Microsoft 365 URLs and IP address ranges
Microsoft 365 requires connectivity to the Internet. The endpoints below should be reachable for customers using Microsoft 365 plans, including Government Community Cloud (GCC).
Microsoft 365 Worldwide (+GCC) | Microsoft 365 operated by 21 Vianet | Microsoft 365 U.S. Government DoD | Microsoft 365 U.S. Government GCC High |
Notes | Download | Use |
---|---|---|
Last updated: 10/31/2024 - Change Log subscription | Download: all required and optional destinations in one JSON formatted list. | Use: our proxy PAC files |
Start with Managing Microsoft 365 endpoints to understand our recommendations for managing network connectivity using this data. Endpoints data is updated as needed at the beginning of each month with new IP Addresses and URLs published 30 days in advance of being active. This cadence allows for customers who don't yet have automated updates to complete their processes before new connectivity is required. Endpoints may also be updated during the month if needed to address support escalations, security incidents, or other immediate operational requirements. The data shown on this page below is all generated from the REST-based web services. If you're using a script or a network device to access this data, you should go to the Web service directly.
Endpoint data below lists requirements for connectivity from a user's machine to Microsoft 365. For detail on IP addresses used for network connections from Microsoft into a customer network, sometimes called hybrid or inbound network connections, see Additional endpoints for more information.
The endpoints are grouped into four service areas representing the three primary workloads and a set of common resources. The groups may be used to associate traffic flows with a particular application; however, because features often consume endpoints across multiple workloads, these groups can't effectively be used to restrict access.
Data columns shown are:
- ID: The ID number of the row, also known as an endpoint set. This ID is the same as is returned by the web service for the endpoint set.
- Category: Shows whether the endpoint set is categorized as Optimize, Allow, or Default. This column also lists which endpoint sets are required to have network connectivity. For endpoint sets that aren't required to have network connectivity, we provide notes in this field to indicate what functionality would be missing if the endpoint set is blocked. You can read about these categories and guidance for their management in Optimizing connectivity to Microsoft 365 services.
- ER: This is Yes if the endpoint set is supported over Azure ExpressRoute with Microsoft 365 route prefixes. The BGP community that includes the route prefixes shown aligns with the service area listed. When ER is No, this means that ExpressRoute is not supported for this endpoint set. Some routes may be advertised in more than one BGP community, making it possible for endpoints within a given IP range to traverse the ER circuit, but still be unsupported. In all cases, the value of a given endpoint set's ER column should be respected.
- Addresses: Lists the FQDNs or wildcard domain names and IP address ranges for the endpoint set. Note that an IP address range is in CIDR format and may include many individual IP addresses in the specified network.
- Ports: Lists the TCP or UDP ports that are combined with listed IP addresses to form the network endpoint. You may notice some duplication in IP address ranges where there are different ports listed.
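As an added example (not part of the original page or of Microsoft's tooling), the sketch below attributes a firewall or proxy log flow to the endpoint sets it matches, using a shortened excerpt of IDs 1, 2, 11 and 12 from the tables on this page; the `classify` function and the sample flows are assumptions made for illustration. It shows why the same CIDR range is listed under more than one ID: the protocol and port decide which endpoint set a flow belongs to.

```python
import ipaddress
from fnmatch import fnmatchcase

# Excerpt of four endpoint sets copied from the tables on this page; each list
# is shortened, so this is not a usable allow-list on its own.
ENDPOINT_SETS = [
    {"id": 1, "category": "Optimize",
     "hosts": ["outlook.office.com", "outlook.office365.com"],
     "nets": ["40.96.0.0/13", "52.96.0.0/14", "2603:1036::/36"],
     "tcp": {443, 80}, "udp": {443}},
    {"id": 2, "category": "Allow",
     "hosts": ["outlook.office365.com", "smtp.office365.com"],
     "nets": ["40.96.0.0/13", "52.96.0.0/14", "2603:1036::/36"],
     "tcp": {587, 993, 995, 143}, "udp": set()},
    {"id": 11, "category": "Optimize", "hosts": [],
     "nets": ["52.112.0.0/14", "52.122.0.0/15", "2603:1063::/38"],
     "tcp": set(), "udp": {3478, 3479, 3480, 3481}},
    {"id": 12, "category": "Allow",
     "hosts": ["*.teams.microsoft.com", "teams.microsoft.com"],
     "nets": ["52.112.0.0/14", "52.122.0.0/15", "2603:1063::/38"],
     "tcp": {443, 80}, "udp": set()},
]


def classify(dest, proto, port):
    """Return [(id, category), ...] for every endpoint set the flow matches.

    dest is an IP address or an FQDN; proto is "tcp" or "udp".
    """
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        addr = None  # not an IP literal, treat it as a hostname
    host = dest.lower().rstrip(".")
    hits = []
    for es in ENDPOINT_SETS:
        if port not in es[proto]:
            continue  # same range, different port: a different endpoint set
        if addr is not None:
            # CIDR containment; an IPv4 address never matches an IPv6 network
            matched = any(addr in ipaddress.ip_network(n) for n in es["nets"])
        else:
            # "*" spans any number of labels but the suffix stays anchored,
            # so "teams.microsoft.com.example.net" does not match
            matched = any(fnmatchcase(host, p) for p in es["hosts"])
        if matched:
            hits.append((es["id"], es["category"]))
    return hits


if __name__ == "__main__":
    # Constructed sample flows, such as might be read from a firewall log
    for flow in [("52.97.1.1", "tcp", 443), ("52.97.1.1", "tcp", 587),
                 ("52.113.5.5", "udp", 3478), ("a.teams.microsoft.com", "tcp", 443)]:
        print(flow, classify(*flow))
```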
Microsoft 365 Unified Domains
Note
In response to customer feedback and to streamline endpoint management, Microsoft has initiated the process of consolidating Microsoft 365 apps and services into a select group of dedicated, secured, and purpose-managed domains within the .microsoft top level domain (TLD).
To avoid connectivity issues for users, please ensure that the following essential domains are included in your allow-list and that connectivity to these domains is not blocked.
ID | Category | Domain name | Purpose | Ports |
---|---|---|---|---|
184 | Required | *.cloud.microsoft | Dedicated to authenticated user facing Microsoft SaaS product experiences. | TCP: 443,80 UDP: 443 |
184 | Required | *.static.microsoft | Dedicated to static (not customer generated) content hosted on CDNs. | TCP: 443,80 UDP: 443 |
184 | Required | *.usercontent.microsoft | Content used in Microsoft 365 experiences that requires domain isolation from applications. | TCP: 443,80 UDP: 443 |
Exchange Online
ID | Category | ER | Addresses | Ports |
---|---|---|---|---|
1 | Optimize Required | Yes | outlook.cloud.microsoft, outlook.office.com, outlook.office365.com 13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128 | TCP: 443, 80 UDP: 443 |
2 | Allow Optional Notes: POP3, IMAP4, SMTP Client traffic | Yes | outlook.office365.com, smtp.office365.com 13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128 | TCP: 587, 993, 995, 143 |
8 | Default Required | No | *.outlook.com, autodiscover.<tenant>.onmicrosoft.com | TCP: 443, 80 |
9 | Allow Required | Yes | *.protection.outlook.com 40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 52.238.78.88/32, 104.47.0.0/17, 2a01:111:f400::/48, 2a01:111:f403::/48 | TCP: 443 |
10 | Allow Required | Yes | *.mail.protection.outlook.com, *.mx.microsoft 40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 104.47.0.0/17, 2a01:111:f400::/48, 2a01:111:f403::/48 | TCP: 25 |
SharePoint and OneDrive
ID | Category | ER | Addresses | Ports |
---|---|---|---|---|
31 | Optimize Required | Yes | *.sharepoint.com 13.107.136.0/22, 40.108.128.0/17, 52.104.0.0/14, 104.146.128.0/17, 150.171.40.0/22, 2603:1061:1300::/40, 2603:1063:6000::/35, 2620:1ec:8f8::/46, 2620:1ec:908::/46, 2a01:111:f402::/48 | TCP: 443, 80 |
32 | Default Optional Notes: OneDrive for Business: supportability, telemetry, APIs, and embedded email links | No | ssw.live.com, storage.live.com | TCP: 443 |
33 | Default Optional Notes: SharePoint Hybrid Search - Endpoint to SearchContentService where the hybrid crawler feeds documents | No | *.search.production.apac.trafficmanager.net, *.search.production.emea.trafficmanager.net, *.search.production.us.trafficmanager.net | TCP: 443 |
35 | Default Required | No | *.wns.windows.com, admin.onedrive.com, officeclient.microsoft.com | TCP: 443, 80 |
36 | Default Required | No | g.live.com, oneclient.sfx.ms | TCP: 443, 80 |
37 | Default Required | No | *.sharepointonline.com, spoprod-a.akamaihd.net | TCP: 443, 80 |
39 | Default Required | No | *.svc.ms | TCP: 443, 80 |
Microsoft Teams
ID | Category | ER | Addresses | Ports |
---|---|---|---|---|
11 | Optimize Required | Yes | 52.112.0.0/14, 52.122.0.0/15, 2603:1063::/38 | UDP: 3478, 3479, 3480, 3481 |
12 | Allow Required | Yes | *.lync.com, *.teams.cloud.microsoft, *.teams.microsoft.com, teams.cloud.microsoft, teams.microsoft.com 52.112.0.0/14, 52.122.0.0/15, 52.238.119.141/32, 52.244.160.207/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2603:1063::/38, 2620:1ec:6::/48, 2620:1ec:40::/42 | TCP: 443, 80 |
16 | Default Required | No | *.keydelivery.mediaservices.windows.net, *.streaming.mediaservices.windows.net, mlccdn.blob.core.windows.net | TCP: 443 |
17 | Default Required | No | aka.ms | TCP: 443 |
18 | Default Optional Notes: Federation with Skype and public IM connectivity: Contact picture retrieval | No | *.users.storage.live.com | TCP: 443 |
19 | Default Optional Notes: Applies only to those who deploy the Conference Room Systems | No | adl.windows.com | TCP: 443, 80 |
27 | Default Required | No | *.secure.skypeassets.com, mlccdnprod.azureedge.net | TCP: 443 |
127 | Default Required | No | *.skype.com | TCP: 443, 80 |
180 | Default Required | No | compass-ssl.microsoft.com | TCP: 443 |
Microsoft 365 Common and Office Online
ID | Category | ER | Addresses | Ports |
---|---|---|---|---|
46 | Allow Required | Yes | *.officeapps.live.com, *.online.office.com, office.live.com 13.107.6.171/32, 13.107.18.15/32, 13.107.140.6/32, 52.108.0.0/14, 52.244.37.168/32, 2603:1006:1400::/40, 2603:1016:2400::/40, 2603:1026:2400::/40, 2603:1036:2400::/40, 2603:1046:1400::/40, 2603:1056:1400::/40, 2603:1063:2000::/38, 2620:1ec:c::15/128, 2620:1ec:8fc::6/128, 2620:1ec:a92::171/128, 2a01:111:f100:2000::a83e:3019/128, 2a01:111:f100:2002::8975:2d79/128, 2a01:111:f100:2002::8975:2da8/128, 2a01:111:f100:7000::6fdd:6cd5/128, 2a01:111:f100:a004::bfeb:88cf/128 | TCP: 443, 80 |
47 | Default Required | No | *.office.net | TCP: 443, 80 UDP: 443 |
49 | Default Required | No | *.onenote.com | TCP: 443 |
50 | Default Optional Notes: OneNote notebooks (wildcards) | No | *.microsoft.com | TCP: 443 |
51 | Default Required | No | *cdn.onenote.net | TCP: 443 |
53 | Default Required | No | ajax.aspnetcdn.com, apis.live.net, officeapps.live.com, www.onedrive.com | TCP: 443 |
56 | Allow Required | Yes | *.auth.microsoft.com, *.msftidentity.com, *.msidentity.com, account.activedirectory.windowsazure.com, accounts.accesscontrol.windows.net, adminwebservice.microsoftonline.com, api.passwordreset.microsoftonline.com, autologon.microsoftazuread-sso.com, becws.microsoftonline.com, ccs.login.microsoftonline.com, clientconfig.microsoftonline-p.net, companymanager.microsoftonline.com, device.login.microsoftonline.com, graph.microsoft.com, graph.windows.net, login-us.microsoftonline.com, login.microsoft.com, login.microsoftonline-p.com, login.microsoftonline.com, login.windows.net, logincert.microsoftonline.com, loginex.microsoftonline.com, nexus.microsoftonline-p.com, passwordreset.microsoftonline.com, provisioningapi.microsoftonline.com 20.20.32.0/19, 20.190.128.0/18, 20.231.128.0/19, 40.126.0.0/18, 2603:1006:2000::/48, 2603:1007:200::/48, 2603:1016:1400::/48, 2603:1017::/48, 2603:1026:3000::/48, 2603:1027:1::/48, 2603:1036:3000::/48, 2603:1037:1::/48, 2603:1046:2000::/48, 2603:1047:1::/48, 2603:1056:2000::/48, 2603:1057:2::/48 | TCP: 443, 80 |
59 | Default Required | No | *.hip.live.com, *.microsoftonline-p.com, *.microsoftonline.com, *.msauth.net, *.msauthimages.net, *.msecnd.net, *.msftauth.net, *.msftauthimages.net, *.phonefactor.net, enterpriseregistration.windows.net, policykeyservice.dc.ad.msft.net | TCP: 443, 80 |
64 | Allow Required | Yes | *.protection.office.com, *.security.microsoft.com, compliance.microsoft.com, defender.microsoft.com, protection.office.com, purview.microsoft.com, security.microsoft.com 13.107.6.192/32, 13.107.9.192/32, 2620:1ec:4::192/128, 2620:1ec:a92::192/128 | TCP: 443 |
66 | Default Required | No | *.portal.cloudappsecurity.com | TCP: 443 |
68 | Default Optional Notes: Portal and shared: 3rd party office integration. (including CDNs) | No | firstpartyapps.oaspapps.com, prod.firstpartyapps.oaspapps.com.akadns.net, telemetryservice.firstpartyapps.oaspapps.com, wus-firstpartyapps.oaspapps.com | TCP: 443 |
69 | Default Required | No | *.aria.microsoft.com, *.events.data.microsoft.com | TCP: 443 |
70 | Default Required | No | *.o365weve.com, amp.azure.net, appsforoffice.microsoft.com, assets.onestore.ms, auth.gfx.ms, c1.microsoft.com, dgps.support.microsoft.com, docs.microsoft.com, msdn.microsoft.com, platform.linkedin.com, prod.msocdn.com, shellprod.msocdn.com, support.microsoft.com, technet.microsoft.com | TCP: 443 |
71 | Default Required | No | *.office365.com | TCP: 443, 80 |
73 | Default Required | No | *.aadrm.com, *.azurerms.com, *.informationprotection.azure.com, ecn.dev.virtualearth.net, informationprotection.hosting.portal.azure.net | TCP: 443 |
75 | Default Optional Notes: Graph.windows.net, Office 365 Management Pack for Operations Manager, SecureScore, Azure AD Device Registration, Forms, StaffHub, Application Insights, captcha services | No | *.sharepointonline.com, dc.services.visualstudio.com, mem.gfx.ms, staffhub.ms, staffhubweb.azureedge.net | TCP: 443 |
78 | Default Optional Notes: Some Office 365 features require endpoints within these domains (including CDNs). Many specific FQDNs within these wildcards have been published recently as we work to either remove or better explain our guidance relating to these wildcards. | No | *.microsoft.com, *.msocdn.com, *.onmicrosoft.com | TCP: 443, 80 |
79 | Default Required | No | o15.officeredir.microsoft.com, officepreviewredir.microsoft.com, officeredir.microsoft.com, r.office.microsoft.com | TCP: 443, 80 |
83 | Default Required | No | activation.sls.microsoft.com | TCP: 443 |
84 | Default Required | No | crl.microsoft.com | TCP: 443, 80 |
86 | Default Required | No | office15client.microsoft.com, officeclient.microsoft.com | TCP: 443 |
89 | Default Required | No | go.microsoft.com | TCP: 443, 80 |
91 | Default Required | No | ajax.aspnetcdn.com, cdn.odc.officeapps.live.com | TCP: 443, 80 |
92 | Default Required | No | officecdn.microsoft.com, officecdn.microsoft.com.edgesuite.net, otelrules.azureedge.net | TCP: 443, 80 |
93 | Default Optional Notes: ProPlus: auxiliary URLs | No | *.virtualearth.net, c.bing.net, ocos-office365-s2s.msedge.net, tse1.mm.bing.net, www.bing.com | TCP: 443, 80 |
95 | Default Optional Notes: Outlook for Android and iOS | No | *.acompli.net, *.outlookmobile.com | TCP: 443 |
96 | Default Optional Notes: Outlook for Android and iOS: Authentication | No | login.windows-ppe.net | TCP: 443 |
97 | Default Optional Notes: Outlook for Android and iOS: Consumer Outlook.com and OneDrive integration | No | account.live.com, login.live.com | TCP: 443 |
105 | Default Optional Notes: Outlook for Android and iOS: Outlook Privacy | No | www.acompli.com | TCP: 443 |
114 | Default Optional Notes: Office Mobile URLs | No | *.appex-rf.msn.com, *.appex.bing.com, c.bing.com, c.live.com, d.docs.live.net, docs.live.net, partnerservices.getmicrosoftkey.com, signup.live.com | TCP: 443, 80 |
116 | Default Optional Notes: Office for iPad URLs | No | account.live.com, auth.gfx.ms, login.live.com | TCP: 443, 80 |
117 | Default Optional Notes: Yammer | No | *.yammer.com, *.yammerusercontent.com | TCP: 443 |
118 | Default Optional Notes: Yammer CDN | No | *.assets-yammer.com | TCP: 443 |
121 | Default Optional Notes: Planner: auxiliary URLs | No | www.outlook.com | TCP: 443, 80 |
122 | Default Optional Notes: Sway CDNs | No | eus-www.sway-cdn.com, eus-www.sway-extensions.com, wus-www.sway-cdn.com, wus-www.sway-extensions.com | TCP: 443 |
124 | Default Optional Notes: Sway | No | sway.com, www.sway.com | TCP: 443 |
125 | Default Required | No | *.entrust.net, *.geotrust.com, *.omniroot.com, *.public-trust.com, *.symcb.com, *.symcd.com, *.verisign.com, *.verisign.net, apps.identrust.com, cacerts.digicert.com, cert.int-x3.letsencrypt.org, crl.globalsign.com, crl.globalsign.net, crl.identrust.com, crl3.digicert.com, crl4.digicert.com, isrg.trustid.ocsp.identrust.com, mscrl.microsoft.com, ocsp.digicert.com, ocsp.globalsign.com, ocsp.msocsp.com, ocsp2.globalsign.com, ocspx.digicert.com, secure.globalsign.com, www.digicert.com, www.microsoft.com | TCP: 443, 80 |
126 | Default Optional Notes: Connection to the speech service is required for Office Dictation features. If connectivity is not allowed, Dictation will be disabled. | No | officespeech.platform.bing.com | TCP: 443 |
147 | Default Required | No | *.office.com, www.microsoft365.com | TCP: 443, 80 |
152 | Default Optional Notes: These endpoints enable the Office Scripts functionality in Office clients available through the Automate tab and the Python in Excel functionality available through the Formulas tab. The Office Scripts feature can also be disabled through the Office 365 Admin portal. For admin controls related to Python in Excel, see Data security and Python in Excel. | No | *.microsoftusercontent.com | TCP: 443 |
153 | Default Required | No | *.azure-apim.net, *.flow.microsoft.com, *.powerapps.com, *.powerautomate.com | TCP: 443 |
156 | Default Required | No | *.activity.windows.com, activity.windows.com | TCP: 443 |
158 | Default Required | No | *.cortana.ai | TCP: 443 |
159 | Default Required | No | admin.microsoft.com | TCP: 443, 80 |
160 | Default Required | No | cdn.odc.officeapps.live.com, cdn.uci.officeapps.live.com | TCP: 443, 80 |
184 | Default Required | No | *.cloud.microsoft, *.static.microsoft, *.usercontent.microsoft | TCP: 443, 80 UDP: 443 |
Notes for this table:
- The Security and Compliance Center (SCC) provides support for Azure ExpressRoute for Microsoft 365. The same applies for many features exposed through the SCC such as Reporting, Auditing, eDiscovery (Premium), Unified DLP, and Data Governance. Two specific features, PST Import and eDiscovery Export, currently don't support Azure ExpressRoute with only Microsoft 365 route filters due to their dependency on Azure Blob Storage (*.blob.core.windows.net). To consume those features, you need separate connectivity to Azure Blob Storage using any supportable Azure connectivity options, which include Internet connectivity or Azure ExpressRoute with Azure Public route filters. You have to evaluate establishing such connectivity for both of those features. The Microsoft 365 Information Protection team is aware of this limitation and is actively working to bring support for Azure ExpressRoute for Microsoft 365 as limited to Microsoft 365 route filters for both of those features.
Related Topics
Additional endpoints not included in the Microsoft 365 IP Address and URL Web service
Managing Microsoft 365 endpoints
General Microsoft Stream endpoints
Monitor Microsoft 365 connectivity
Microsoft Azure IP Ranges and Service Tags – Public Cloud
Microsoft Azure IP Ranges and Service Tags – US Government Cloud