Office 365 URLs and IP address ranges

Summary:    Office 365 requires connectivity to the Internet. The endpoints below should be reachable for customers using Office 365 plans, including Government Community Cloud (GCC).

Office 365 Worldwide (+GCC) | Office 365 operated by 21 Vianet | Office 365 Germany | Office 365 U.S. Government DoD | Office 365 U.S. Government GCC High |

Last updated: 9/29/2017 - RSS Change Log subscription

Download: the full list in XML format

Use: our proxy PAC files

Start with managing Office 365 endpoints to understand our recommendations. Except for emergency changes, endpoints are updated at the end of each month.

Please read each service introduction for more info. Wildcards represent all levels under the root domain and we use N/A when information is not available. Destinations are listed with FQDN/domain only, CIDR prefixes only, or a pairing of FQDNs that represent specific CIDR prefixes along with port information. Use our PAC files to implement the principles below.

  • Bypass your proxy for all FQDN/CIDR paired and CIDR prefix only destinations, such as row 2 and 3 in portal and shared.

  • Bypass your proxy or remove inspection, authentication, reputation lookup services for any FQDNs marked required without a CIDR prefix, such as row 5 in portal and shared.

  • For any remaining optional FQDNs, wildcards, DNS, CDN, CRL, or other unpublished destinations requested by Office 365 services, ensure clients can access them over the Internet.

Available over Internet & ExpressRoute circuits: shared services | authentication | Office Online | Exchange Online | Exchange Online Protection | Skype for Business Online | Microsoft Teams | SharePoint Online and OneDrive | Dynamics CRM IP | Dynamics CRM URI | Power BI

Available over Internet circuits only: Office 365 Video and Microsoft Stream | Yammer | Sway | Planner | Office Clients | Microsoft Intune | Microsoft PowerApps | Microsoft Flow

Office 365 portal and shared

Every Office 365 service depends on the required endpoints in the Office 365 portal and shared and Office 365 authentication and identity sections to function. To use any Office 365 services, you must be able to connect to the endpoints marked required in the table below.

Portal and shared FQDNs

Office 365 shared services are requested from browsers, clients, and servers and requires the authenticated user to be passed. Destinations with a yes in the ExpressRoute for Office 365 BGP Communities column are advertised over ExpressRoute and the Internet.

Row

Purpose

Destination

ExpressRoute for Office 365 BGP Communities

CIDR Address

Port

1

Required: Internet egress and DNS resolution as close to the user as possible. Ensure public resources such as certificate revocation lists are accessible.

see well known certificate root CRLs in the table below. and Office 365 certificate chains for more information.

no

N/A

TCP 80 & 443

2

Required: Office 365 portal

*.office365.com

no2

portal and shared IP ranges

TCP 443

3

Required: Office 365 portal and shared infrastructure (including Cloud App Security and Delve)

*.portal.cloudappsecurity.com
<tenant>.onmicrosoft.com
account.office.net
agent.office.net
apc.delve.office.com
aus.delve.office.com
can.delve.office.com
delve.office.com
eur.delve.office.com
gbr.delve.office.com
home.office.com
ind.delve.office.com
jpn.delve.office.com
kor.delve.office.com
lam.delve.office.com
nam.delve.office.com
portal.office.com
outlook.office365.com
suite.office.net
www.office.com

yes

portal and shared IP ranges & Exchange Online IP ranges.

TCP 443

4

Required: Office 365 portal (including shared telemetry)

portal.microsoftonline.com
clientlog.portal.office.com
nexus.officeapps.live.com
nexusrules.officeapps.live.com

no

portal and shared IP ranges - Internet-only IPs..

TCP 443

5

Required: shared infrastructure, help, and CDNs

amp.azure.net
auth.gfx.ms
appsforoffice.microsoft.com
assets.onestore.ms
az826701.vo.msecnd.net
browser.pipe.aria.microsoft.com
c.microsoft.com
c1.microsoft.com
client.hip.live.com
contentstorage.osi.office.net
dgps.support.microsoft.com
docs.microsoft.com
groupsapi-prod.outlookgroups.ms
groupsapi2-prod.outlookgroups.ms
groupsapi3-prod.outlookgroups.ms
groupsapi4-prod.outlookgroups.ms
mobile.pipe.aria.microsoft.com
msdn.microsoft.com
platform.linkedin.com
products.office.com
prod.msocdn.com
r1.res.office365.com
r4.res.office365.com
res.delve.office.com
shellprod.msocdn.com
support.content.office.net
support.microsoft.com
support.office.com
technet.microsoft.com
templates.office.com
video.osi.office.net
videocontent.osi.office.net
videoplayercdn.osi.office.net

no

N/A

TCP 443

6

Required: Security and Compliance Center including audit APIs

*.manage.office.com
*.protection.office.com
manage.office.com
protection.office.com

yes

portal and shared IP ranges

TCP 443

7

Optional: Security and Compliance Center advanced eDiscovery.

equivioprod*.cloudapp.net
equivio.office.com
office365zoom.cloudapp.net
zoom-cs-prod*.cloudapp.net

no

N/A

TCP 443

8

Optional: Security and Compliance Center eDiscovery export

*.blob.core.windows.net

no

N/A

TCP 443

9

Optional: 3rd party office integration. (including CDNs)

*.helpshift.com
*.localytics.com
analytics.localytics.com
api.localytics.com
connect.facebook.net
firstpartyapps.oaspapps.com
outlook.uservoice.com
prod.firstpartyapps.oaspapps.com.akadns.net
rink.hockeyapp.net
sdk.hockeyapp.net
telemetryservice.firstpartyapps.oaspapps.com
web.localytics.com
webanalytics.localytics.com
wus-firstpartyapps.oaspapps.com

no

N/A

TCP 443

10

Optional: some Office 365 features require endpoints within these domains. (including CDNs)

Note: Many specific FQDNs within these wildcards have been published recently as we work to either remove or better explain our guidance relating to these wildcards.

*.microsoft.com
*.msocdn.com
*.office.com
*.office.net
*.onmicrosoft.com

no2

N/A

TCP 80 & 443

11

Optional: Microsoft Azure RemoteApp

liverdcxstorage.blob.core.windowsazure.com
telemetry.remoteapp.windowsazure.com
vortex.data.microsoft.com
www.remoteapp.windowsazure.com

no

N/A

TCP 443

12

Optional:

*.aria.microsoft.com
*.blob.core.windows.net
*.hockeyapp.net
*.sharepointonline.com
*.staffhub.office.com
api.office.com
enterpriseregistration.windows.net
dc.applicationinsights.microsoft.com
dc.services.visualstudio.com
forms.microsoft.com
forms.office.com
graph.microsoft.com
graph.windows.net
manage.office.com
mem.gfx.ms
office365servicehealthcommunications.cloudapp.net
securescore.office.com
signup.microsoft.com
staffhub.ms
staffhubweb.azureedge.net
staffhub.office.com
staffhub.uservoice.com
weu-000.forms.osi.office.net
wus-000.forms.osi.office.net
neu-000.forms.osi.office.net
eus2-000.forms.osi.office.net
ea-000.forms.osi.office.net
watson.telemetry.microsoft.com
wu.client.hip.live.com

no

N/A

TCP 443

13

Optional: Import Service for PST and file ingestion

refer to the Import Service for additional requirements.

14

Optional: Remote Connectivity Analyzer - Initiate connectivity tests.

testconnectivity.microsoft.com

no

13.67.59.89/32
40.69.150.142/32
40.85.91.8/32
104.211.54.99/32
104.211.54.134/32

TCP 80 & 443

15

Optional: Remote Connectivity Analyzer - Execution of the tests selected by the customer.

source of network requests: testconnectivity.microsoft.com

on-premises systems for email and collaboration.

no

customer IP ranges

80, 443, 25, POP3 on (110, 995, or Custom), IMAP4 on (143, 993, or Custom)

16

Optional: Microsoft Support and Recover Assistant for Office 365 - validate single sign-on user credentials. Source:

  • o365diagnosticsbasic-eus.cloudapp.net (104.211.54.99)

  • o365diagnosticworker-eus.cloudapp.net (104.211.54.134)

on-premises STS

no

customer IP ranges

customer configurable. Typically TCP 443

17

Optional: FastTrack network testing

ap1-fasttrack.cloudapp.net
em1-fasttrack.cloudapp.net
na1-fasttrack.cloudapp.net

no

N/A

TCP 80 & 443

1Keep in mind that Machine accounts won’t work with proxies that require outbound authentication.

2 There are specific sub-FQDNs within this domain that are available on ExpressRoute, learn more by reading the section, Deciding which applications and features route over ExpressRoute.

Note: The domains and nodes that the wildcards such as *.office365.com & *.portal.cloudappsecurity.com represent are a list of application, functional, and regional domains and nodes used for the Office 365 suite. Some are dynamically assigned and all of these sub-domains and nodes are subject to change at any time as the service improves. Other wildcards such as *.office.com, *.office.net, *.onmicrosoft.com, *.microsoft.com, & *.msocdn.com are used to capture the long list of shared Microsoft-wide services that Office 365 relies on at times and can be treated as general Internet traffic where a specific FQDN is not defined. The wildcards used in the advanced eDiscovery service such as equivioprod*.cloudapp.net and zoom-cs-prod*.cloudapp.net represent a long list of FQDNs such as equivioprod-4.cloudapp.net.

