.124
191.239.64.125
191.239.64.129
191.239.64.130
191.239.64.131
191.239.64.132
191.239.64.133
191.239.64.134
191.239.160.4
191.239.160.93
191.239.160.143
191.239.160.140
191.239.160.144
191.239.160.145
191.239.160.141
191.239.160.142
207.46.57.128/25
207.46.70.0/24
207.46.73.250
207.46.129.169
207.46.198.0/25
207.46.206.0/23
207.46.216.54
213.199.128.58
213.199.128.91
213.199.128.119
213.199.132.97
213.199.148.0/23
213.199.182.128/25
2801:80:1d0:1c00::/64
2a01:111:f406:1000::/64
2a01:111:f406:1801::/64
2a01:111:f406:1::/64
2a01:111:f406:a003::/64
2a01:111:f100:1004::4134:f0c8
2603:1030:800:5::bfee:a0ad
2a01:111:f100:a001::a83f:5c85
2a01:111:f100:8001::d5c7:8077
2a01:111:f100:7000::6fdd:682b
2a01:111:f102:8001::1761:4237
crl.microsoft.com 
evsecure-ocsp.verisign.com
evsecure-aia.verisign.com
evsecure-crl.verisign.com
sa.symcb.com
sd.symcb.com
*.omniroot.com
*.verisign.com
*.symcb.com
*.symcd.com
*.verisign.net
*.geotrust.com
*.entrust.net
*.public-trust.com

(Back to top)

Exchange Online

If you have licensed Exchange Online as a standalone or as part of a suite, you must be able to reach the Office 365 portal and identity URLs as well as the Exchange Online URLs or IP addresses.

Exchange Online hybrid deployments and federated delegation scenarios require connectivity to the Azure Active Directory Authentication system. No additional endpoints are required for this beyond those included in the Exchange online and portal and identity sections. Here’s more detail about configuring federated sharing.

Purpose

Credentials Used

Source

Source Port

Destination

CDN Provider(s)

Destination IP

Destination Port

Authentication

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

Portal

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

Exchange Online Protection

See Exchange Online Protection (EOP)

See Exchange Online Protection (EOP)

See Exchange Online Protection (EOP)

See Exchange Online Protection (EOP)

See Exchange Online Protection (EOP)

See Exchange Online Protection (EOP)

See Exchange Online Protection (EOP)

Client SMTP Relay

Logged on user

Client Computer

TCP 587

smtp.office365.com

None

See table below.

TCP 587

Exchange Online

Logged on user

Client Computer

TCP 49152 to 65535 (Ephemeral ports)

outlook.office365.com

None

See table below.

TCP 80 & 443

Exchange Online

Logged on user

Client Computer

TCP 49152 to 65535 (Ephemeral ports)

r1.res.office365.com

Akamai

IP addresses not provided

TCP 80 & 443

Exchange Online

Logged on user

Client Computer

TCP 49152 to 65535 (Ephemeral ports)

r3.res.office365.com

Akamai

IP addresses not provided

TCP 80 & 443

Exchange Online

Logged on user

Client Computer

TCP 49152 to 65535 (Ephemeral ports)

r4.res.office365.com

Akamai

IP addresses not provided

TCP 80 & 443

Exchange Online

Logged on user

Client Computer

TCP 49152 to 65535 (Ephemeral ports)

*.outlook.com

None

See table below.

TCP 80 & 443

Certificate revocation lists

logged on user

Client Computer

TCP 80 & 443

See well known certificate root CRLs in the table below.

None

IP addresses not provided

TCP 80 & 443

Optional: Exchange Hybrid Only

Machine account^

Existing Exchange Client Access Servers

TCP 80 & 443

outlook.office365.com

None

See table below.

TCP 80 & 443

Optional: Exchange Online IMAP4 migration

N/A

IMAP4 Service

TCP 143/993

outlook.office365.com

None

See table below.

TCP 143/993

Optional: Exchange Online POP3 migration

N/A

POP3 Service

TCP 995

outlook.office365.com

None

See table below.

TCP 995

Optional: All other Exchange Online migration tools

N/A

Existing Exchange service (EWS or MRS)

TCP 80 & 443

outlook.office365.com

None

See table below.

