How to find out Microsoft 365 FQDN and IP range

Quoted from Microsoft:

Exchange Online

Expand table

IDCategoryERAddressesPorts
1Optimize
Required
Yesoutlook.office.com, outlook.office365.com
13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128
TCP: 443, 80
UDP: 443
2Allow
Optional
Notes: POP3, IMAP4, SMTP Client traffic
Yesoutlook.office365.com, smtp.office365.com
13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128
TCP: 587, 993, 995, 143
8Default
Required
No*.outlook.com, autodiscover.<tenant>.onmicrosoft.comTCP: 443, 80
9Allow
Required
Yes*.protection.outlook.com
40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 52.238.78.88/32, 104.47.0.0/17, 2a01:111:f400::/48, 2a01:111:f403::/48
TCP: 443
10Allow
Required
Yes*.mail.protection.outlook.com
40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 104.47.0.0/17, 2a01:111:f400::/48, 2a01:111:f403::/48
TCP: 25

SharePoint Online and OneDrive for Business

Expand table

IDCategoryERAddressesPorts
31Optimize
Required
Yes*.sharepoint.com
13.107.136.0/22, 40.108.128.0/17, 52.104.0.0/14, 104.146.128.0/17, 150.171.40.0/22, 2603:1061:1300::/40, 2620:1ec:8f8::/46, 2620:1ec:908::/46, 2a01:111:f402::/48
TCP: 443, 80
32Default
Optional
Notes: OneDrive for Business: supportability, telemetry, APIs, and embedded email links
Nossw.live.com, storage.live.comTCP: 443
33Default
Optional
Notes: SharePoint Hybrid Search – Endpoint to SearchContentService where the hybrid crawler feeds documents
No*.search.production.apac.trafficmanager.net, *.search.production.emea.trafficmanager.net, *.search.production.us.trafficmanager.netTCP: 443
35Default
Required
No*.wns.windows.com, admin.onedrive.com, officeclient.microsoft.comTCP: 443, 80
36Default
Required
Nog.live.com, oneclient.sfx.msTCP: 443, 80
37Default
Required
No*.sharepointonline.com, spoprod-a.akamaihd.netTCP: 443, 80
39Default
Required
No*.svc.msTCP: 443, 80

Skype for Business Online and Microsoft Teams

Expand table

IDCategoryERAddressesPorts
11Optimize
Required
Yes13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15, 2603:1063::/38UDP: 3478, 3479, 3480, 3481
12Allow
Required
Yes*.lync.com, *.teams.microsoft.com, teams.microsoft.com
13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15, 52.238.119.141/32, 52.244.160.207/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2603:1063::/38, 2620:1ec:6::/48, 2620:1ec:40::/42
TCP: 443, 80
16Default
Required
No*.keydelivery.mediaservices.windows.net, *.streaming.mediaservices.windows.net, mlccdn.blob.core.windows.netTCP: 443
17Default
Required
Noaka.msTCP: 443
18Default
Optional
Notes: Federation with Skype and public IM connectivity: Contact picture retrieval
No*.users.storage.live.comTCP: 443
19Default
Optional
Notes: Applies only to those who deploy the Conference Room Systems
Noadl.windows.comTCP: 443, 80
27Default
Required
No*.secure.skypeassets.com, mlccdnprod.azureedge.netTCP: 443
127Default
Required
No*.skype.comTCP: 443, 80
180Default
Required
Nocompass-ssl.microsoft.comTCP: 443