Office 365 portal and shared IPv4 endpoints routable through the Internet and ExpressRoute

Office 365 portal and shared IPv4 endpoints routable through the Internet only

Office 365 portal and shared IPv6 endpoints routable through the Internet only

13.65.240.22/32
13.66.58.59/32
13.70.156.206/32
13.71.145.114/32
13.71.145.122/32
13.71.151.88/32
13.75.149.223/32
13.78.120.69/32
13.78.120.70/32
13.78.120.99/32
13.78.122.54/32
13.80.22.71/32
13.80.125.22/32
13.84.178.101/32
13.84.216.209/32
13.84.219.100/32
13.84.222.249/32
13.87.36.128/32
13.88.17.54/32
13.91.91.243/32
13.92.181.66/32
13.92.236.241/32
13.93.164.45/32
13.95.29.177/32
13.95.30.46/32
13.107.6.156/31
13.107.7.190/31
13.107.9.156/31
23.96.32.105/32
23.96.251.50/32
23.96.253.65/32
23.97.66.55/32
23.97.78.94/32
23.99.121.16/32
23.99.125.4/32
40.69.185.117/32
40.71.88.196/32
40.76.54.117/32
40.83.120.174/32
40.83.127.89/32
40.83.185.155/32
40.83.185.230/32
40.84.145.72/32
40.112.144.173/32
40.112.187.89/32
40.113.91.234/32
40.117.96.104/32
40.117.100.187/32
40.117.229.133/32
40.117.229.194/32
40.124.8.53/32
51.140.45.81/32
51.140.226.217/32
51.142.213.184/32
52.163.58.153/32
52.163.93.38/32
52.164.121.65/32
52.164.124.124/32
52.164.127.6/32
52.168.128.89/32
52.172.49.206/32
52.174.56.180/32
52.175.154.183/32
52.175.158.8/32
52.178.27.129/32
52.178.144.25/32
52.178.146.3/32
52.178.146.67/32
52.178.150.186/32
52.183.75.62/32
52.185.154.106/32
52.187.42.197/32
52.187.78.144/32
52.225.223.43/32
52.228.36.141/32
52.230.24.83/32
52.231.24.115/32
52.231.204.153/32
52.232.112.133/32
52.232.118.68/32
52.232.129.232/32
65.52.144.46/32
65.52.176.186/32
65.52.192.203/32
65.52.220.46/32
65.52.240.200/32
65.55.239.168/32
70.37.96.155/32
94.245.88.28/32
94.245.117.53/32
104.40.178.127/32
104.40.179.160/32
104.40.211.46/32
104.42.225.143/32
104.42.230.91/32
104.43.21.58/32
104.45.225.7/32
104.47.156.62/32
104.211.160.244/32
104.214.107.57/32
104.214.144.62/32
104.214.144.252/32
104.214.145.126/32
104.214.145.173/32
104.214.146.199/32
111.221.96.149/32
111.221.104.43/32
137.116.156.3/32
137.116.248.150/32
137.117.17.124/32
138.91.61.107/32
157.55.139.177/32
157.55.145.0/25
157.55.155.0/25
157.55.212.37/32
157.55.227.192/26
168.61.149.234/32
168.62.104.83/32
168.62.106.224/32
168.63.92.133/32
191.235.95.142/32
191.238.160.173/32
207.46.73.250/32
207.46.140.244/32
207.46.141.38/32
207.46.156.124/32
207.46.216.54/32
213.199.128.119/32
13.64.196.27/32
13.64.198.19/32
13.64.198.97/32
13.64.199.41/32
13.76.218.117/32
13.76.219.191/32
13.76.219.210/32
13.91.61.249/32
13.91.98.185/32
13.93.216.68/32
13.93.233.42/32
23.97.61.137/32
23.97.150.21/32
23.97.152.190/32
23.97.209.97/32
23.99.109.44/32
23.99.109.64/32
23.99.116.116/32
23.99.121.207/32
23.100.86.91/32
23.101.14.229/32
23.101.30.126/32
23.102.4.253/32
40.76.1.176/32
40.76.8.142/32
40.76.12.4/32
40.76.12.162/32
40.113.8.255/32
40.113.10.78/32
40.113.11.93/32
40.113.14.159/32
40.117.144.240/32
40.117.151.29/32
40.118.211.172/32
40.121.144.182/32
40.122.168.103/32
65.52.148.27/32
65.52.160.218/32
65.52.184.75/32
65.52.196.64/32
70.37.97.234/32
94.245.108.85/32
104.41.207.73/32
104.42.231.28/32
104.43.140.223/32
104.45.11.195/32
104.46.38.64/32
104.46.50.125/32
104.209.35.177/32
104.215.146.200/32
104.215.198.144/32
111.221.111.196/32
137.116.66.126/32
137.116.81.187/32
157.55.177.39/32
157.55.184.223/32
157.55.80.94/32
168.61.146.25/32
168.61.149.17/32
168.61.170.80/32
168.61.172.71/32
168.62.204.209/32
168.62.29.225/32
168.62.43.8/32
168.63.18.79/32
168.63.29.74/32
168.63.100.61/32
168.63.138.56/32
168.63.172.54/32
168.63.213.238/32
191.237.218.239/32
207.46.134.255/32
207.46.153.155/32
2603:1020:200::682f:a1d8/128
2603:1020:201::3c4/128
2603:1030:603::6a/128
2603:1030:603::72/128
2603:1030:a02::118/128
2603:1040:200::111/128
2603:1040:400::5d/128
2603:1040:400::5e/128
2603:1040:400::7b/128
2603:1040:401::c/128
2603:1040:601::2f/128
2603:1040:601::1e7/128
2801:80:1d0:1c00::/64
2a01:111:2003::/48
2a01:111:200a:a::/64
2a01:111:202c::/48
2a01:111:202e::/48
2a01:111:202e::190/128
2a01:111:202e::191/128
2a01:111:202e::156/128
2a01:111:202d::/48
2a01:111:2035:8::/64
2a01:111:f100:8000::4134:902e/128
2a01:111:f100:6000::4134:b0ba/128
2a01:111:f100:1002::4134:c0cb/128
2a01:111:f100:1002::4134:c440/128
2a01:111:f100:1002::4134:d9ee/128
2a01:111:f100:1004::4134:f0c8/128
2a01:111:f100:2002::8975:2c33/128
2a01:111:f100:2002::8975:2d11/128
2a01:111:f100:2002::8975:2d43/128
2a01:111:f100:2002::8975:2d98/128
2a01:111:f100:3002::8987:320c/128
2a01:111:f100:3002::8987:342a/128
2a01:111:f100:3002::8987:3552/128
2a01:111:f100:4001::4625:609b/128
2a01:111:f100:4001::4625:61ea/128
2a01:111:f100:4001::4625:a1e3/128
2a01:111:f100:4001::4625:a1e8/128
2a01:111:f100:4001::4625:a248/128
2a01:111:f100:6000::4134:b84b/128
2a01:111:f100:7000::6fdd:682b/128
2a01:111:f100:7000::6fdd:6b20/128
2a01:111:f100:7000::6fdd:6b76/128
2a01:111:f100:7000::6fdd:6fc4/128
2a01:111:f100:8000::4134:941b/128
2a01:111:f100:8001::d5c7:8077/128
2a01:111:f100:a000::5ef5:581c/128
2a01:111:f100:a000::5ef5:6c55/128
2a01:111:f100:7000::6fdd:6095/128
2a01:111:f100:a001::a83f:5c85/128
2a01:111:f100:a004::bfeb:8c89/128
2a01:111:f100:a004::bfeb:8deb/128
2a01:111:f102:8001::1761:4237/128
2a01:111:f102:8001::1761:4daf/128
2a01:111:f406:1::/64
2a01:111:f406:1000::/64
2a01:111:f406:1004::/64
2a01:111:f406:1801::/64
2a01:111:f406:1805::/64
2a01:111:f406:3404::/64
2A01:111:F406:8000::/64
2a01:111:f406:8801::/64
2a01:111:f406:a003::/64
2a01:111:f406:c00::/64
2a01:111:f100:1002::4134:d93c/128
2a01:111:f100:4001::4625:a4b4/128
2a01:111:f100:a004::bfeb:8cb8/128
2603:1020:201::5f2/128
2a01:111:f100:7000::6fdd:6bc2/128
2a01:111:f100:7000::6fdd:699d/128
2a01:111:f102:8001::1761:4f8a/128
2a01:111:f100:3002::8987:358e/128
2a01:111:f100:2002::8975:2cbc/128
2603:1030:603::5e0/128
2603:1040:200::4a9/128
2603:1040:601::4e/128
2603:1040:401::57/128
2603:1030:603::4ed/128
2a01:111:f100:a004::bfeb:8a37/128
2a01:111:f100:a004::bfeb:8872/128
2a01:111:f100:4001::4625:a3b3/128
2a01:111:f100:7000::6fdd:6a4e/128
2a01:111:f100:2002::8975:2db9/128
2603:1030:a02::5f9/128
2603:1040:200::419/128
2603:1020:201::142/128
2603:1020:201::265/128
2603:1020:300::33/128
2603:1020:400::26/128
2603:1040:400::715/128
2603:1040:601::281/128

The endpoints listed in this section are required if you're using Azure Rights Management. Requests originate from browsers, clients, and servers and requires the authenticated user to be passed. In addition to the suite-wide FQDNs, CDNs, and telemetry listed above, you'll need to also add these endpoints. Azure RMS requires port 443 for all communications, does not rely on CDNs, has no published IP addresses, and is not accessible over ExpressRoute for Office 365.

Row

Purpose

Destination

1

Required: suite-wide services

see Office 365 required entries for shared services and authentication

2

Required: Azure Rights Management (RMS)

*.aadrm.com
*.azurerms.com
ecn.dev.virtualearth.net

3

Required: Azure Rights Management (RMS)

*.cloudapp.net1

4

Optional: Rights Management connector

Source of network requests: On-premises server

*.aadrm.com

1Azure Rights Management Office 2010 Clients Only.

Note: The domains and nodes that the wildcards such as *.aadrm.com & *.azurerms.com represent are a list of application, functional, and regional domains and nodes used for rights management functionality. Some are dynamically assigned and all of these sub-domains and nodes are subject to change at any time as the service improves.

See our article on the Office 365 certificate chains for a more detailed view of the certificate chains including downloadable p7b.

Office 365 Certificate Revocation List (Root URLs)

*.entrust.net
*.geotrust.com
*.omniroot.com
*.public-trust.com
*.symcb.com
*.symcd.com
*.verisign.com
*.verisign.net
aia.entrust.net
apps.identrust.com
cacert.a.omniroot.com
cacert.omniroot.com
cacerts.digicert.com
cdp1.public-trust.com
cert.int-x3.letsencrypt.org
crl.entrust.net
crl.globalsign.com
crl.globalsign.net
crl.identrust.com
crl.microsoft.com
crl3.digicert.com
crl4.digicert.com
EVIntl-aia.verisign.com
EVIntl-crl.verisign.com
EVIntl-ocsp.verisign.com
evsecure-aia.verisign.com
EVSecure-crl.verisign.com
EVSecure-ocsp.verisign.com
isrg.trustid.ocsp.identrust.com
mscrl.microsoft.com
ocsp.digicert.com
ocsp.entrust.net
ocsp.globalsign.com
ocsp.int-x3.letsencrypt.org
ocsp.msocsp.com
ocsp.omniroot.com
ocsp2.globalsign.com
ocspx.digicert.com
s1.symcb.com
s2.symcb.com
sa.symcb.com
sd.symcb.com
secure.globalsign.com
sr.symcb.com
sr.symcd.com
su.symcb.com
su.symcd.com
vassg142.crl.omniroot.com
vassg142.ocsp.omniroot.com
www.digicert.com
www.microsoft.com

Internet & ER accessible: shared services | authentication | Office Online | Exchange Online | Exchange Online Protection | Skype for Business Online | Microsoft Teams | SharePoint Online and OneDrive | Dynamics CRM IP | Dynamics CRM URI | Power BI

Internet accessible: Office 365 Video and Microsoft Stream | Yammer | Sway | Planner | Office Clients | Microsoft Intune | Microsoft PowerApps | Microsoft Flow

<Back to top>

Office 365 authentication and identity

Every Office 365 service depends on the required endpoints in the Office 365 portal and shared and Office 365 authentication and identity sections to function. To use any Office 365 services, you must be able to connect to the endpoints marked required in the table below. If your organization uses Azure AD Connect AAD Connect, AD FS, or Multi-factor authentication, you'll find the associated endpoints below. All IP addresses entered directly in the Destination IP column are also listed in the IP tables and XML file for your convenience.

