Troubleshooting Office 365 connectivity

Office 365 is designed for the best connectivity when client computers have open access to the internet. Keep reading to understand why this matters and learn the top network connectivity troubleshooting techniques. Office 365 services include primary Office 365 services hosted in Microsoft datacenters, secondary Microsoft services hosted in Microsoft datacenters, and third-party services hosted in either a Microsoft datacenter or a third-party datacenter.

  • You connect to third-party services to retrieve basic internet services such as DNS lookups and CDN content retrieval. You also connect to third-party services for integrations such as incorporating YouTube videos in your OneNote notebooks.

  • You connect to secondary services hosted and run by Microsoft such as edge nodes that enable your network request to enter Microsoft’s global network at the closest internet location to your computer. Because Microsoft’s global network is the third largest network on the planet, this improves your connectivity experience. You also connect to Microsoft Azure services such as Azure Media Services, which are used by a variety of Office 365 services.

  • You connect to primary Office 365 services such as the Exchange Online mailbox server or the Skype for Business Online server where your unique and proprietary data lives. You can connect to the primary Office 365 services by FQDN or IP address and use internet or ExpressRoute circuits. You can only connect to the third-party and secondary services using FQDNs on an internet circuit.

The following diagram shows the differences between these service areas. In this diagram, the customer on-premises network in the lower left has multiple network devices to assist in managing network connectivity. Configurations like this one are common for enterprise customers. If your network only has a firewall between your client computers and the internet, that’s supported as well and you’ll want to ensure your firewall can support FQDNs and wildcards in the allow list rules.

[Diagram: the three different types of network endpoints when using Office 365]

The best place to start troubleshooting network connections is with the computer itself, followed by troubleshooting your network connection, and finally the configuration in place that enables network requests from your computer to reach the right services on the internet. Here are answers to the most common questions asked by Office 365 customers like you.

To get out of the business of tracking down every new IP address that a client requests, use a PAC file. Send network requests for the FQDNs where we don’t have IP address information to a proxy server, and send network requests for the FQDNs where we do have published IP information to your firewall. Here are sample PAC files and further guidance to help you implement this solution.
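
The routing split described above, as an added example that is not one of Microsoft's sample PAC files. The proxy address and the entries in `PUBLISHED_IP_FQDNS` are constructed placeholders; populate the list from the Office 365 endpoints reference article.

```javascript
// Written in ES3-style JavaScript (var, no arrow functions) because some PAC
// engines do not support newer syntax. Uses no PAC built-ins, so it also runs in Node.

// Hypothetical proxy; replace with your own.
var PROXY = "PROXY proxy.corp.example:8080";

// Constructed placeholders for FQDNs whose IP ranges are published.
// These go DIRECT so the firewall's IP allow list handles them.
var PUBLISHED_IP_FQDNS = [
  "mail.published.example",
  "*.collab.published.example"
];

// Match an exact name or a "*.suffix" wildcard. A wildcard matches
// subdomains only: not the bare suffix and not look-alike names such as
// "evilcollab.published.example".
function hostMatches(host, pattern) {
  if (pattern.substring(0, 2) === "*.") {
    var suffix = pattern.substring(1); // ".collab.published.example"
    return host.length > suffix.length &&
           host.substring(host.length - suffix.length) === suffix;
  }
  return host === pattern;
}

function FindProxyForURL(url, host) {
  // Normalize case and a trailing root dot before comparing.
  host = host.toLowerCase().replace(/\.$/, "");

  // Single-label intranet names never leave the network.
  if (host.indexOf(".") === -1) return "DIRECT";

  for (var i = 0; i < PUBLISHED_IP_FQDNS.length; i++) {
    if (hostMatches(host, PUBLISHED_IP_FQDNS[i])) return "DIRECT";
  }

  // Everything else (CDN partners, geo-DNS, other FQDNs without published
  // IP information) goes to the proxy, which allows by FQDN and wildcard.
  return PROXY;
}
```

Defaulting to the proxy means a new partner FQDN never needs a firewall IP rule; only the short DIRECT list has to track the published ranges.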

The Office 365 endpoints reference article has a comprehensive list of the primary, secondary, and third-party FQDNs that must be reachable to use Office 365. If you’re only allowing access to the IP addresses published on the page, you’ll see a lot of network requests to seemingly unknown IP addresses, for example DNS requests or requests to content delivery network partners. The list of our partners changes frequently and we don’t have insight into the IP addresses they use to run their services.

If you want to move the IP address being requested from unknown to known, here are some steps you can follow:

  1. Double-check that the IP address isn’t included in a larger range. We publish our ranges using the CIDR format to convey the most information in the smallest footprint. This makes some things easier, but it often means doing some math to determine what IP addresses are included in a range. Use a CIDR calculator if you get stuck.

  2. Look up the IP address ownership information with a whois query. Oftentimes you’ll find the IP address is owned by a third-party partner such as Akamai. If you discover it’s owned by Microsoft, keep in mind it may be from one of our internal partners.

    Keep in mind some of the IP addresses that are owned by Microsoft are used within Microsoft Azure and may be removed by one Office 365 service and later re-used by another Office 365 service. If you see an IP address removed in the RSS feed and then re-added, you'll want to ensure you've added the endpoint. Always look for the latest instruction in the RSS feed to understand the most current state of any endpoint in Office 365.

  3. Check the certificate. In a browser, connect to the IP address using HTTPS://<IP_ADDRESS> and check the domains listed on the certificate to understand what domains are associated with the IP address. If it’s a Microsoft-owned IP address and not on the list of Office 365 IP addresses, it’s likely the IP address is associated with a Microsoft CDN such as MSOCDN.NET or another Microsoft domain without published IP information. If you do find the domain on the certificate is one where we claim to list the IP address, please let us know.
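
Step 1 can be scripted so that every destination in a firewall deny log is checked against the published ranges before anyone spends time on whois or certificate lookups. This is an added example, not Microsoft tooling; it handles IPv4 only, and the ranges are constructed documentation prefixes standing in for the published list.

```javascript
// Parse a dotted-quad IPv4 address into an unsigned integer; null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p); // arithmetic, not bit shifts, to avoid 32-bit sign issues
  }
  return n;
}

// Expand a CIDR block into its first and last address.
function parseCidr(cidr) {
  const [addr, len] = cidr.split("/");
  const base = ipv4ToInt(addr);
  if (base === null || !/^\d{1,2}$/.test(len || "") || Number(len) > 32) {
    throw new Error("bad CIDR: " + cidr);
  }
  const size = 2 ** (32 - Number(len));
  const first = Math.floor(base / size) * size; // clear the host bits
  return { cidr, first, last: first + size - 1 };
}

// Return the published range that contains ip, or null if none does.
function findContainingRange(ip, cidrs) {
  const n = ipv4ToInt(ip);
  if (n === null) return null;
  const hit = cidrs.map(parseCidr).find(r => n >= r.first && n <= r.last);
  return hit ? hit.cidr : null;
}

// Constructed sample: documentation prefixes, not real Office 365 ranges.
const PUBLISHED_RANGES = ["192.0.2.0/25", "198.51.100.64/26", "203.0.113.0/24"];

// Label each logged destination as known (inside a range) or unknown.
function triage(destinations, ranges) {
  return destinations.map(ip => {
    const range = findContainingRange(ip, ranges);
    return { ip, status: range ? "known" : "unknown", range };
  });
}

// Constructed deny-log destinations; the boundary cases are deliberate.
console.log(triage(["192.0.2.127", "192.0.2.128", "198.51.100.100"], PUBLISHED_RANGES));
```

Only the addresses that come back `unknown` need the whois and certificate checks in steps 2 and 3.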

Office 365 and other Microsoft services use several third-party services such as Akamai and MarkMonitor to improve your Office 365 experience. To keep giving you the best experience possible, we may change these services in the future. When you see connections to these third parties, they’re usually in the form of a redirect or referral; occasionally it will be an initial request from the client.

Some of the services now in use include:

MarkMonitor is in use when you see requests that include *.nsatc.net. This service provides domain name protection and monitoring to protect against malicious behavior.

ExactTarget is in use when you see requests to *.exacttarget.com. This service provides email link management and monitoring against malicious behavior.

Akamai is in use when you see requests that include one of the following FQDNs. This service offers geo-DNS and content delivery network services.

*.akadns.net
*.akam.net
*.akamai.com
*.akamai.net
*.akamaiedge.net
*.akamaihd.net
*.edgekey.net
*.edgesuite.net

Office 365 is a suite of services built to function over the internet, so the reliability and availability promises are based on many standard internet services being available. For example, standard internet services such as DNS, CRL, and CDNs must be reachable to use Office 365 just as they must be reachable to use most modern internet services.

In addition to these basic internet services, there are third-party services that are only used to integrate functionality. For example, using Giphy.com within Microsoft Teams allows customers to seamlessly include GIFs within Teams. Similarly, YouTube and Flickr are third-party services that are used to seamlessly integrate video and images into Office clients from the internet. While these are needed for integration, they’re marked as optional in the Office 365 endpoints article, which means core functionality of the service will continue to function if the endpoint isn’t accessible.

If you’re attempting to use Office 365 and are finding third-party services aren’t accessible, you’ll want to ensure all FQDNs marked required or optional in this article are allowed through the proxy and firewall.

Secondary services are Microsoft services that don’t fall within Office 365 control. These are things like the edge network, Azure Media Services, and Azure Content Delivery Networks. These are all required to use Office 365 and must be reachable.

Blocking Microsoft’s consumer services such as our free email or file storage services is as simple as restricting access to login.live.com where consumer accounts go to authenticate.

Keep in mind that blocking access to the Microsoft consumer services alone won’t prevent someone on your network from exfiltrating information using an Office 365 tenant or other service.

Here’s a short link you can use to come back: https://aka.ms/fixo365endpoints

See Also

Performance troubleshooting plan for Office 365

Best practices for using Office 365 on a slow network

Network connectivity to Office 365

Managing Office 365 endpoints

Client connectivity

Content delivery networks