Microsoft 365 Common and Office Online

Expand table

IDCategoryERAddressesPorts
41Default
Optional
Notes: Microsoft Stream
No*.microsoftstream.comTCP: 443
43Default
Optional
Notes: Microsoft Stream 3rd party integration (including CDNs)
Nonps.onyx.azure.netTCP: 443
44Default
Optional
Notes: Microsoft Stream – unauthenticated
No*.azureedge.net, *.media.azure.net, *.streaming.mediaservices.windows.netTCP: 443
45Default
Optional
Notes: Microsoft Stream
No*.keydelivery.mediaservices.windows.netTCP: 443
46Allow
Required
Yes*.officeapps.live.com, *.online.office.com, office.live.com
13.107.6.171/32, 13.107.18.15/32, 13.107.140.6/32, 52.108.0.0/14, 52.244.37.168/32, 2603:1006:1400::/40, 2603:1016:2400::/40, 2603:1026:2400::/40, 2603:1036:2400::/40, 2603:1046:1400::/40, 2603:1056:1400::/40, 2603:1063:2000::/38, 2620:1ec:c::15/128, 2620:1ec:8fc::6/128, 2620:1ec:a92::171/128, 2a01:111:f100:2000::a83e:3019/128, 2a01:111:f100:2002::8975:2d79/128, 2a01:111:f100:2002::8975:2da8/128, 2a01:111:f100:7000::6fdd:6cd5/128, 2a01:111:f100:a004::bfeb:88cf/128
TCP: 443, 80
47Default
Required
No*.office.netTCP: 443, 80
49Default
Required
No*.onenote.comTCP: 443
50Default
Optional
Notes: OneNote notebooks (wildcards)
No*.microsoft.comTCP: 443
51Default
Required
No*cdn.onenote.netTCP: 443
53Default
Required
Noajax.aspnetcdn.com, apis.live.net, officeapps.live.com, www.onedrive.comTCP: 443
56Allow
Required
Yes*.auth.microsoft.com, *.msftidentity.com, *.msidentity.com, account.activedirectory.windowsazure.com, accounts.accesscontrol.windows.net, adminwebservice.microsoftonline.com, api.passwordreset.microsoftonline.com, autologon.microsoftazuread-sso.com, becws.microsoftonline.com, ccs.login.microsoftonline.com, clientconfig.microsoftonline-p.net, companymanager.microsoftonline.com, device.login.microsoftonline.com, graph.microsoft.com, graph.windows.net, login.microsoft.com, login.microsoftonline.com, login.microsoftonline-p.com, login.windows.net, logincert.microsoftonline.com, loginex.microsoftonline.com, login-us.microsoftonline.com, nexus.microsoftonline-p.com, passwordreset.microsoftonline.com, provisioningapi.microsoftonline.com
20.20.32.0/19, 20.190.128.0/18, 20.231.128.0/19, 40.126.0.0/18, 2603:1006:2000::/48, 2603:1007:200::/48, 2603:1016:1400::/48, 2603:1017::/48, 2603:1026:3000::/48, 2603:1027:1::/48, 2603:1036:3000::/48, 2603:1037:1::/48, 2603:1046:2000::/48, 2603:1047:1::/48, 2603:1056:2000::/48, 2603:1057:2::/48
TCP: 443, 80
59Default
Required
No*.hip.live.com, *.microsoftonline.com, *.microsoftonline-p.com, *.msauth.net, *.msauthimages.net, *.msecnd.net, *.msftauth.net, *.msftauthimages.net, *.phonefactor.net, enterpriseregistration.windows.net, policykeyservice.dc.ad.msft.netTCP: 443, 80
64Allow
Required
Yes*.compliance.microsoft.com, *.protection.office.com, *.security.microsoft.com, compliance.microsoft.com, defender.microsoft.com, protection.office.com, security.microsoft.com
13.107.6.192/32, 13.107.9.192/32, 52.108.0.0/14, 2620:1ec:4::192/128, 2620:1ec:a92::192/128
TCP: 443
66Default
Required
No*.portal.cloudappsecurity.comTCP: 443
67Default
Optional
Notes: Security and Compliance Center eDiscovery export
No*.blob.core.windows.netTCP: 443
68Default
Optional
Notes: Portal and shared: 3rd party office integration. (including CDNs)
Nofirstpartyapps.oaspapps.com, prod.firstpartyapps.oaspapps.com.akadns.net, telemetryservice.firstpartyapps.oaspapps.com, wus-firstpartyapps.oaspapps.comTCP: 443
69Default
Required
No*.aria.microsoft.com, *.events.data.microsoft.comTCP: 443
70Default
Required
No*.o365weve.com, amp.azure.net, appsforoffice.microsoft.com, assets.onestore.ms, auth.gfx.ms, c1.microsoft.com, dgps.support.microsoft.com, docs.microsoft.com, msdn.microsoft.com, platform.linkedin.com, prod.msocdn.com, shellprod.msocdn.com, support.microsoft.com, technet.microsoft.comTCP: 443
71Default
Required
No*.office365.comTCP: 443, 80
73Default
Required
No*.aadrm.com, *.azurerms.com, *.informationprotection.azure.com, ecn.dev.virtualearth.net, informationprotection.hosting.portal.azure.netTCP: 443
75Default
Optional
Notes: Graph.windows.net, Office 365 Management Pack for Operations Manager, SecureScore, Azure AD Device Registration, Forms, StaffHub, Application Insights, captcha services