Authentication and identity FQDNs

If you’re using Active Directory Federation Services (AD FS) with your deployment, you can also use AD FS client access policies with Windows Server 2012 R2 or client access policies with AD FS 2.0 to further restrict and control access to Office 365. Destinations with a yes in the ExpressRoute for Office 365 BGP Communities column are advertised over ExpressRoute and the Internet.

The FQDN secure.aadcdn.microsoftonline-p.com needs to be in your client's IE Trusted Sites Zone to function.

Row

Purpose

Source | Credentials

Destination

ExpressRoute for Office 365 BGP Communities

CIDR Address

Port

1

Required: Certificate revocation lists

see the well known certificate root CRLs.

2

Required: authentication and identity

client or server / logged on user

api.login.microsoftonline.com
clientconfig.microsoftonline-p.net
device.login.microsoftonline.com
hip.microsoftonline-p.net
hipservice.microsoftonline.com
login.microsoft.com
login.microsoftonline.com
logincert.microsoftonline.com
loginex.microsoftonline.com
login-us.microsoftonline.com
login.microsoftonline-p.com
nexus.microsoftonline-p.com
stamp2.login.microsoftonline.com
login.windows.net

yes

Authentication and Identity IP ranges

TCP 80 & 443

3

Required: authentication and identity

client or server / logged on user

ccs.login.microsoftonline.com
ccs-sdf.login.microsoftonline.com

yes

Exchange Online IP ranges

TCP 80 & 443

4

Required: authentication and identity

client or server / logged on user

accounts.accesscontrol.windows.net
secure.aadcdn.microsoftonline-p.com

no

N/A

TCP 443

5

Optional: Legacy/temporary FQDNs (including CDNs)

client or server / logged on user

.msecnd.net
*.microsoftonline.com
*.microsoftonline-p.com
*.microsoftonline-p.net
*.windows.net

no

N/A

TCP 443

6

Optional: Multi-factor authentication (MFA)

client or server / logged on user

account.activedirectory.windowsazure.com
secure.aadcdn.microsoftonline-p.com

no

Microsoft Azure Active Directory (MFA) IP and FQDNs

TCP 443

7

Optional: Azure AD Connect and DirSync

Azure AD Connect server | Service Account

adminwebservice.microsoftonline.com
login.windows.net
provisioningapi.microsoftonline.com

yes

Authentication and Identity IP ranges

TCP 443

8

Optional: Azure AD Connect and DirSync

Azure AD Connect server | Service Account

*.microsoftonline.com
mscrl.microsoft.com
secure.aadcdn.microsoftonline-p.com

no

N/A

TCP 80 & 443

9

Optional: Azure AD Connect (w/SSO option) – WinRM & remote powershell

lient or server / logged on user

customer STS environment (AD FS Server and AD FS Proxy) | Ports TCP 80 & 443

no

customer environment

TCP 80 & 443

10

Optional: STS such as AD FS Proxy server(s) (for federated customers only)

client or server / N/A

customer STS (such as AD FS Proxy) | Ports TCP 443 or TCP 49443 w/ClientTLS

no

customer environment

TCP 443 or TCP 49443 w/ClientTLS

11

Optional: AD FS Proxy server(s) (for federated customers only)

customer AD FS Proxy (WAP) | N/A

customer AD FS server (FS) | Port TCP 443

no

customer environment

TCP 443

12

Optional: Azure AD Connect Health (including CDNs)

Azure AD Connect Health server | Service Account

*.adhybridhealth.azure.com
*.blob.core.windows.net
*.table.core.windows.net
*.queue.core.windows.net
management.azure.com
policykeyservice.dc.ad.msft.net
secure.aadcdn.microsoftonline-p.com

*.servicebus.windows.net - Port: 5671 (If 5671 is blocked, agent falls back to 443, but using 5671 is recommended.)

no

N/A

TCP 443

13

Optional: Azure AD Connect Health

Azure AD Connect Health server | Service Account

login.microsoftonline.com
login.windows.net

yes

Authentication and Identity IP ranges

TCP 443

Note: The sub-FQDN login.windows.net is advertised via Expressroute and included in the office 365 BGP communities. Also keep in mind that Machine accounts won’t work with proxies that require outbound authentication.

Office 365 authentication and identity IPv4 endpoints routable through the Internet and ExpressRoute

Office 365 authentication and identity IPv6 endpoints routable through the Internet only

13.67.50.224/29
13.71.201.64/26
13.106.4.128/25
13.75.48.16/29
13.75.80.16/29
13.106.56.0/25
23.100.16.168/29
23.100.32.136/29
23.100.64.24/29
23.100.72.32/29
23.100.80.64/29
23.100.88.32/29
23.100.101.112/28
23.100.104.16/28
23.100.112.64/29
23.100.120.64/29
23.101.5.104/29
23.101.144.136/29
23.101.165.168/29
23.101.181.128/29
23.101.210.24/29
23.101.222.240/28
23.101.224.16/29
23.101.226.16/28
40.112.64.16/28
40.113.192.16/29
40.114.120.16/29
40.115.152.16/28
40.127.67.24/29
52.125.0.0/17
52.172.144.16/28
65.52.1.16/29
65.52.193.136/29
65.54.170.128/25
70.37.128.0/23
104.40.240.48/28
104.41.13.120/29
104.41.216.16/28
104.42.72.16/29
104.43.208.16/29
104.43.240.16/29
104.44.218.128/25
104.44.254.128/25
104.44.255.0/25
104.45.0.16/28
104.45.208.104/29
104.46.112.8/29
104.46.224.64/28
104.209.144.16/29
104.210.48.8/29
104.210.83.160/29
104.210.208.16/29
104.211.16.16/29
104.211.48.16/29
104.211.88.16/28
104.211.98.138/32
104.211.98.146/32
104.211.98.246/32
104.211.99.236/32
104.211.100.160/32
104.211.100.204/32
104.211.102.225/32
104.211.152.32/27
104.211.161.150/32
104.211.161.165/32
104.211.161.185/32
104.211.162.33/32
104.211.165.35/32
104.211.166.139/32
104.211.216.32/27
104.211.224.118/32
104.211.225.135/32
104.211.227.110/32
104.211.231.147/32
104.211.231.248/32
104.215.96.24/29
104.215.144.64/29
104.215.184.16/29
131.253.120.128/32
132.245.165.0/25
134.170.67.0/25
134.170.172.128/25
157.55.45.128/25
157.55.59.128/25
157.55.130.0/25
157.55.145.0/25
157.55.155.0/25
157.55.227.192/26
157.56.53.128/25
157.56.55.0/25
157.56.58.0/25
157.56.151.0/25
191.232.2.128/25
191.237.248.32/29
191.237.252.192/28

2603:1020:201::4a0/128
2603:1020:201::4a1/128
2603:1020:201::4a2/128
2603:1020:201::4a3/128
2603:1020:201::4a4/128
2603:1020:201::4a5/128
2603:1020:201::4a6/128
2603:1020:201::4a7/128
2603:1020:201::4aa/128
2603:1020:201::581/128
2603:1020:201::583/128
2603:1020:201::584/128
2603:1020:201::586/128
2603:1020:201::588/128
2603:1020:201::589/128
2603:1020:201::58a/128
2603:1020:201::58b/128
2603:1020:201::58c/128
2603:1020:201:2::/64
2603:1020:201:3::/64
2603:1030:7::2c/128
2603:1030:7::2d/128
2603:1030:7::2f/128
2603:1030:7::30/128
2603:1030:7::34/128
2603:1030:7::3f/128
2603:1030:7::40/128
2603:1030:7::41/128
2a01:111:2005:6::/64
2a01:111:f100:1002::4134:d89f/128
2a01:111:f100:1002::4134:d944/128
2a01:111:f100:1002::4134:d95f/128
2a01:111:f100:1002::4134:da55/128
2a01:111:f100:1002::4134:da5c/128
2a01:111:f100:1002::4134:da81/128
2a01:111:f100:1002::4134:dab5/128
2a01:111:f100:1002::4134:daee/128
2a01:111:f100:1002::4134:db2a/128
2a01:111:f100:1002::4134:db60/128
2a01:111:f100:1002::4134:db89/128
2a01:111:f100:1002::4134:dbe7/128
2a01:111:f100:1002::4134:dc2d/128
2a01:111:f100:1002::4134:dc2e/128
2a01:111:f100:1002::4134:dc43/128
2a01:111:f100:1002::4134:dc6e/128
2a01:111:f100:1002::4134:dd7a/128
2a01:111:f100:1002::4134:ddcb/128
2a01:111:f100:2002::8975:2c3b/128
2a01:111:f100:2002::8975:2c3f/128
2a01:111:f100:2002::8975:2c6d/128
2a01:111:f100:2002::8975:2cdd/128
2a01:111:f100:2002::8975:2cea/128
2a01:111:f100:2002::8975:2ced/128
2a01:111:f100:2002::8975:2d08/128
2a01:111:f100:2002::8975:2d19/128
2a01:111:f100:2002::8975:2d25/128
2a01:111:f100:2002::8975:2d4d/128
2a01:111:f100:2002::8975:2d6a/128
2a01:111:f100:2002::8975:2d97/128
2a01:111:f100:2002::8975:2daa/128
2a01:111:f100:2002::8975:2dc7/128
2a01:111:f100:3002::8987:30a0/128
2a01:111:f100:3002::8987:3103/128
2a01:111:f100:3002::8987:3278/128
2a01:111:f100:3002::8987:328f/128
2a01:111:f100:3002::8987:3299/128
2a01:111:f100:3002::8987:3344/128
2a01:111:f100:3002::8987:3396/128
2a01:111:f100:3002::8987:3398/128
2a01:111:f100:3002::8987:33b3/128
2a01:111:f100:3002::8987:33ec/128
2a01:111:f100:3002::8987:34eb/128
2a01:111:f100:3002::8987:34f8/128
2a01:111:f100:3002::8987:353b/128
2a01:111:f100:3002::8987:35b5/128
2a01:111:f100:4001::4625:a3ee/128
2a01:111:f100:4001::4625:a4b6/128
2a01:111:f100:4001::4625:a4ba/128
2a01:111:f100:4001::4625:a4c7/128
2a01:111:f100:4001::4625:a4cf/128
2a01:111:f100:4001::4625:a4ee/128
2a01:111:f100:4001::4625:a56f/128
2a01:111:f100:4001::4625:a589/128
2a01:111:f100:7000::6fdd:6a44/128
2a01:111:f100:7000::6fdd:6b96/128
2a01:111:f100:7000::6fdd:6bb6/128
2a01:111:f100:7000::6fdd:6c82/128
2a01:111:f100:7000::6fdd:6d1c/128
2a01:111:f100:7000::6fdd:6d23/128
2a01:111:f100:7000::6fdd:6d50/128
2a01:111:f100:7000::6fdd:6d88/128
2a01:111:f100:a004::bfeb:8a92/128
2a01:111:f100:a004::bfeb:8ab0/128
2a01:111:f100:a004::bfeb:8b12/128
2a01:111:f100:a004::bfeb:8b15/128
2a01:111:f100:a004::bfeb:8b3c/128
2a01:111:f100:a004::bfeb:8b47/128
2a01:111:f100:a004::bfeb:8b6c/128
2a01:111:f100:a004::bfeb:8beb/128
2a01:111:f100:a004::bfeb:8c55/128
2a01:111:f100:a004::bfeb:8c6d/128
2a01:111:f100:a004::bfeb:8c6f/128
2a01:111:f100:a004::bfeb:8c88/128
2a01:111:f100:a004::bfeb:8cc0/128
2a01:111:f100:a004::bfeb:8cdc/128
2a01:111:f100:a004::bfeb:8d83/128
2a01:111:f100:a004::bfeb:8d96/128
2a01:111:f100:a004::bfeb:8daa/128
2a01:111:f102:8001::1761:4929/128
2a01:111:f102:8001::1761:4948/128
2a01:111:f102:8001::1761:4b83/128
2a01:111:f102:8001::1761:4f0d/128
2a01:111:f102:8001::1761:4f32/128
2a01:111:f102:8001::1761:4f64/128
2a01:111:f102:8001::1761:4f8d/128
2a01:111:f102:8001::1761:4fc0/128
2a01:111:f400::/48
2001:df0:d9:200::/64
2603:1047:100::/64
2a01:111:2035:8::/64
2a01:111:200a:a::/64
2a01:111:f406:1::/64
2a01:111:f406:2::/64
2a01:111:f406:1004::/64
2a01:111:f406:1805::/64
2a01:111:f406:3404::/64
2A01:111:F406:8000::/64
2a01:111:f406:8801::/64
2a01:111:f406:a003::/64
2A01:111:F406:C00::/64