TCP 80 & 443

^Keep in mind that Machine accounts won’t work with proxies that require outbound authentication.

Exchange Online uses the following IP ranges.

Exchange Online IPv4 Addresses

Exchange Online IP Addresses

Well known certificate root FQDNs

23.103.160.0/20
23.103.224.0/19
40.96.0.0/16
40.97.0.0/16
40.98.0.0/16
40.99.0.0/16
40.100.0.0/16
40.101.0.0/16
40.102.0.0/16
40.103.0.0/16
40.104.0.0/16
40.105.0.0/16
65.54.62.0/25
65.55.39.128/25
65.55.78.128/25
65.55.94.0/25
65.55.113.64/26
65.55.126.0/25
65.55.174.0/25
65.55.181.128/25
70.37.151.128/25
94.245.117.128/25
111.221.23.128/25
111.221.66.0/25
111.221.69.128/25
111.221.112.0/21
131.253.33.215
132.245.0.0/16
191.234.192.0/19
157.55.9.128/25
157.55.11.0/25
157.55.47.0/24
157.55.49.0/24
157.55.61.0/24
157.55.157.128/25
157.55.224.128/25
157.55.225.0/25
157.56.0.0/16
191.234.6.152
191.234.140.0/22
191.234.224.0/22
204.79.197.215
206.191.224.0/19
207.46.4.128/25
207.46.58.128/25
207.46.198.0/25
207.46.203.128/26
213.199.174.0/25
213.199.177.0/26
2a01:111:f400::/48
crl.microsoft.com 
evsecure-ocsp.verisign.com
evsecure-aia.verisign.com
evsecure-crl.verisign.com
sa.symcb.com
sd.symcb.com
*.omniroot.com
*.verisign.com
*.symcb.com
*.symcd.com
*.verisign.net
*.geotrust.com
*.entrust.net
*.public-trust.com

(Back to top)

Skype for Business

If you have licensed Skype for Business as a standalone or as part of a suite, you must be able to reach the Office 365 portal and identity URLs as well as the Skype for Business URLs or IP addresses. It’s also important to ensure you are able to reach the certificate root authorities as all Skype for Business communications are protected, you’ll find a partial list of possible root authorities client computers will need to be able to access.

Purpose

Credentials Used

Source

Source Port

Destination

CDN Provider(s)

Destination IP

Destination Port

Authentication

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

Portal

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

SIP signaling

Logged on user

Client Computer

TCP 49152 to 65535 (Ephemeral ports)

*.Lync.com

None

See table below.

TCP 443

Persistent Shared Object Model (PSOM) connections web conferencing

Logged on user

Client Computer

TCP 49152 to 65535 (Ephemeral ports)

*.Lync.com

None

See table below.

TCP 443

HTTPS downloads

Logged on user

Client Computer

TCP 49152 to 65535 (Ephemeral ports)

*.Lync.com

None

See table below.

TCP 443

Audio

Logged on user

Client Computer

TCP/UDP 50,000-50019

*.Lync.com

None

See table below.

TCP 443, UDP 3478, TCP/UDP 50,000-59,999

Video

Logged on user

Client Computer

TCP/UDP 50,020-50039

*.Lync.com

None

See table below.

TCP 443, UDP 3478, TCP/UDP 50,000-59,999

Desktop sharing

Logged on user

Client Computer

TCP/UDP 50,040-50059

*.Lync.com

None

See table below.

TCP 443, TCP 50,000-59,999

Lync Mobile push notifications for Lync Mobile 2010 on iOS devices. You don't need this for Android, Nokia Symbian or Windows Phone mobile devices.

Logged on user

Client Computer

TCP 49152 to 65535 (Ephemeral ports)

*.Lync.com

None

See table below.

TCP 5223

Certificate revocation lists

logged on user

Client Computer

TCP 80 & 443

See well known certificate root CRLs in the table below.

None

IP addresses not provided

TCP 80 & 443

Skype for Business uses the following IP ranges.