No*.sharepointonline.com, dc.services.visualstudio.com, mem.gfx.ms, staffhub.msTCP: 443
78Default
Optional
Notes: Some Office 365 features require endpoints within these domains (including CDNs). Many specific FQDNs within these wildcards have been published recently as we work to either remove or better explain our guidance relating to these wildcards.
No*.microsoft.com, *.msocdn.com, *.onmicrosoft.comTCP: 443, 80
79Default
Required
Noo15.officeredir.microsoft.com, officepreviewredir.microsoft.com, officeredir.microsoft.com, r.office.microsoft.comTCP: 443, 80
83Default
Required
Noactivation.sls.microsoft.comTCP: 443
84Default
Required
Nocrl.microsoft.comTCP: 443, 80
86Default
Required
Nooffice15client.microsoft.com, officeclient.microsoft.comTCP: 443
89Default
Required
Nogo.microsoft.comTCP: 443, 80
91Default
Required
Noajax.aspnetcdn.com, cdn.odc.officeapps.live.comTCP: 443, 80
92Default
Required
Noofficecdn.microsoft.com, officecdn.microsoft.com.edgesuite.net, otelrules.azureedge.netTCP: 443, 80
93Default
Optional
Notes: ProPlus: auxiliary URLs
No*.virtualearth.net, c.bing.net, ocos-office365-s2s.msedge.net, tse1.mm.bing.net, www.bing.comTCP: 443, 80
95Default
Optional
Notes: Outlook for Android and iOS
No*.acompli.net, *.outlookmobile.comTCP: 443
96Default
Optional
Notes: Outlook for Android and iOS: Authentication
Nologin.windows-ppe.netTCP: 443
97Default
Optional
Notes: Outlook for Android and iOS: Consumer Outlook.com and OneDrive integration
Noaccount.live.com, login.live.comTCP: 443
105Default
Optional
Notes: Outlook for Android and iOS: Outlook Privacy
Nowww.acompli.comTCP: 443
114Default
Optional
Notes: Office Mobile URLs
No*.appex.bing.com, *.appex-rf.msn.com, c.bing.com, c.live.com, d.docs.live.net, docs.live.net, partnerservices.getmicrosoftkey.com, signup.live.comTCP: 443, 80
116Default
Optional
Notes: Office for iPad URLs
Noaccount.live.com, auth.gfx.ms, login.live.comTCP: 443, 80
117Default
Optional
Notes: Yammer
No*.yammer.com, *.yammerusercontent.comTCP: 443
118Default
Optional
Notes: Yammer CDN
No*.assets-yammer.comTCP: 443
121Default
Optional
Notes: Planner: auxiliary URLs
Nowww.outlook.comTCP: 443, 80
122Default
Optional
Notes: Sway CDNs
Noeus-www.sway-cdn.com, eus-www.sway-extensions.com, wus-www.sway-cdn.com, wus-www.sway-extensions.comTCP: 443
124Default
Optional
Notes: Sway
Nosway.com, www.sway.comTCP: 443
125Default
Required
No*.entrust.net, *.geotrust.com, *.omniroot.com, *.public-trust.com, *.symcb.com, *.symcd.com, *.verisign.com, *.verisign.net, apps.identrust.com, cacerts.digicert.com, cert.int-x3.letsencrypt.org, crl.globalsign.com, crl.globalsign.net, crl.identrust.com, crl3.digicert.com, crl4.digicert.com, isrg.trustid.ocsp.identrust.com, mscrl.microsoft.com, ocsp.digicert.com, ocsp.globalsign.com, ocsp.msocsp.com, ocsp2.globalsign.com, ocspx.digicert.com, secure.globalsign.com, www.digicert.com, www.microsoft.comTCP: 443, 80
126Default
Optional
Notes: Connection to the speech service is required for Office Dictation features. If connectivity is not allowed, Dictation will be disabled.
Noofficespeech.platform.bing.comTCP: 443
147Default
Required
No*.office.com, www.microsoft365.comTCP: 443, 80
152Default
Optional
Notes: These endpoints enables the Office Scripts functionality in Office clients available through the Automate tab. This feature can also be disabled through the Office 365 Admin portal.
No*.microsoftusercontent.comTCP: 443
153Default
Required
No*.azure-apim.net, *.flow.microsoft.com, *.powerapps.com, *.powerautomate.comTCP: 443
156Default
Required
No*.activity.windows.com, activity.windows.comTCP: 443
158Default
Required
No*.cortana.aiTCP: 443
159Default
Required
Noadmin.microsoft.comTCP: 443, 80
160Default
Required
Nocdn.odc.officeapps.live.com, cdn.uci.officeapps.live.comTCP: 443, 80
184Default
Required
No*.cloud.microsoft, *.static.microsoft, *.usercontent.microsoftTCP: 443, 80

 Note

Published by

Bob Lin

Bob Lin, Chicagotech-MVP, MCSE & CNE Data recovery, Windows OS Recovery, Networking, and Computer Troubleshooting on http://www.ChicagoTech.net How to Install and Configure Windows, VMware, Virtualization and Cisco on http://www.HowToNetworking.com