Internet & ER accessible: shared services | authentication | Office Online | Exchange Online | Exchange Online Protection | Skype for Business Online | Microsoft Teams | SharePoint Online and OneDrive | Dynamics CRM IP | Dynamics CRM URI | Power BI

Internet accessible: Office 365 Video and Microsoft Stream | Yammer | Sway | Planner | Office Clients | Microsoft Intune | Microsoft PowerApps | Microsoft Flow

<Back to top>

Office Online

Office Online FQDNs

Every Office 365 service depends on the required endpoints in the Office 365 portal and shared and Office 365 authentication and identity sections to function. To use Office Online, you must be able to connect to the endpoints marked required in the table below. Destinations with a yes in the ExpressRoute for Office 365 BGP Communities column are advertised over ExpressRoute and the Internet.

Office Online is only available in the browser and requires the authenticated user to be passed through any proxies. Office Online only requires TCP Port 443. In addition to the suite-wide FQDNs, CDNs, and telemetry listed above, you'll need to also add these endpoints.

Row

Purpose

Destination

ExpressRoute for Office 365 BGP Communities

CIDR Address

1

Required: suite-wide services

see Office 365 required entries for shared services and authentication

2

Required: Office Online

*broadcast.officeapps.live.com
*excel.officeapps.live.com
*onenote.officeapps.live.com
*powerpoint.officeapps.live.com
*view.officeapps.live.com
*visio.officeapps.live.com
*word-edit.officeapps.live.com
*word-view.officeapps.live.com

yes

Office Online IP Ranges.

3

Required: Content Delivery Network for Office Web Apps

*.cdn.office.net
contentstorage.osi.office.net

no

N/A

Note: The domains and nodes that the wildcards such as *visio.officeapps.live.com represent are a list of 20+ regional nodes. Similarly, the wildcard in the *.cdn.office.net entry represents a collection of application, functional, and regional domains and nodes used only by Office Online. All of these sub-domains and nodes are subject to change at any time as the service improves.

Office Web Apps IPv4 endpoints routable through the Internet and ExpressRoute

Office Web Apps IPv6 endpoints routable through the Internet only

13.69.187.20/32
13.70.184.242/32
13.71.155.176/32
13.75.153.216/32
13.76.140.48/32
13.78.114.39/32
13.85.84.102/32
13.88.248.161/32
13.88.254.212/32
13.107.6.171/32
13.107.6.172/32
23.98.219.76/32
40.68.166.51/32
40.71.251.78/32
40.74.130.243/32
40.74.138.42/32
40.86.230.88/32
40.87.61.217/32
40.114.192.209/32
40.117.226.146/32
40.126.236.216/32
40.127.79.139/32
51.140.46.128/32
51.140.46.150/32
51.141.1.194/32
51.141.8.160/32
52.108.0.0/14
52.164.242.47/32
52.169.109.48/32
52.172.12.123/32
52.172.13.171/32
52.172.152.100/32
52.172.153.104/32
52.174.190.59/32
52.175.25.142/32
52.232.128.169/32
104.40.225.204/32
104.41.62.54/32
104.214.38.136/32
104.215.194.17/32
137.116.172.39/32
137.135.65.72/32
191.235.84.172/32
191.235.87.181/32
191.237.40.220/32
2603:1020:201::37/128
2603:1020:201:9::c6/128
2603:1030:1000::1d/128
2603:1030:f00::17/128
2603:1040:200::5dc/128
2603:1040:401::762/128
2603:1040:601::60f/128
2603:1040:a01::1e/128
2603:1040:c01::28/128
2603:1050:1::cd/128
2620:1ec:a92::171/128
2a01:111:f100:2002::8975:2d79/128
2a01:111:f100:2002::8975:2da8/128
2a01:111:f100:4001::4625:a1c3/128
2a01:111:f100:4001::4625:a419/128
2a01:111:f100:7000::6fdd:6cd5/128
2a01:111:f100:a004::bfeb:8ba7/128

Internet & ER accessible: shared services | authentication | Office Online | Exchange Online | Exchange Online Protection | Skype for Business Online | Microsoft Teams | SharePoint Online and OneDrive | Dynamics CRM IP | Dynamics CRM URI | Power BI

Internet accessible: Office 365 Video and Microsoft Stream | Yammer | Sway | Planner | Office Clients | Microsoft Intune | Microsoft PowerApps | Microsoft Flow

<Back to top>

Exchange Online

Exchange Online FQDNs

Every Office 365 service depends on the required endpoints in the Office 365 portal and shared and Office 365 authentication and identity sections to function. To use Exchange Online, including mail retrieval, OWA, Unified Messaging, and so on, you must be able to connect to the endpoints marked required below. If your organization uses Exchange Hybrid or is migrating email to Office 365, you'll find the associated endpoints below.

Destinations with a yes in the ExpressRoute for Office 365 BGP Communities column are advertised over ExpressRoute and the Internet with the exception of *.outlook.com, there are specific sub-FQDNs within this domain, such as the CNAME xsi.outlook.com which refers to a CDN that have no published IPs and are not available over ExpressRoute, there are other sub-domains that are available on ExpressRoute, learn more by reading the section, Deciding which applications and features route over ExpressRoute.

Row

Purpose

Source | Credentials

Destination

ExpressRoute for Office 365 BGP Communities

CIDR Address

Port

1

Required: suite-wide services

see Office 365 required entries for shared services and authentication

2

Required: EOP services

see Exchange Online Protection (EOP)

3

Required: client SMTP Relay

client computer | logged on user

smtp.office365.com

yes

Exchange Online IP ranges.

TCP 587

4

Required: Exchange Online (including OWA, Outlook, and so on).

client or server | logged on user

*.outlook.com
*.outlook.office.com
outlook.office365.com
autodiscover-<tenant>.outlook.com

yes

Exchange Online IP ranges.

TCP 80 & 443

5

Required: Exchange Online CDNs (including OWA, Outlook, and so on).

client or server | logged on user

xsi.outlook.com
r1.res.office365.com
r3.res.office365.com
r4.res.office365.com

no

N/A

TCP 80 & 443

6

Optional: Exchange Online Unified Messaging/SBC integration.

on-premises Session Border Controller

*.um.outlook.com

no

65.55.94.0/25    
207.46.198.0/25  
213.199.177.0/26   
157.55.9.128/25  
111.221.66.0/25  
207.46.58.128/25

Note: These IP addresses are provided for informational purposes and are not included in the XML.

Any-TCP/UDP

(Bidirectional for inbound, calls , MWI)

7

Optional: Exchange Hybrid including MRS mail migrations.

existing Exchange Client access servers and Mailbox servers | machine account1

*.outlook.office.com
outlook.office365.com

yes

Exchange Online IP ranges.

TCP 80 & 443

8

Optional: Exchange Hybrid co-existence functions such as Free/Busy sharing.

Exchange Online IP ranges | N/A

customer on-premises Exchange

yes

Customer IP

TCP 443

9

Optional: Exchange Hybrid proxy authentication

Exchange Online IP ranges | N/A

customer on-premises STS

yes

Customer IP

TCP 443 (+ TCP 49443 for cert based authentication)

10

Optional: used to configure Exchange Hybrid, using the Exchange Hybrid Configuration Wizard.

Note: These endpoints are only required to configure Exchange hybrid. Rows 8-10 describe the ongoing traffic.

existing Exchange service | N/A

*.store.core.windows.net
asl.configure.office.com
mshrcstorageprod.blob.core.windows.net
tds.configure.office.com

no

N/A

TCP 80 & 443

11

Optional: used to configure Exchange Hybrid, using the Exchange Hybrid Configuration Wizard.

Note: These endpoints are only required to configure Exchange hybrid. Rows 8-10 describe the ongoing traffic.

existing Exchange service | N/A

domains.live.com2

yes

40.118.209.192/32
168.62.190.41/32

Note: These IP addresses are provided for informational purposes and are not included in the XML.

TCP 80 & 443

12

Optional: Exchange Online IMAP4 migration

IMAP4 Service | N/A

*.outlook.office.com
outlook.office365.com

yes

Exchange Online IP ranges.