Skype for Business IPv4 Addresses

Skype for Business IPv6 Addresses

Well known certificate root FQDNs

23.103.128.0/25
23.103.128.128/25
23.103.129.0/25
23.103.129.128/25
23.103.130.0/26
23.103.130.64/26
23.103.130.128/26
23.103.130.192/26
23.103.176.128/26
23.103.176.192/27
23.103.178.128/26
23.103.178.192/27
40.110.0.0/16
65.55.121.128/27
65.55.127.0/24
66.119.157.0/25
66.119.157.192/26
66.119.158.0/25
111.221.17.128/27
111.221.22.64/26
111.221.76.96/27
111.221.76.128/25
111.221.77.0/26
132.245.0.0/24
132.245.1.0/25
132.245.112.0/24
132.245.113.0/25
132.245.128.0/24
132.245.129.0/25
132.245.161.0/24
132.245.162.0/25
132.245.192.0/24 
132.245.193.0/25
132.245.208.0/24
132.245.209.0/25
134.170.0.0/25
134.170.53.32/27
134.170.54.0/26
134.170.54.128/25
134.170.113.192/26
134.170.115.0/27
134.170.115.128/25
157.55.40.128/25
157.55.46.0/27
157.55.46.64/26
157.55.229.128/27
157.55.232.128/26
157.55.238.0/25
157.56.135.64/26
157.56.135.160/27
157.56.184.224/27
157.56.185.0/26
191.232.80.96/27
191.232.83.0/27
191.232.83.32/27
191.232.83.64/27
207.46.5.0/24
207.46.7.128/27
207.46.57.0/25
2a01:111:2035:6::/64
2a01:111:2035:7::/64
2a01:111:f404:8002::/64
2a01:111:f404:8003::/64
2a01:111:f404:0c06::/64
2a01:111:f404:0c07::/64
2a01:111:f406:402::/64
2a01:111:f406:403::/64
2a01:111:f404:9400::/64
2a01:111:f404:9401::/64
2a01:111:f406:2400::/64
2a01:111:f406:2401::/64
2a01:111:f404:a000::/64
2a01:111:f404:a001::/64
2a01:111:f404:a800::/64
2a01:111:f404:a801::/64
2a01:111:2035:6::/64
2a01:111:2035:7::/64
2a01:111:f404:3400::/64
2a01:111:f404:3401::/64
2a01:111:306:2::/64
2a01:111:2007:3::/64
2a01:111:6:4::/64
2a01:111:2046:4::/64
2a01:111:12:5::/64
2a01:111:2036:2::/64
2a01:111:307:2::/64
2a01:111:2034:2::/64
crl.microsoft.com 
evsecure-ocsp.verisign.com
evsecure-aia.verisign.com
evsecure-crl.verisign.com
sa.symcb.com
sd.symcb.com
*.omniroot.com
*.verisign.com
*.symcb.com
*.symcd.com
*.verisign.net
*.geotrust.com
*.entrust.net
*.public-trust.com

(Back to top)

SharePoint Online

If you have licensed SharePoint Online as a standalone or as part of a suite, you must be able to reach the Office 365 portal and identity URLs as well as the SharePoint Online URLs or IP addresses.

This list also applies to many of the new applications that are dependent on SharePoint Online, such as Power BI, Project Online, Delve, and Office 365 Video. The Yammer endpoints are listed separately.

Purpose

Credentials Used

Source

Source Port

Destination

CDN Provider(s)

Destination IP

Destination Port

Authentication

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

Portal

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

SharePoint Online and associated applications

Logged on user

Client Computer

TCP 49152 to 65535 (Ephemeral ports)

*.sharepoint.com

*.sharepointonline.com

Microsoft & Akamai

See table below. CDN IP addresses not provided.

TCP 80 & 443

SharePoint Online inbound mail

Logged on user

See table below.

TCP 25

Customer environment

None

Customer environment

TCP 25

Certificate revocation lists

logged on user

Client Computer

TCP 80 & 443

See well known certificate root CRLs in the table below.

None

IP addresses not provided

TCP 80 & 443

Optional: Required for OneNote notebooks

Logged on user

OneNote

TCP 49152 to 65535 (Ephemeral ports)

*.onenote.com

None

See table below.