TCP 143/993

13

Optional: Exchange Online POP3 migration

POP3 Service | N/A

*.outlook.office.com
outlook.office365.com

yes

Exchange Online IP ranges.

TCP 995

14

Optional: all other Exchange Online migration tools

existing Exchange service (EWS or MRS) | N/A

*.outlook.office.com
outlook.office365.com

yes

Exchange Online IP ranges.

TCP 80 & 443

1Keep in mind that Machine accounts won’t work with proxies that require outbound authentication.

2 Only required for Exchange 2010 SP3 Hybrid Configuration Wizard.

Note: The domains and nodes that the wildcards such as *.outlook.office.com & *.um.outlook.com represent are a list of application, functional, and regional domains and nodes used for Exchange Online functionality. Some are dynamically assigned and all of these sub-domains and nodes are subject to change at any time as the service improves. The domains and nodes that the wildcard *.outlook.com represents include sub-domains and nodes for Exchange Online functionality, 3rd party CDNs for Exchange Online such as xsi.outlook.com, and sub-domains that other parts of o365 use.

Exchange Online IPv4 endpoints routable through the Internet and ExpressRoute

Exchange Online IPv6 endpoints routable through the Internet only

13.107.6.152/31
13.107.9.152/31
13.107.18.10/31
13.107.19.10/31
23.103.160.0/20
23.103.224.0/19
40.96.0.0/13
40.104.0.0/15
52.96.0.0/14
70.37.151.128/25
111.221.112.0/21
131.253.33.215/32
132.245.0.0/16
134.170.68.0/23
157.56.96.16/28
157.56.96.224/28
157.56.106.128/28
157.56.232.0/21
157.56.240.0/20
191.232.96.0/19
191.234.6.152/32
191.234.140.0/22
191.234.224.0/22
204.79.197.215/32
206.191.224.0/19
207.46.150.128/25
207.46.203.128/26
2603:1006::/40
2603:1016::/40
2603:1020:0800::/40
2603:1026::/40
2603:1026:0200::/39
2603:1026:0400::/39
2603:1026:0600::/40
2603:1026:0800::/40
2603:1036::/39
2603:1036:0200::/40
2603:1036:0400::/40
2603:1036:0600::/40
2603:1036:0800::/38
2603:1036:0c00::/40
2603:1046::/37
2603:1046:0900::/40
2603:1056::/40
2603:1056:0400::/40
2603:1056:0600::/40
2603:1096::/38
2603:1096:0400::/40
2603:1096:0600::/40
2603:1096:0c00::/40
2603:1096:a00::/39
2603:10a6:0200::/40
2603:10a6:0400::/40
2603:10a6:0600::/40
2603:10a6:0800::/40
2603:10d6:0200::/40
2620:1ec:4::152/128
2620:1ec:4::153/128
2620:1ec:a92::152/128
2620:1ec:a92::153/128
2620:1ec:c::10/128
2620:1ec:c::11/128
2620:1ec:d::10/128
2620:1ec:d::11/128
2a01:111:f400::/48

Exchange Online Protection FQDNs

To use Exchange Online Protection as a stand alone service or as the SMTP engine with Exchange Online, you must be able to connect to the endpoints marked required below. Note the EOP SMTP IP addresses are linked to in row 2, 3, & 4 instead of being listed directly on this page. In addition to the suite-wide FQDNs, CDNs, and telemetry listed above, you'll need to also add these endpoints. All Exchange Online Protection endpoints are available over ExpressRoute and do not rely on a CDN.

Row

Purpose

Source | Credentials

Destination

CIDR Address

Port

1

Required: suite-wide services.

see Office 365 required entries for shared services and authentication

2

Required: EOP

client or server / logged on user

*.protection.outlook.com

see Exchange Online Protection IP Addresses

TCP 53 & 443

3

Required: send SMTP email

existing email environment | N/A

<customer domain-key>.mail.protection.outlook.com

see Exchange Online Protection IP Addresses

TCP 25

4

Required: receive SMTP email

see Exchange Online Protection IP Addresses | N/A

customer email environment

customer email environment

TCP 25

Note: The domains and nodes that the wildcards such as *.protection.outlook.com represent are a list of application, functional, and regional domains and nodes used for mail delivery, security, and compliance functionality. Some are dynamically assigned and all of these sub-domains and nodes are subject to change at any time as the service improves.

Internet & ER accessible: shared services | authentication | Office Online | Exchange Online | Exchange Online Protection | Skype for Business Online | Microsoft Teams | SharePoint Online and OneDrive | Dynamics CRM IP | Dynamics CRM URI | Power BI

Internet accessible: Office 365 Video and Microsoft Stream | Yammer | Sway | Planner | Office Clients | Microsoft Intune | Microsoft PowerApps | Microsoft Flow

<Back to top>

Skype for Business Online

Skype for Business Online FQDNs

To use Skype for Business online, ensure both the FQDN and IP Address endpoints listed in the Skype for Business Online tables below are reachable. These tables are updated regularly as Microsoft works to build out its network to increase reliability and performance. Please be sure to subscribe to changes in this documentation to insure changes are incorporated in your networking configuration.

The IP Address endpoints listed in the Skype for Business online IP Addresses includes IP’s required for both Skype for Business online and Teams. If your company also wants to use Microsoft Teams, there is no extra work required as long as you whitelist all the IPs in this section. The FQDN endpoints listed in the Skype for Business online FQDNs only covers those FQDNs that are required for Skype for Business online. If your company wants to use Microsoft Teams, you need to add the FQDNs for Microsoft Teams listed in the Microsoft Teams section. Destinations with a yes in the ExpressRoute for Office 365 BGP Communities column are advertised over ExpressRoute and the Internet.

To use Skype for Business Online, you must first enable endpoints for authentication as well as the Office 365 portal and shared service. You must also ensure the endpoints in the Skype for Business Online FQDN and IP Address tables are reachable. To see the IP addresses, expand the IP address section below the table describing the traffic flow. Keep in mind that wildcards represent all possible sub-domains under the root.

Row

Purpose

Source | Credentials

Destination

CDN

ExpressRoute for Office 365 BGP Communities

CIDR Address

Port

1

Required: Suite-wide services.

See Office 365 required entries for shared services and authentication

2

Required: Skype for Business. Including SIP signaling, Persistent Shared Object Model (PSOM) connections web conferencing, HTTPS downloads, and Call Quality Dashboard

Client Computer | Logged on user

*.lync.com
*.cqd.lync.com
*.infra.lync.com
*.online.lync.com
*.resources.lync.com
*.config.skype.com
*.skypeforbusiness.com
*.pipe.aria.microsoft.com
config.edge.skype.com
pipe.skype.com

No

Yes

Skype for Business IP ranges.

TCP 443

3

Required: Audio, Video, & Desktop sharing

Client Computer | Logged on user

*.lync.com

No

Yes

Skype for Business IP ranges.

TCP 443, UDP 3478, 3479, 3480, & 3481

Optional: TCP & UDP 50,000-59,999

4

Required: Lync Mobile push notifications for Lync Mobile 2010 on iOS devices. You don't need this for Android, Nokia Symbian or Windows Phone mobile devices.

Client Computer | Logged on user

*.lync.com

No

Yes

Skype for Business IP ranges.

TCP 5223

5

Required: Skype for Business CDNs

Client Computer | Logged on user

*.azureedge.net
*.sfbassets.com
*.urlp.sfbassets.com
skypemaprdsitus.trafficmanager.net

Yes

No

N/A

TCP 80 & 443

6

Required: Skype client quicktips & OWA integration

Client Computer | Logged on user

quicktips.skypeforbusiness.com
swx.cdn.skype.com

No

No

N/A.

TCP 443

7

Optional: Federation with Skype and public IM connectivity: Contact picture retrieval

Client Computer | Logged on user

*.api.skype.com
*.users.storage.live.com
skypegraph.skype.com

No

No

SkypeGraph.skype.com IP range information

TCP 443

To use Skype Meeting Broadcast, the following endpoints need to be accessible to client computers.

Row

Purpose

Source |Credentials

Destination

CDN

ExpressRoute for Office 365 BGP Communities

CIDR Address

Port

1

Required: Skype for Business endpoints.

See Skype for Business Online and ensure all entries labeled "required" are accessible.

2

Required: Skype Meeting Broadcast presenter and attendee

Client computer / logged on user

*.broadcast.skype.com
broadcast.skype.com
browser.pipe.aria.microsoft.com

No

Yes

Skype for Business IP ranges.

TCP 443

aka.ms
amp.azure.net

No

No

N/A

TCP 443

3

Required: Skype Meeting Broadcast presenter and attendee

Client computer / logged on user

*.keydelivery.mediaservices.windows.net
*.msecnd.net
*.streaming.mediaservices.windows.net
ajax.aspnetcdn.com
mlccdn.blob.core.windows.net

Yes

No

N/A

TCP 443

Notes: 

  • The domains and nodes that the wildcards such as *.lync.com, *.config.skype.com, *.broadcast.skype.com, *.skypeforbusiness.com, *.sfbassets.com, & *.urlp.sfbassets.com represent are a list of application, functional, and regional domains and nodes used for Skype for Business Online functionality. Some are dynamically assigned and all of these sub-domains and nodes are subject to change at any time as the service improves.

  • The wildcards for mediaservices.windows.net represents a list of media services endpoints associated with Azure Media Services where video content is pulled from. These endpoints are available via the internet and Azure Public peering. The wildcard for msecnd.net represents a dynamically generated endpoint within the CDN that join page libraries are pulled from.

Skype for Business Online IPv4 endpoints routable through the Internet and ExpressRoute

Skype for Business Online IPv6 endpoints routable through the Internet only

13.64.106.229/32
13.64.240.95/32
13.67.109.136/32
13.67.180.128/32
13.67.186.105/32
13.67.209.156/32
13.67.214.76/32
13.67.222.144/32
13.68.31.102/32
13.70.89.162/32
13.70.156.147/32
13.70.159.107/32
13.70.186.54/32
13.73.109.13/32
13.73.155.42/32
13.74.146.183/32
13.75.42.168/32
13.75.120.15/32
13.75.120.61/32
13.75.125.228/32
13.75.126.46/32
13.75.127.250/32
13.75.154.195/32
13.75.159.17/32
13.75.159.51/32
13.76.188.52/32
13.76.189.79/32
13.76.241.210/32
13.77.1.253/32
13.77.7.84/32
13.78.59.246/32
13.78.93.8/32
13.78.94.7/32
13.78.95.252/32
13.78.112.190/32
13.79.153.60/32
13.79.161.153/32
13.79.234.229/32
13.88.183.247/32
13.88.241.210/32
13.89.44.84/32
13.91.40.251/32
13.91.106.134/32
13.91.108.91/32
13.91.252.242/32
13.92.80.132/32
13.92.136.118/32
13.93.149.3/32
13.93.156.214/32
13.93.167.93/32
13.93.209.18/32
13.94.47.37/32
13.95.88.228/32
13.95.233.176/32
13.95.234.10/32
13.95.236.192/32
13.107.3.0/24
13.107.8.0/24
13.107.17.0/24
13.107.64.0/18
13.107.242.0/24
23.97.72.141/32
23.97.75.102/32
23.97.78.16/32
23.97.164.28/32
23.99.101.49/32
23.99.101.118/32
23.99.112.73/32
23.99.113.23/32
23.99.113.163/32
23.99.115.104/32
23.99.121.38/32
23.99.121.255/32
23.99.122.87/32
23.99.124.9/32
23.99.195.117/32
23.101.61.176/32
23.101.112.170/32
23.101.151.89/32
23.103.176.128/26
23.103.176.192/27
23.103.178.128/26
23.103.178.192/27
40.68.225.164/32
40.68.250.216/32
40.68.251.17/32
40.69.45.108/32
40.69.210.145/32
40.74.62.125/32
40.74.84.253/32
40.74.113.62/32
40.74.127.186/32
40.74.128.205/32
40.74.129.215/32
40.74.130.253/32
40.74.143.94/32
40.76.24.32/32
40.76.24.177/32
40.76.77.68/32
40.77.16.36/32
40.78.68.158/32
40.78.71.48/32
40.78.98.202/32
40.78.146.128/32
40.79.38.101/32
40.79.41.254/32
40.79.74.185/32
40.79.82.21/32
40.83.17.24/32
40.83.121.219/32
40.83.124.144/32
40.83.176.46/32
40.83.177.162/32
40.84.28.125/32
40.86.90.132/32
40.86.92.191/32
40.112.188.2/32
40.113.16.205/32
40.113.87.220/32
40.114.149.220/32
40.114.244.22/32
40.115.1.44/32
40.115.74.171/32
40.117.100.83/32
40.117.145.132/32
40.118.169.78/32
40.118.214.164/32
40.118.251.206/32
40.118.253.51/32
40.121.200.212/32
40.122.44.96/32
40.122.165.60/32
40.122.168.86/32
40.123.43.195/32
40.123.50.17/32
40.126.239.210/32
40.126.251.57/32
40.127.129.109/32
40.127.169.165/32
51.140.51.73/32
51.140.53.252/32
51.140.55.82/32
51.140.62.120/32
51.140.70.167/32
51.140.79.167/32
51.140.83.158/32
51.140.126.38/32
51.140.183.120/32
51.141.5.99/32
51.141.9.8/32
51.141.12.151/32
51.141.13.77/32
51.141.28.50/32
51.141.37.21/32
51.141.42.151/32
51.141.45.86/32
51.141.49.0/32
52.112.0.0/14
52.160.110.94/32
52.163.112.45/32
52.163.114.181/32
52.163.115.44/32
52.163.118.82/32
52.163.224.242/32
52.163.225.1/32
52.163.229.196/32
52.163.230.187/32
52.163.231.50/32
52.163.231.126/32
52.164.253.101/32
52.164.255.104/32
52.165.35.53/32
52.165.45.77/32
52.165.150.215/32
52.166.61.83/32
52.169.9.241/32
52.169.10.109/32
52.169.30.95/32
52.169.67.1/32
52.169.104.89/32
52.169.105.194/32
52.169.105.219/32
52.169.106.115/32
52.169.154.144/32
52.169.190.101/32
52.172.53.101/32
52.172.54.196/32
52.172.55.238/32
52.173.190.229/32
52.174.144.192/32
52.174.166.73/32
52.174.166.107/32
52.174.166.156/32
52.174.186.47/32
52.175.24.155/32
52.175.33.58/32
52.175.37.105/32
52.175.38.240/32
52.177.186.61/32
52.177.186.70/32
52.177.186.78/32
52.178.25.175/32
52.178.34.159/32
52.178.36.12/32
52.178.36.169/32
52.178.38.115/32
52.178.108.202/32
52.178.114.127/32
52.178.145.227/32
52.178.148.1/32
52.178.148.152/32
52.178.158.225/32
52.178.179.194/32
52.178.186.230/32
52.178.198.107/32
52.179.139.166/32
52.179.142.102/32
52.183.117.84/32
52.185.146.154/32
52.185.151.102/32
52.187.6.119/32
52.187.79.90/32
52.187.117.218/32
52.187.123.78/32
52.187.126.35/32
52.225.131.249/32
52.232.76.40/32
52.232.78.53/32
52.232.129.71/32
52.232.132.60/32
52.232.135.81/32
52.233.128.227/32
52.233.29.169/32
52.233.30.121/32
65.55.127.0/24
66.119.157.192/26
66.119.158.0/25
104.40.82.150/32
104.40.91.215/32
104.40.189.177/32
104.41.151.83/32
104.41.207.112/32
104.41.208.54/32
104.41.210.140/32
104.42.228.150/32
104.42.229.230/32
104.43.12.164/32
104.44.195.0/24
104.44.200.0/23
104.45.18.178/32
104.45.231.95/32
104.45.231.155/32
104.46.62.41/32
104.46.96.162/32
104.46.97.194/32
104.46.101.116/32
104.46.105.95/32
104.47.151.128/32
104.208.28.54/32
104.208.31.113/32
104.208.152.137/32
104.209.188.207/32
104.210.1.218/32
104.210.9.95/32
104.210.80.193/32
104.211.162.59/32
104.211.165.113/32
104.211.165.216/32
111.221.76.128/25
111.221.77.0/26
111.221.101.75/32
131.253.128.0/19
131.253.160.0/20
132.245.0.0/24
132.245.1.0/25
132.245.112.0/24
132.245.113.0/25
134.170.0.0/25
134.170.54.0/26
134.170.54.128/25
134.170.113.192/26
134.170.115.128/25
137.116.66.252/32
137.116.132.4/32
137.116.157.126/32
137.116.159.19/32
137.116.159.228/32
137.116.248.105/32
137.117.109.221/32
137.117.128.25/32
157.55.238.0/25
157.56.176.68/32
168.61.145.101/32
168.61.155.249/32
168.63.14.15/32
168.63.204.74/32
168.63.219.57/32
168.63.245.120/32
191.237.44.60/32
207.46.155.141/32
207.46.156.136/32
207.46.230.50/32
2603:1027::/48
2603:1029:100::/48
2603:1037::/48
2603:1039:100::/48
2603:1047::/48
2603:1049:100::/48
2603:1057::/48
2620:1ec:6::/48 
2620:01ec:0042::/48
2620:1ec:40::/42
2a01:111:2047:2::/64
2a01:111:2047:1::/64
2a01:111:2048:2::/64
2a01:111:2048:1::/64
2a01:111:f406:3406::/64
2a01:111:f406:3405::/64
2a01:111:200f:11::/64
2a01:111:200f:10::/64
2a01:111:2007:3::/64
2a01:111:2007:4::/64
2a01:111:200f:6::/64
2a01:111:200f:7::/64 
2a01:111:200f:8::/64
2a01:111:200f:9::/64
2a01:111:2012:2::/64 
2a01:111:2012:3::/64
2a01:111:2012:4::/64
2a01:111:2012:5::/64
2a01:111:2012:6::/64
2a01:111:2012:7::/64
2a01:111:202a:2::/64
2a01:111:202a:3::/64
2a01:111:202b:3::/64
2a01:111:202b:4::/64
2a01:111:202b:9::/64
2a01:111:202b:a::/64
2a01:111:202f::/48
2a01:111:2034:2::/64
2a01:111:2034:3::/64
2a01:111:2035:6::/64
2a01:111:2035:7::/64
2a01:111:2036:2::/64
2a01:111:2036:3::/64
2a01:111:203e:1::/64
2a01:111:203e:2::/64
2a01:111:2040:1::/64
2a01:111:2040:2::/64
2a01:111:2046:4::/64
2a01:111:2046:5::/64
2a01:111:2a:7::/64
2a01:111:2a:8::/64
2a01:111:f402:5802::/64
2a01:111:f402:5803::/64
2a01:111:f402:5805::/64
2a01:111:f404:0c06::/64
2a01:111:f404:0c07::/64
2a01:111:f404:0c09::/64
2a01:111:f404:0c0a::/64
2a01:111:f404:3400::/64
2a01:111:f404:3401::/64
2a01:111:f404:8002::/64
2a01:111:f404:8003::/64
2a01:111:f404:9400::/64
2a01:111:f404:9401::/64
2a01:111:f404:a000::/64
2a01:111:f404:a001::/64
2a01:111:f404:a800::/64
2a01:111:f404:a801::/64
2a01:111:f404:c0b::/64
2a01:111:f404:c0c::/64
2a01:111:f406:2400::/64
2a01:111:f406:2401::/64
2a01:111:f406:402::/64
2a01:111:f406:403::/64

Internet & ER accessible: shared services | authentication | Office Online | Exchange Online | Exchange Online Protection | Skype for Business Online | Microsoft Teams | SharePoint Online and OneDrive | Dynamics CRM IP | Dynamics CRM URI | Power BI

Internet accessible: Office 365 Video and Microsoft Stream | Yammer | Sway | Planner | Office Clients | Microsoft Intune | Microsoft PowerApps | Microsoft Flow

<Back to top>

Microsoft Teams

Microsoft Teams FQDNs

To use Microsoft Teams, ensure both the FQDN and IP Address endpoints listed in the Microsoft Teams tables below are reachable. These tables are updated regularly as Microsoft works to build out its network to increase reliability and performance. Please be sure to subscribe to changes in this documentation to insure changes are incorporated in your networking configuration. Destinations with a yes in the ExpressRoute for Office 365 BGP Communities column are advertised over ExpressRoute and the Internet.

Wildcards represent regional installations of these services.

Row

Purpose

Source |Credentials

Destination

CDN

ExpressRoute for Office 365 BGP Communities

CIDR Address

Port

1

Required: Authentication and identity

See Office 365 authentication and identity

2

Required: Microsoft Teams.

Client or Server / logged on user

*.teams.skype.com
*.teams.microsoft.com
teams.microsoft.com

No

Yes

Microsoft Teams IP ranges.

TCP 80 & 443

3

Required: Microsoft Teams collaboration

Client or Server / logged on user

*.asm.skype.com
*.cc.skype.com
*.conv.skype.com
*.dc.trouter.io
*.msg.skype.com
prod.registrar.skype.com
prod.tpc.skype.com

No

Yes

Microsoft Teams IP ranges.