TCP 443

Optional: Required for OneNote notebooks

Logged on user

OneNote

TCP 49152 to 65535 (Ephemeral ports)

cdn.onenote.net

Akamai

IP addresses not provided

TCP 443

Optional: Required for Delve

Logged on user

Client Computer

TCP 49152 to 65535 (Ephemeral ports)

r3.res.outlook.com

Akamai

IP addresses not provided

TCP 443

SharePoint Online uses the following IP ranges.

SharePoint Online IPv4 Addresses

SharePoint Online IPv6 Addresses

Well known certificate root FQDNs

40.108.0.0/16
40.109.0.0/16
42.159.34.0/27
42.159.38.0/23
42.159.162.0/27
42.159.166.0/23
65.52.45.0/24
65.55.22.32/27
70.37.151.64/27
94.245.113.160/27
104.146.0.0/15
111.221.17.160/27
111.221.20.128/25
111.221.22.32/27
111.221.22.192/27
111.221.64.160/27
111.221.67.0/25
134.170.200.0/21
134.170.208.0/21
134.177.0.0/16
137.116.50.49
157.55.43.32/27
157.55.46.128/27
157.55.56.0/27
157.55.62.96/27
157.55.62.128/27
157.55.103.0/27
157.55.144.64/26
157.55.145.192/27
157.55.147.0/27
157.55.151.192/27
157.55.152.128/25
157.55.153.0/27
157.55.153.64/26
157.55.154.64/27
157.55.225.160/27
157.55.225.224/27
157.55.227.128/27
157.55.229.0/25
157.55.229.160/27
157.55.231.32/27
157.55.232.0/27
157.55.235.64/27
157.55.238.128/27
157.56.24.128/27
157.56.48.0/27
157.56.80.128/27
157.56.81.192/26
157.56.113.0/27
157.56.132.128/26
157.56.150.32/27
168.61.25.60
191.232.0.0/23
191.234.8.0/21
191.234.76.0/23
191.234.128.0/21
191.234.144.0/20
191.234.148.0/22
191.234.152.0/23
191.234.192.0/19
191.234.208.0/23
191.235.0.0/20
207.46.203.128/27
213.199.179.0/27
2a01:111:f402::/48
2801:80:1d0:1400::/54
crl.microsoft.com 
evsecure-ocsp.verisign.com
evsecure-aia.verisign.com
evsecure-crl.verisign.com
sa.symcb.com
sd.symcb.com
*.omniroot.com
*.verisign.com
*.symcb.com
*.symcd.com
*.verisign.net
*.geotrust.com
*.entrust.net
*.public-trust.com

(Back to top)

Exchange Online Protection (EOP)

If you have licensed Exchange Online Protection (EOP) as a standalone or as part of a suite, you must be able to reach the Office 365 portal and identity URLs as well as the EOP IP addresses.

Purpose

Credentials Used

Source

Source Port

Destination

CDN Provider(s)

Destination IP

Destination Port

EOP

Logged on user

Client Computer

TCP 80 & 443

*.protection.outlook.com

None

See Exchange Online Protection IP Addresses

TCP 80 & 443

Send/receive email

N/A

Existing email environment

TCP 25 & 587

*.protection.outlook.com

None

See Exchange Online Protection IP Addresses

TCP 25 & 587

Send/receive email

N/A

*.protection.outlook.com

TCP 25 & 587

Existing email environment

None

See Exchange Online Protection IP Addresses

TCP 25 & 587

Office 365 remote analyzer tools

This list of IPv4 IP addresses is the current list required for the Office 365 remote analyzer tools.

Purpose

Credentials Used

Source

Source Port

Destination

CDN Provider(s)

Destination IP

Destination Port

Initiate connectivity tests.

Logged on user

Web browse

TCP 49152 to 65535 (Ephemeral ports)

testconnectivity.microsoft.com

testexchangeconnectivity.com

None

See table below.

TCP 80 & 443

Captcha & support services

Logged on user

Web browse

TCP 49152 to 65535 (Ephemeral ports)

client.hip.live.com

wu.client.hip.live.com

support.microsoft.com

None

IP addresses not provided

TCP 80 & 443

Execution of the tests selected by the customer.