TCP 443

UDP 11000 for *.cc.skype.com only

4

Required: Microsoft Teams media

Client or Server / logged on user

These IPs are used by media without explicit FQDN mappings.

No

Yes

13.107.3.0/24
13.107.8.0/24
13.107.17.0/24
13.107.64.0/24
13.107.65.0/24
13.107.242.0/24
52.114.60.0/22
52.114.124.0/22
52.114.188.0/22
52.114.220.0/22
104.44.195.0/24
104.44.200.0/24
104.44.201.0/24

TCP 443

UDP 3478-3481

5

Required: Microsoft Teams shared services

Client or Server / logged on user

*.config.skype.com
*.pipe.skype.com
*.pipe.aria.microsoft.com
config.edge.skype.com
pipe.skype.com
s-0001.s-msedge.net
s-0004.s-msedge.net
scsinstrument-ss-us.trafficmanager.net
scsquery-ss-us.trafficmanager.net
scsquery-ss-eu.trafficmanager.net
scsquery-ss-asia.trafficmanager.net

No

Yes

Microsoft Teams IP ranges.

TCP 443

6

Required: Microsoft Teams shared services

Client or Server / logged on user

*.msedge.net
compass-ssl.microsoft.com
feedback.skype.com

No

No

N/A

TCP 443

7

Required: Microsoft Teams shared services

Client or Server / logged on user

*.secure.skypeassets.com
mlccdnprod.azureedge.net
videoplayercdn.osi.office.net

Yes

No

N/A

TCP 443

8

Optional: Messaging interop with Skype for Business

Client or Server / logged on user

*.lync.com
*.infra.lync.com
*.online.lync.com
*.resources.lync.com
*.skypeforbusiness.com

No

Yes

Skype for Business IP ranges.

TCP 443

9

Optional: Messaging interop with Skype for Business

Client or Server / logged on user

*.azureedge.net
*.sfbassets.com
latest-swx.cdn.skype.com
skypemaprdsitus.trafficmanager.net
swx.cdn.skype.com

Yes

No

N/A

TCP 443

10

Optional: Skype Graph

Client or Server / logged on user

skypegraph.skype.com

No

No

SkypeGraph.skype.com IP range information

TCP 443

11

Optional: Microsoft Teams third-party integrations

Client or Server / logged on user

*.giphy.com

N/A

No

N/A

TCP 443

Note: The domains and nodes that the wildcards such as *.teams.skype.com, *.teams.microsoft.com, *.config.skype.com, *.secure.skypeassets.com, & *.pipe.skype.com represent are a list of application, functional, and regional domains and nodes used for Microsoft Teams functionality. Some are dynamically assigned and all of these sub-domains and nodes are subject to change at any time as the service improves.

Microsoft Teams IPv4 endpoints routable through the Internet and ExpressRoute

Microsoft Teams IPv6 endpoints routable through the Internet only

13.64.106.229/32
13.64.240.95/32
13.67.109.136/32
13.67.180.128/32
13.67.186.105/32
13.67.209.156/32
13.67.214.76/32
13.67.222.144/32
13.68.31.102/32
13.70.89.162/32
13.70.156.147/32
13.70.159.107/32
13.70.186.54/32
13.73.109.13/32
13.73.155.42/32
13.74.146.183/32
13.75.42.168/32
13.75.120.15/32
13.75.120.61/32
13.75.125.228/32
13.75.126.46/32
13.75.127.250/32
13.75.154.195/32
13.75.159.17/32
13.75.159.51/32
13.76.188.52/32
13.76.189.79/32
13.76.241.210/32
13.77.7.84/32
13.78.93.8/32
13.78.94.7/32
13.78.95.252/32
13.78.112.190/32
13.79.153.60/32
13.79.161.153/32
13.79.234.229/32
13.88.183.247/32
13.89.44.84/32
13.91.40.251/32
13.91.106.134/32
13.91.108.91/32
13.91.252.242/32
13.93.149.3/32
13.93.156.214/32
13.93.209.18/32
13.94.47.37/32
13.95.88.228/32
13.95.234.10/32
13.95.236.192/32
13.107.3.0/24
13.107.8.0/24
13.107.17.0/24
13.107.64.0/18
13.107.242.0/24
23.97.72.141/32
23.97.75.102/32
23.97.78.16/32
23.99.101.49/32
23.99.101.118/32
23.99.112.73/32
23.99.113.23/32
23.99.113.163/32
23.99.115.104/32
23.99.121.38/32
23.99.121.255/32
23.99.122.87/32
23.99.124.9/32
23.99.195.117/32
23.101.61.176/32
23.101.112.170/32
23.101.151.89/32
23.102.24.114/32
40.68.225.164/32
40.68.250.216/32
40.68.251.17/32
40.69.45.108/32
40.69.210.145/32
40.74.62.125/32
40.74.113.62/32
40.74.127.186/32
40.74.129.215/32
40.74.130.253/32
40.74.143.94/32
40.76.24.177/32
40.76.77.68/32
40.77.16.36/32
40.78.68.158/32
40.78.71.48/32
40.78.98.202/32
40.78.146.128/32
40.79.38.101/32
40.79.41.254/32
40.79.74.185/32
40.79.82.21/32
40.83.17.24/32
40.83.121.219/32
40.83.124.144/32
40.83.176.46/32
40.83.177.162/32
40.84.28.125/32
40.86.90.132/32
40.86.92.191/32
40.113.87.220/32
40.114.149.220/32
40.114.244.22/32
40.115.1.44/32
40.117.100.83/32
40.117.145.132/32
40.118.169.78/32
40.118.214.164/32
40.118.253.51/32
40.122.44.96/32
40.122.165.60/32
40.122.168.86/32
40.123.43.195/32
40.123.50.17/32
40.126.239.210/32
40.127.129.109/32
40.127.169.165/32
51.140.51.73/32
51.140.55.82/32
51.140.62.120/32
51.140.70.167/32
51.140.79.167/32
51.140.83.158/32
51.140.126.38/32
51.141.12.151/32
51.141.13.77/32
51.141.28.50/32
51.141.37.21/32
51.141.42.151/32
51.141.45.86/32
51.141.49.0/32
52.112.0.0/14
52.160.110.94/32
52.163.112.45/32
52.163.114.181/32
52.163.115.44/32
52.163.118.82/32
52.163.224.242/32
52.163.225.1/32
52.163.229.196/32
52.163.230.187/32
52.163.231.50/32
52.163.231.126/32
52.164.253.101/32
52.164.255.104/32
52.165.35.53/32
52.165.45.77/32
52.165.150.215/32
52.166.61.83/32
52.169.9.241/32
52.169.10.109/32
52.169.30.95/32
52.169.67.1/32
52.169.104.89/32
52.169.105.194/32
52.169.105.219/32
52.169.106.115/32
52.169.190.101/32
52.172.53.101/32
52.174.144.192/32
52.174.166.73/32
52.174.166.107/32
52.174.166.156/32
52.174.186.47/32
52.175.24.155/32
52.175.33.58/32
52.175.37.105/32
52.175.38.240/32
52.177.186.61/32
52.177.186.70/32
52.177.186.78/32
52.178.25.175/32
52.178.34.159/32
52.178.36.12/32
52.178.36.169/32
52.178.38.115/32
52.178.108.202/32
52.178.114.127/32
52.178.145.227/32
52.178.148.1/32
52.178.148.152/32
52.178.158.225/32
52.178.179.194/32
52.178.186.230/32
52.178.198.107/32
52.179.139.166/32
52.179.142.102/32
52.183.117.84/32
52.185.146.154/32
52.187.79.90/32
52.187.117.218/32
52.187.123.78/32
52.187.126.35/32
52.225.131.249/32
52.232.76.40/32
52.232.78.53/32
52.233.29.169/32
52.233.30.121/32
104.40.82.150/32
104.40.91.215/32
104.40.189.177/32
104.41.151.83/32
104.41.208.54/32
104.41.210.140/32
104.42.228.150/32
104.42.229.230/32
104.44.195.0/24
104.44.200.0/23
104.45.18.178/32
104.45.231.95/32
104.45.231.155/32
104.46.62.41/32
104.46.96.162/32
104.46.97.194/32
104.46.101.116/32
104.46.105.95/32
104.47.151.128/32
104.208.28.54/32
104.208.31.113/32
104.208.152.137/32
104.209.188.207/32
104.210.1.218/32
104.210.9.95/32
104.211.165.216/32
111.221.101.75/32
137.116.66.252/32
137.116.132.4/32
137.116.157.126/32
137.116.159.19/32
137.116.159.228/32
137.116.248.105/32
137.117.109.221/32
137.117.128.25/32
157.56.176.68/32
168.61.145.101/32
168.61.155.249/32
168.63.245.120/32
191.237.44.60/32
207.46.155.141/32
2603:1027::/48
2603:1029:100::/48
2603:1037::/48
2603:1039:100::/48
2603:1047::/48
2603:1049:100::/48
2603:1057::/48
2620:1ec:6::/48
2620:1ec:40::/42
2a01:111:202f::/48

Internet & ER accessible: shared services | authentication | Office Online | Exchange Online | Exchange Online Protection | Skype for Business Online | Microsoft Teams | SharePoint Online and OneDrive | Dynamics CRM IP | Dynamics CRM URI | Power BI

Internet accessible: Office 365 Video and Microsoft Stream | Yammer | Sway | Planner | Office Clients | Microsoft Intune | Microsoft PowerApps | Microsoft Flow

<Back to top>

SharePoint Online and OneDrive for Business

To use SharePoint Online or OneDrive for Business, you must be able to connect to the endpoints marked required below. Destinations with a yes in the ExpressRoute for Office 365 BGP Communities column are advertised over ExpressRoute and the Internet.

SharePoint Online and OneDrive for Business FQDNs

All '.sharepoint.com' FQDNs with '<tenant>' in the FQDN need to be in your client's IE Trusted Sites Zone to function. In addition to the suite-wide FQDNs, CDNs, and telemetry listed above, you'll need to also add these endpoints.

Row

Purpose

Source | Credentials

Destination

ExpressRoute for Office 365 BGP Communities

CIDR Address

Port

1

Required: suite-wide services, local egress, local DNS resolution, and CRLs.

see Office 365 required entries for shared services and authentication

2

Required: Office Online

see Office Online

3

Required: SharePoint Online and associated applications

client or server / logged on user

*.sharepoint.com
*.svc.ms
<tenant>.sharepoint.com
<tenant>-my.sharepoint.com
<tenant>-files.sharepoint.com
<tenant>-myfiles.sharepoint.com

yes

SharePoint Online IP Ranges.