Provided by customer on the testconnectivity website

testconnectivity.microsoft.com

TCP 49152 to 65535 (Ephemeral ports)

On-premises systems for email and collaboration.

None

Customer IP ranges

80, 443, 25, POP3 on (110, 995, or Custom), IMAP4 on (143, 993, or Custom)

Certificate revocation lists

logged on user

Client Computer

TCP 80 & 443

See well known certificate root CRLs in the table below.

None

IP addresses not provided

TCP 80 & 443

Office 365 remote analyzer tools use the following IP ranges.

Office 365 remote analyzer tools IP Addresses

Well known certificate root FQDNs

134.170.52.122 
134.170.52.123 
134.170.52.124 
157.56.138.141
157.56.138.142
157.56.138.143
crl.microsoft.com 
evsecure-ocsp.verisign.com
evsecure-aia.verisign.com
evsecure-crl.verisign.com
sa.symcb.com
sd.symcb.com
*.omniroot.com
*.verisign.com
*.symcb.com
*.symcd.com
*.verisign.net
*.geotrust.com
*.entrust.net
*.public-trust.com

(Back to top)

Yammer

This list of URLs and IPv4 IP subnet is the current list required for Yammer.

Purpose

Credentials Used

Source

Source Port

Destination

CDN Provider(s)

Destination IP

Destination Port

Authentication

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

Portal

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

Yammer

Logged on user

Client Computer

TCP 49152 to 65535 (Ephemeral ports)

*.assets-yammer.com

*.yammer.com

*.yammerusercontent.com

None

See table below.

TCP 80 & 443

Certificate revocation lists

logged on user

Client Computer

TCP 80 & 443

See well known certificate root CRLs in the table below.

None

IP addresses not provided

TCP 80 & 443

Optional: Document, video, & image storage/rendering

Logged on user

Client Computer

TCP 49152 to 65535 (Ephemeral ports)

ajax.googleapis.com

*.cloudfront.net

*.crocodoc.com

None

IP addresses not provided

TCP 443

Yammer uses the following IP ranges.

Yammer IPv4 Addresses

Well known certificate root FQDNs

134.170.148.0/22
crl.microsoft.com 
evsecure-ocsp.verisign.com
evsecure-aia.verisign.com
evsecure-crl.verisign.com
sa.symcb.com
sd.symcb.com
*.omniroot.com
*.verisign.com
*.symcb.com
*.symcd.com
*.verisign.net
*.geotrust.com
*.entrust.net
*.public-trust.com

(Back to top)

Office 365 ProPlus

Here is the current list of endpoints required for Office 365 ProPlus. If you’re interested in bypassing the CDN for your deployment, you can build an internal installation point.

Purpose

Credentials Used

Source

Source Port

Destination

CDN Provider(s)

Destination IP

Destination Port

This url is needed to renew the product key approximately every 30 days

Local system

Office client only

TCP 49152 to 65535 (Ephemeral ports)

activation.sls.microsoft.com

None

See table below.

TCP 443

This URL is required to validate certificates during activation

Local system

Office client only

TCP 49152 to 65535 (Ephemeral ports)

crl.microsoft.com

None

IP addresses not provided.

TCP 80 & 443

Required for identity and configuration services

Local system

Office client only

TCP 49152 to 65535 (Ephemeral ports)

odc.officeapps.live.com

clientconfig.microsoftonline-p.net

Microsoft & Akamai

See table below. CDN IP addresses not provided.

TCP 443

This URL is the Office Licensing Service, which is used during activation and subscription maintenance

Local system

Office client only

TCP 49152 to 65535 (Ephemeral ports)

ols.officeapps.live.com

Microsoft & Akamai

See table below. CDN IP addresses not provided.

TCP 443

Required for redirection services during initial Office activation and Office license heartbeat.

Local system

Office client only

TCP 80 & 443

office15client.microsoft.com

Microsoft & Akamai

See table below. CDN IP addresses not provided.

TCP 443

Required to authenticate the users identity (Org Id) during initial Office entitlement check. After initial activation, not used unless re-entitlement check is required.