TCP 80 & 443

4

Required: CDNs for SharePoint Online and associated applications

client or server / logged on user

*.sharepointonline.com
cdn.sharepointonline.com
static.sharepointonline.com
spoprod-a.akamaihd.net
publiccdn.sharepointonline.com
privatecdn.sharepointonline.com

no

N/A

TCP 80 & 443

5

Required: OneDrive for Business admin & Sharing from the Sync client

client or server / logged on user

admin.onedrive.com
officeclient.microsoft.com
odc.officeapps.live.com
skydrive.wns.windows.com

no

N/A

TCP 80 & 443

6

Required: CDN endpoint for OneDrive for Business update verification and download

client or server / logged on user

oneclient.sfx.ms

no

N/A

TCP 80 & 443

7

Optional: OneDrive for Business: supportability, telemetry, APIs, and embedded email links

client or server / logged on user

*.log.optimizely.com
click.email.microsoftonline.com
ssw.live.com
storage.live.com

no

N/A

TCP 443

8

Optional: SharePoint Hybrid Search - Endpoint to SearchContentService where the hybrid crawler feeds documents

The crawler on the on-prem SP authenticates to SCS as the tenant that does the feeding.

*.search.production.us.trafficmanager.net
*.search.production.emea.trafficmanager.net
*.search.production.apac.trafficmanager.net

no

N/A

TCP 443

9

Optional: SharePoint Hybrid Search - Endpoint to SearchContentService to successfully authenticate to remote farm with OAuth authentication and authorization.

The Host Controller/Node Runner Account on the on-prem SP server.

accounts.accesscontrol.windows.net

no

N/A

TCP 443

10

Optional: SharePoint Hybrid Search - Required for onboarding script to connect to Office 365 Provisioning Web Services.

Global admin or equivalent credentials on the tenant for which Hybrid Search is being configured

provisioningapi.microsoftonline.com

yes

Authentication and Identity IP ranges

TCP 443

Note: The domains and nodes that the wildcards such as *.sharepoint.com, *.sharepointonline.com, & *.svc.ms represent are a list of application, functional, and regional domains and nodes used by SharePoint Online. All of these sub-domains and nodes are subject to change at any time as the service improves.

SharePoint Online IPv4 endpoints routable through the Internet and ExpressRoute

SharePoint Online IPv6 endpoints routable through the Internet only

13.107.6.150/31
13.107.6.168/32
13.107.9.150/31
13.107.9.168/32
40.108.0.0/19
40.108.128.0/17
52.104.0.0/14
104.146.0.0/19
104.146.128.0/17
134.170.200.0/21
134.170.208.0/21
191.232.0.0/23
191.234.128.0/21
191.235.0.0/20
2620:1ec:a92::150/128
2620:1ec:4::150/128
2620:1ec:6::129/128
2a01:111:f402::/48
2801:80:1d0:1400::/54

Internet & ER accessible: shared services | authentication | Office Online | Exchange Online | Exchange Online Protection | Skype for Business Online | Microsoft Teams | SharePoint Online and OneDrive | Dynamics CRM IP | Dynamics CRM URI | Power BI

Internet accessible: Office 365 Video and Microsoft Stream | Yammer | Sway | Planner | Office Clients | Microsoft Intune | Microsoft PowerApps | Microsoft Flow

<Back to top>

Additional Office 365 services

Including Office 365 Video, Microsoft Stream, Planner, Sway, Yammer, and Office 365 ProPlus, and other client software. To use any of these services, in addition to the suite-wide FQDNs, CDNs, and telemetry listed above, you must be able to connect to the endpoints marked required in the tables below. The destination port is TCP 443 unless otherwise noted. None of the following services are advertised over Azure ExpressRoute for Office 365.


Yammer

Yammer is only available in the browser and requires the authenticated user to be passed through a proxy. All Yammer FQDNs need to be in your client's IE Trusted Sites Zone to function.

Row

Purpose

Destination

CIDR Address

1

Required: suite-wide services

see Office 365 required entries for shared services and authentication

2

Required: Yammer

*.yammer.com
*.yammerusercontent.com
13.107.6.158/31
13.107.9.158/31
134.170.148.0/22

3

Required: Yammer CDN

*.assets-yammer.com

N/A

Note: The domains and nodes that the wildcards such as *.yammer.com, *.yammerusercontent.com, & *.assets-yammer.com represent are a list of application, functional, and regional domains and nodes used by Yammer. Some are dynamically assigned and all of these sub-domains and nodes are subject to change at any time as the service improves.



Planner

Planner is only available in the browser and requires the authenticated user to be passed through a proxy. In addition to the suite-wide FQDNs, CDNs, and telemetry listed above, you'll need to also add these endpoints.

Row

Purpose

Destination

CIDR Address

1

Required: suite-wide services

see Office 365 required entries for shared services and authentication

2

Required: Planner

tasks.office.com
cus-000.tasks.osi.office.net
ea-000.tasks.osi.office.net
eus-zzz.tasks.osi.office.net
neu-000.tasks.osi.office.net
sea-000.tasks.osi.office.net
weu-000.tasks.osi.office.net
wus-000.tasks.osi.office.net
13.107.6.160/32
13.107.9.160/32
23.97.56.236/32
23.97.78.215/32
40.76.80.180/32
40.112.223.206/32
40.127.139.229/32
104.40.214.0/32
104.43.235.252/32

3

Required: Planner CDNs

ajax.aspnetcdn.com

N/A



Sway

Sway is only available in the browser and requires the authenticated user to be passed through a proxy. In addition to the suite-wide FQDNs, CDNs, and telemetry listed above, you'll need to also add these endpoints.

Row

Purpose

Destination

1

Required: suite-wide services

see Office 365 required entries for shared services and authentication

2

Required: Sway

sway.com
www.sway.com
eus-www.sway.com
eus-000.www.sway.com
eus-001.www.sway.com
eus-002.www.sway.com
eus-003.www.sway.com
eus-004.www.sway.com
eus-005.www.sway.com
eus-006.www.sway.com
eus-007.www.sway.com
eus-008.www.sway.com
eus-009.www.sway.com
eus-00a.www.sway.com
eus-00b.www.sway.com
eus-00c.www.sway.com
eus-00d.www.sway.com
eus-00e.www.sway.com
wus-www.sway.com
wus-000.www.sway.com
wus-001.www.sway.com
wus-002.www.sway.com
wus-003.www.sway.com
wus-004.www.sway.com
wus-005.www.sway.com
wus-006.www.sway.com
wus-007.www.sway.com
wus-008.www.sway.com
wus-009.www.sway.com
wus-00a.www.sway.com
wus-00b.www.sway.com
wus-00c.www.sway.com
wus-00d.www.sway.com
wus-00e.www.sway.com

3

Required: Sway CDNs

eus-www.sway-cdn.com
wus-www.sway-cdn.com
eus-www.sway-extensions.com
wus-www.sway-extensions.com

4

Optional: Sway website analytics

www.google-analytics.com

5

Optional: Sway third party content

access to third party content such as Bing, Flickr, and so on

Note: Instead of a wildcard, we've listed every regional and functional FQDN for Sway to help convey what the other regional, application, and functional wildcards represent for endpoints published in this article.



Office 365 Video and Microsoft Stream

Office 365 Video and Microsoft Stream are only available in the browser and requires the authenticated user to be passed through a proxy. CIDR formatted IP addresses are not available for either Office 365 Video or Microsoft Stream.

Row

Purpose

Destination

1

Required: suite-wide services

see Office 365 required entries for shared services and authentication

2

Required: SharePoint Online endpoints listed above as required

see SharePoint Online

3

Required: Office 365 Video

(using Azure Media Services)

*.keydelivery.mediaservices.windows.net
*.streaming.mediaservices.windows.net

4

Required: Office 365 Video

ajax.aspnetcdn.com
r3.res.outlook.com
spoprod-a.akamaihd.net

5

Required: Microsoft Stream. (needs the AAD user token)

*.api.microsoftstream.com
*.cloudapp.net
*.notification.api.microsoftstream.com
amp.azure.net
api.microsoftstream.com
az416426.vo.msecnd.net
s0.assets-yammer.com
vortex.data.microsoft.com
web.microsoftstream.com

7

Required: Microsoft Stream - unauthenticated (content is encrypted)

(using Azure Media Services)

*.streaming.mediaservices.windows.net

8

Required: Microsoft Stream CDN

amsglob0cdnstream11.azureedge.net

9

Optional: Microsoft Stream

cdn.optimizely.com
nps.onyx.azure.net

Note: The nodes that the wildcards such as *.keydelivery.mediaservices.windows.net & *.streaming.mediaservices.windows.net represent are dynamic entries for video storage and retrieval.



Network requests in Office 2016 for Mac

To understand Office 2016 for Mac endpoint requirements, refer to our reference article Network requests in Office 2016 for Mac.

Network requests for Office and Mobile clients

To understand Office client network requests including, Office 365 ProPlus, Office 2016 for Windows, Outlook App for iOS and Windows, and OneNote refer to the article Network requests in Office and Mobile clients.

Internet & ER accessible: shared services | authentication | Office Online | Exchange Online | Exchange Online Protection | Skype for Business Online | Microsoft Teams | SharePoint Online and OneDrive | Dynamics CRM IP | Dynamics CRM URI | Power BI

Internet accessible: Office 365 Video and Microsoft Stream | Yammer | Sway | Planner | Office Clients | Microsoft Intune | Microsoft PowerApps | Microsoft Flow

<Back to top>

Here’s a short link you can use to come back: https://aka.ms/o365endpoints

Office 365 endpoints are published at the end of each month with 30 days notice. Occasionally emergency changes will occur outside of the end of month publishing or with shorter notice periods. When an endpoint is added, the effective date listed in the RSS feed is the date after which network requests will be sent to the endpoint. If you're new to RSS, here is how to subscribe via Outlook or you can have the RSS feed updates emailed to you.

The endpoints listed as a Yes in the ExpressRoute for Office 365 column are available both over the internet and over ExpressRoute with Microsoft peering configured. Some services that Office 365 leverages are also available with Public peering configured and those are noted here; however, Public peering is not required to use ExpressRoute with Office 365 for the Office 365 applications supported over ExpressRoute.

There's a lot of information on this page, can we present it to you in a simpler way?

Please consider voicing your thoughts at the bottom of this page, under the heading Was this information helpful? Click yes or no and enter detailed feedback. The more feedback we get from you the easier it will be for us to improve the page.

The short icon for LinkedIn Learning. New to Office 365?
Discover free video courses for Office 365 admins and IT pros, brought to you by LinkedIn Learning.

Related Topics

Network connectivity to Office 365
Managing Office 365 endpoints
Troubleshooting Office 365 connectivity
Client connectivity
Content delivery networks
Microsoft Azure Datacenter IP Ranges
Microsoft Public IP Space

Connect with an expert
Contact us
Expand your skills
Explore training

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×