Logged on user

Office client only

TCP 49152 to 65535 (Ephemeral ports)

login.windows.net

login.microsoftonline.com

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

Contains Office 365 ProPlus source media used for installation and/or updates. If automatic updates are configured in the default settings, the local system account is used when downloading updates.

Logged on user

Office client only

TCP 49152 to 65535 (Ephemeral ports)

officecdn.microsoft.com

Microsoft & Akamai

IP addresses not provided

TCP 80

This URL is used to redirect to web content such as online help and error code information.

Logged on user

Office client only

TCP 49152 to 65535 (Ephemeral ports)

go.microsoft.com

Microsoft & Akamai

IP addresses not provided

TCP 80

Office 365 ProPlus uses the following IP ranges.

Office 365 ProPlus IPv4 Addresses

65.52.98.231
104.40.234.17
104.210.220.25
157.55.44.71
157.55.160.109
157.55.192.81
168.62.30.34 
191.236.108.93
191.236.157.212

(Back to top)

Office Online

This list of IP addresses is the current list required for Office Web Apps. does not have additional URLs beyond those included in the portal and identity section.

Purpose

Credentials Used

Source

Source Port

Destination

CDN Provider(s)

Destination IP

Destination Port

Authentication

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

Portal

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

See Office 365 portal and identity

Office Web Apps

Logged on user

Client Computer

TCP 49152 to 65535 (Ephemeral ports)

*.officeapps.live.com

None

See table below.

TCP 443

Content Delivery Network for Office Web Apps

Logged on user

Client Computer

TCP 49152 to 65535 (Ephemeral ports)

*.cdn.office.net

Akamai

IP addresses not provided

TCP 443

Certificate revocation lists

logged on user

Client Computer

TCP 80 & 443

See well known certificate root CRLs in the table below.

None

IP addresses not provided

TCP 80 & 443

Office Web Apps uses the following IP ranges.

Office Web Apps IPv4 Addresses

Office Web Apps IPv6 Addresses

Well known certificate root FQDNs

23.101.60.234
23.102.157.61
23.103.183.0/26
104.46.60.252
134.170.27.64/26
134.170.48.0/26
134.170.65.64/26
134.170.128.192/26
134.170.170.64/26
191.232.2.64/26
2a01:111:f406:8800::/64
2a01:111:f406:400::/64
2a01:111:f406:1c01::/64
2a01:111:f406:9400::/64
2a01:111:f406:2402::/64
2a01:111:f406:a804::/64 
2a01:111:f406:b401::/64
crl.microsoft.com 
evsecure-ocsp.verisign.com
evsecure-aia.verisign.com
evsecure-crl.verisign.com
sa.symcb.com
sd.symcb.com
*.omniroot.com
*.verisign.com
*.symcb.com
*.symcd.com
*.verisign.net
*.geotrust.com
*.entrust.net
*.public-trust.com

(Back to top)

Office for iPad

This is the current list of Office for iPad URLs. If you’re using allow lists to filter iPad connectivity differently than other computers on your network, you can use just this list of URLs to create those allow lists.

Office for iPad URLs

(Back to top)

Office Mobile

This is the current list of Office Mobile URLs. Office Mobile runs on Android devices, Windows Phones, and iPhones. If you’re filtering your mobile connectivity differently than other computers on your network, you can use just this list of URLs to create those allow lists.

Office Mobile URLs

office15client.microsoft.com
odc.officeapps.live.com
go.microsoft.com
login.microsoftonline.com
msft.sts.microsoft.com
odcsm.officeapps.live.com
microsoft-my.sharepoint.com
ms.tific.com
roaming.officeapps.live.com
o15.officeredir.microsoft.com
office.microsoft.com
officeimg.vo.msecnd.net
m.webtrends.com
d.docs.live.net
login.live.com
auth.gfx.ms
wer.microsoft.com
*.appex.bing.com
*.appex-rf.msn.com
appexsin.stb.s-msn.com

(Back to top)

Applies To: Office 365 Admin



Was this information helpful?

Yes No

How can we improve it?

255 characters remaining

To protect your privacy, please do not include contact information in your feedback. Review our privacy policy.

Thank you for your feedback!

Support resources

Change language