Office 365 URLs and IP address ranges

Summary: Office 365 requires connectivity to the Internet. The endpoints below should be reachable for customers using Office 365 plans, including Government Community Cloud (GCC).

Note

As part of Microsoft's response to the COVID-19 situation, Microsoft has declared a temporary moratorium on some planned URL and IP address changes. This moratorium is intended to provide customer IT teams with confidence and simplicity in implementing recommended network optimizations for work-from-home Office 365 scenarios. From March 24, 2020 through June 30, 2020 this moratorium will halt changes for key Office 365 services (Exchange Online, SharePoint Online, and Microsoft Teams) to IP ranges and URLs included in the Optimize category. Changes within other endpoint categories will occur as usual. During this period, customers can use Office 365 Optimize category service endpoint definitions in a static manner to perform targeted network optimizations (such as bandwidth reservations or split tunnel VPN configuration) with minimal risk to Office 365 connectivity due to cloud-side network changes. To ensure that no service interruptions occur at the end of the moratorium period, Microsoft strongly recommends that customers implement change management and/or automation processes for Office 365 service endpoints using the guidance provided at Managing Office 365 Endpoints.

Note

Microsoft has released a REST-based web service for the IP address and FQDN entries on this page. This new service will help you configure and update network perimeter devices such as firewalls and proxy servers. You can download the list of endpoints, the current version of the list, or specific changes. This service replaces the XML document linked from this page, which was deprecated on October 2, 2018. To try out this new service, go to Web service.


Table 1
Last updated: 03/25/2020 - RSS Change Log subscription
Download: all required and optional destinations in one JSON formatted list.
Use: our proxy PAC files

Start with Managing Office 365 endpoints to understand our recommendations for managing network connectivity using this data. Endpoints data is updated at the beginning of each month, with new IP addresses and URLs published 30 days in advance of being active. This allows customers who do not yet have automated updates to complete their processes before new connectivity is required. Endpoints may also be updated during the month if needed to address support escalations, security incidents, or other immediate operational requirements. All of the data shown below on this page is generated from the REST-based web services. If you are using a script or a network device to access this data, you should go to the Web service directly.

Endpoint data below lists requirements for connectivity from a user's machine to Office 365. It does not include network connections from Microsoft into a customer network, sometimes called hybrid or inbound network connections. See Additional endpoints for more information.

The endpoints are grouped into four service areas. The first three service areas can be independently selected for connectivity. The fourth service area is a common dependency (called Microsoft 365 Common and Office) and must always have network connectivity.

Data columns shown are:

  • ID: The ID number of the row, also known as an endpoint set. This ID is the same as is returned by the web service for the endpoint set.

  • Category: Shows whether the endpoint set is categorized as "Optimize", "Allow", or "Default". You can read about these categories and guidance for management of them at https://aka.ms/pnc. This column also lists which endpoint sets are required to have network connectivity. For endpoint sets which are not required to have network connectivity, we provide notes in this field to indicate what functionality would be missing if the endpoint set is blocked. If you are excluding an entire service area, the endpoint sets listed as required do not require connectivity.

  • ER: This is Yes if the endpoint set is supported over Azure ExpressRoute with Office 365 route prefixes. The BGP community that includes the route prefixes shown aligns with the service area listed. When ER is No, this means that ExpressRoute is not supported for this endpoint set. However, it should not be assumed that no routes are advertised for an endpoint set where ER is No.

  • Addresses: Lists the FQDNs or wildcard domain names and IP Address ranges for the endpoint set. Note that an IP Address range is in CIDR format and may include many individual IP Addresses in the specified network.

  • Ports: Lists the TCP or UDP ports that are combined with the Addresses to form the network endpoint. You may notice some duplication in IP Address ranges where there are different ports listed.
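The column definitions above, applied to firewall and split-tunnel planning, as an added example that is not Microsoft's code. It assumes the downloaded JSON uses the field names shown (id, category, required, urls, ips, tcpPorts, udpPorts); the sample data is constructed from rows 1, 2, 3, 11 and 78 of the tables below with the IP lists shortened.

```python
import ipaddress

# Constructed sample modelled on rows 1, 2, 3, 11 and 78 of this page's tables.
# IP lists are shortened; the field names are an assumption about the JSON feed.
SAMPLE_ENDPOINT_SETS = [
    {"id": 1, "category": "Optimize", "required": True,
     "urls": ["outlook.office.com", "outlook.office365.com"],
     "ips": ["13.107.6.152/31", "40.96.0.0/13", "40.104.0.0/15", "2603:1006::/40"],
     "tcpPorts": "80,443"},
    {"id": 2, "category": "Allow", "required": True,
     "urls": ["smtp.office365.com"],
     "ips": ["13.107.6.152/31", "40.96.0.0/13", "40.104.0.0/15", "2603:1006::/40"],
     "tcpPorts": "587"},
    {"id": 3, "category": "Default", "required": True,
     "urls": ["r1.res.office365.com", "r3.res.office365.com", "r4.res.office365.com"],
     "tcpPorts": "80,443"},
    {"id": 11, "category": "Optimize", "required": True,
     "ips": ["13.107.64.0/18", "52.112.0.0/14", "52.120.0.0/14"],
     "udpPorts": "3478,3479,3480,3481"},
    {"id": 78, "category": "Default", "required": False,
     "urls": ["*.microsoft.com", "*.msocdn.com", "*.office.net", "*.onmicrosoft.com"],
     "tcpPorts": "80,443"},
]


def _ports(value):
    """Turn a comma-separated port string such as "80,443" into sorted ints."""
    return sorted(int(p) for p in value.split(",") if p.strip())


def _collapse(cidrs):
    """De-duplicate and merge CIDR strings, IPv4 first, then IPv6.

    strict=True rejects an entry with host bits set, so a malformed feed
    entry raises instead of silently widening a rule.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    out = []
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        out.extend(str(n) for n in ipaddress.collapse_addresses(same))
    return out


def allow_rules(endpoint_sets, categories=("Optimize", "Allow")):
    """Map (protocol, port) -> CIDRs for required sets in the given categories.

    Addresses only form an endpoint together with their ports, so the same
    range legitimately appears under several ports.
    """
    by_port = {}
    for es in endpoint_sets:
        if es["category"] not in categories or not es.get("required"):
            continue
        for proto, key in (("tcp", "tcpPorts"), ("udp", "udpPorts")):
            for port in _ports(es.get(key, "")):
                by_port.setdefault((proto, port), []).extend(es.get("ips", []))
    return {k: _collapse(v) for k, v in sorted(by_port.items())}


def split_tunnel_routes(endpoint_sets):
    """Collapsed CIDRs of the Optimize category only (split-tunnel candidates)."""
    cidrs = [c for es in endpoint_sets if es["category"] == "Optimize"
             for c in es.get("ips", [])]
    return _collapse(cidrs)


def fqdn_only_sets(endpoint_sets):
    """Sets that publish no IP ranges, as (id, required, wildcard URLs).

    An IP-based firewall cannot match these; they need a proxy or an
    FQDN-aware filter, and the wildcards show how broad that allowance is.
    """
    return [(es["id"], es["required"],
             [u for u in es.get("urls", []) if "*" in u])
            for es in endpoint_sets if not es.get("ips")]


if __name__ == "__main__":
    for (proto, port), cidrs in allow_rules(SAMPLE_ENDPOINT_SETS).items():
        print(f"allow {proto}/{port}: {', '.join(cidrs)}")
    print("split tunnel:", ", ".join(split_tunnel_routes(SAMPLE_ENDPOINT_SETS)))
    for set_id, required, wildcards in fqdn_only_sets(SAMPLE_ENDPOINT_SETS):
        print(f"set {set_id}: FQDN only, required={required}, wildcards={wildcards}")
```

Keeping the rules keyed by port avoids opening every published range on every port, and listing the FQDN-only sets separately shows which optional wildcard allowances (such as ID 78) can be left out.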

Exchange Online

Table 2
ID Category ER Addresses Ports
1 Optimize
Required
Yes outlook.office.com, outlook.office365.com
13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 191.234.140.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2603:1096::/38, 2603:1096:400::/40, 2603:1096:600::/40, 2603:1096:a00::/39, 2603:1096:c00::/40, 2603:10a6:200::/40, 2603:10a6:400::/40, 2603:10a6:600::/40, 2603:10a6:800::/40, 2603:10d6:200::/40, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128, 2a01:111:f400::/48
TCP: 443, 80
2 Allow
Required
Yes smtp.office365.com
13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 191.234.140.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2603:1096::/38, 2603:1096:400::/40, 2603:1096:600::/40, 2603:1096:a00::/39, 2603:1096:c00::/40, 2603:10a6:200::/40, 2603:10a6:400::/40, 2603:10a6:600::/40, 2603:10a6:800::/40, 2603:10d6:200::/40, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128, 2a01:111:f400::/48
TCP: 587
3 Default
Required
No r1.res.office365.com, r3.res.office365.com, r4.res.office365.com TCP: 443, 80
5 Allow
Optional
Notes: Exchange Online IMAP4 migration
Yes *.outlook.office.com, outlook.office365.com
13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 191.234.140.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2603:1096::/38, 2603:1096:400::/40, 2603:1096:600::/40, 2603:1096:a00::/39, 2603:1096:c00::/40, 2603:10a6:200::/40, 2603:10a6:400::/40, 2603:10a6:600::/40, 2603:10a6:800::/40, 2603:10d6:200::/40, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128, 2a01:111:f400::/48
TCP: 143, 993
6 Allow
Optional
Notes: Exchange Online POP3 migration
Yes *.outlook.office.com, outlook.office365.com
13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 191.234.140.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2603:1096::/38, 2603:1096:400::/40, 2603:1096:600::/40, 2603:1096:a00::/39, 2603:1096:c00::/40, 2603:10a6:200::/40, 2603:10a6:400::/40, 2603:10a6:600::/40, 2603:10a6:800::/40, 2603:10d6:200::/40, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128, 2a01:111:f400::/48
TCP: 995
8 Default
Required
No *.outlook.com, *.outlook.office.com, attachments.office.net TCP: 443, 80
9 Allow
Required
Yes *.protection.outlook.com
40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 52.238.78.88/32, 104.47.0.0/17, 2a01:111:f403::/48
TCP: 443
10 Allow
Required
Yes *.mail.protection.outlook.com
40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 104.47.0.0/17, 2a01:111:f400::/48, 2a01:111:f403::/48
TCP: 25
145 Default
Optional
Notes: This Endpoint is used for Telemetry Purposes.
No *.measure.office.com TCP: 443, 80

SharePoint Online and OneDrive for Business

Table 3
ID Category ER Addresses Ports
31 Optimize
Required
Yes <tenant>.sharepoint.com, <tenant>-my.sharepoint.com
13.107.136.0/22, 40.108.128.0/17, 52.104.0.0/14, 104.146.128.0/17, 150.171.40.0/22, 2620:1ec:8f8::/46, 2620:1ec:908::/46, 2a01:111:f402::/48
TCP: 443, 80
32 Default
Optional
Notes: OneDrive for Business: supportability, telemetry, APIs, and embedded email links
No *.log.optimizely.com, click.email.microsoftonline.com, ssw.live.com, storage.live.com TCP: 443
33 Default
Optional
Notes: SharePoint Hybrid Search - Endpoint to SearchContentService where the hybrid crawler feeds documents
No *.search.production.apac.trafficmanager.net, *.search.production.emea.trafficmanager.net, *.search.production.us.trafficmanager.net TCP: 443
35 Default
Required
No *.wns.windows.com, admin.onedrive.com, officeclient.microsoft.com TCP: 443, 80
36 Default
Required
No g.live.com, oneclient.sfx.ms TCP: 443, 80
37 Default
Required
No *.sharepointonline.com, cdn.sharepointonline.com, privatecdn.sharepointonline.com, publiccdn.sharepointonline.com, spoprod-a.akamaihd.net, static.sharepointonline.com TCP: 443, 80
38 Default
Optional
Notes: SharePoint Online: auxiliary URLs
No prod.msocdn.com, watson.telemetry.microsoft.com TCP: 443, 80
39 Default
Required
No *.svc.ms, <tenant>-files.sharepoint.com, <tenant>-myfiles.sharepoint.com TCP: 443, 80

Skype for Business Online and Microsoft Teams

Table 4
ID Category ER Addresses Ports
11 Optimize
Required
Yes 13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14 UDP: 3478, 3479, 3480, 3481
12 Allow
Required
Yes *.lync.com, *.teams.microsoft.com, teams.microsoft.com
13.70.151.216/32, 13.71.127.197/32, 13.72.245.115/32, 13.73.1.120/32, 13.75.126.169/32, 13.89.240.113/32, 13.107.3.0/24, 13.107.64.0/18, 51.140.155.234/32, 51.140.203.190/32, 51.141.51.76/32, 52.112.0.0/14, 52.120.0.0/14, 52.163.126.215/32, 52.170.21.67/32, 52.172.185.18/32, 52.178.94.2/32, 52.178.161.139/32, 52.228.25.96/32, 52.238.119.141/32, 52.242.23.189/32, 52.244.160.207/32, 104.215.11.144/32, 104.215.62.195/32, 138.91.237.237/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2620:1ec:6::/48, 2620:1ec:40::/42
TCP: 443, 80
13 Allow
Required
Yes *.broadcast.skype.com, broadcast.skype.com
13.70.151.216/32, 13.71.127.197/32, 13.72.245.115/32, 13.73.1.120/32, 13.75.126.169/32, 13.89.240.113/32, 13.107.3.0/24, 13.107.64.0/18, 51.140.155.234/32, 51.140.203.190/32, 51.141.51.76/32, 52.112.0.0/14, 52.120.0.0/14, 52.163.126.215/32, 52.170.21.67/32, 52.172.185.18/32, 52.178.94.2/32, 52.178.161.139/32, 52.228.25.96/32, 52.238.119.141/32, 52.242.23.189/32, 52.244.160.207/32, 104.215.11.144/32, 104.215.62.195/32, 138.91.237.237/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2620:1ec:6::/48, 2620:1ec:40::/42
TCP: 443
14 Default
Required
No quicktips.skypeforbusiness.com TCP: 443
15 Default
Required
No *.sfbassets.com, *.urlp.sfbassets.com, skypemaprdsitus.trafficmanager.net TCP: 443, 80
16 Default
Required
No *.keydelivery.mediaservices.windows.net, *.msecnd.net, *.streaming.mediaservices.windows.net, ajax.aspnetcdn.com, mlccdn.blob.core.windows.net TCP: 443
17 Default
Required
No aka.ms, amp.azure.net TCP: 443
18 Default
Optional
Notes: Federation with Skype and public IM connectivity: Contact picture retrieval
No *.users.storage.live.com TCP: 443
19 Default
Optional
Notes: Applies only to those who deploy the Conference Room Systems
No *.adl.windows.com TCP: 443, 80
22 Allow
Optional
Notes: Teams: Messaging interop with Skype for Business
Yes *.skypeforbusiness.com
13.70.151.216/32, 13.71.127.197/32, 13.72.245.115/32, 13.73.1.120/32, 13.75.126.169/32, 13.89.240.113/32, 13.107.3.0/24, 13.107.64.0/18, 51.140.155.234/32, 51.140.203.190/32, 51.141.51.76/32, 52.112.0.0/14, 52.120.0.0/14, 52.163.126.215/32, 52.170.21.67/32, 52.172.185.18/32, 52.178.94.2/32, 52.178.161.139/32, 52.228.25.96/32, 52.238.119.141/32, 52.242.23.189/32, 52.244.160.207/32, 104.215.11.144/32, 104.215.62.195/32, 138.91.237.237/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2620:1ec:6::/48, 2620:1ec:40::/42
TCP: 443
26 Default
Required
No *.msedge.net, compass-ssl.microsoft.com TCP: 443
27 Default
Required
No *.mstea.ms, *.secure.skypeassets.com, mlccdnprod.azureedge.net, videoplayercdn.osi.office.net TCP: 443
29 Default
Optional
Notes: Yammer third-party integration
No *.tenor.com TCP: 443, 80
127 Default
Required
No *.skype.com TCP: 443, 80
146 Default
Required
No statics.teams.microsoft.com TCP: 443

Microsoft 365 Common and Office Online

Table 5
ID Category ER Addresses Ports
40 Default
Optional
Notes: Office 365 Video CDNs
No ajax.aspnetcdn.com, r3.res.outlook.com, spoprod-a.akamaihd.net TCP: 443
41 Default
Optional
Notes: Microsoft Stream
No *.api.microsoftstream.com, *.notification.api.microsoftstream.com, amp.azure.net, api.microsoftstream.com, az416426.vo.msecnd.net, s0.assets-yammer.com, vortex.data.microsoft.com, web.microsoftstream.com TCP: 443
42 Default
Optional
Notes: Microsoft Stream CDN
No amsglob0cdnstream11.azureedge.net, amsglob0cdnstream12.azureedge.net TCP: 443
43 Default
Optional
Notes: Microsoft Stream 3rd party integration (including CDNs)
No nps.onyx.azure.net TCP: 443
44 Default
Optional
Notes: Microsoft Stream - unauthenticated
No *.azureedge.net, *.media.azure.net, *.streaming.mediaservices.windows.net TCP: 443
45 Default
Optional
Notes: Office 365 Video
No *.keydelivery.mediaservices.windows.net, *.streaming.mediaservices.windows.net TCP: 443
46 Allow
Required
Yes *.online.office.com, *broadcast.officeapps.live.com, *excel.officeapps.live.com, *onenote.officeapps.live.com, *powerpoint.officeapps.live.com, *rtc.officeapps.live.com, *shared.officeapps.live.com, *view.officeapps.live.com, *visio.officeapps.live.com, *word-edit.officeapps.live.com, *word-view.officeapps.live.com, office.live.com
13.107.6.171/32, 13.107.140.6/32, 52.108.0.0/14, 52.238.106.116/32, 52.247.150.191/32, 2603:1010:2::cb/128, 2603:1010:200::c7/128, 2603:1020:200::682f:a0fd/128, 2603:1020:201:9::c6/128, 2603:1020:600::a1/128, 2603:1020:700::a2/128, 2603:1020:800:2::6/128, 2603:1020:900::8/128, 2603:1030:7::749/128, 2603:1030:800:5::bfee:ad3c/128, 2603:1030:f00::17/128, 2603:1030:1000::21a/128, 2603:1040:200::4f3/128, 2603:1040:401::762/128, 2603:1040:601::60f/128, 2603:1040:a01::1e/128, 2603:1040:c01::28/128, 2603:1040:e00:1::2f/128, 2603:1040:f00::1f/128, 2603:1050:1::cd/128, 2620:1ec:8fc::6/128, 2620:1ec:a92::171/128, 2a01:111:f100:2000::a83e:3019/128, 2a01:111:f100:2002::8975:2d79/128, 2a01:111:f100:2002::8975:2da8/128, 2a01:111:f100:7000::6fdd:6cd5/128, 2a01:111:f100:a004::bfeb:88cf/128
TCP: 443
47 Default
Required
No *.cdn.office.net, contentstorage.osi.office.net TCP: 443
49 Default
Required
No *.onenote.com TCP: 443
50 Default
Optional
Notes: OneNote notebooks (wildcards)
No *.microsoft.com, *.msecnd.net, *.office.net TCP: 443
51 Default
Required
No *cdn.onenote.net TCP: 443
52 Default
Optional
Notes: OneNote 3rd party supporting services and CDNs
No ad.atdmt.com, s.ytimg.com, www.youtube.com TCP: 443
53 Default
Required
No ajax.aspnetcdn.com, apis.live.net, cdn.optimizely.com, officeapps.live.com, www.onedrive.com TCP: 443
54 Default
Required
No ccs.login.microsoftonline.com TCP: 443, 80
56 Allow
Required
Yes *.msappproxy.net, *.msftidentity.com, *.msidentity.com, account.activedirectory.windowsazure.com, accounts.accesscontrol.windows.net, adminwebservice.microsoftonline.com, api.passwordreset.microsoftonline.com, autologon.microsoftazuread-sso.com, becws.microsoftonline.com, clientconfig.microsoftonline-p.net, companymanager.microsoftonline.com, device.login.microsoftonline.com, graph.microsoft.com, graph.windows.net, login.microsoft.com, login.microsoftonline.com, login.microsoftonline-p.com, login.windows.net, logincert.microsoftonline.com, loginex.microsoftonline.com, login-us.microsoftonline.com, nexus.microsoftonline-p.com, passwordreset.microsoftonline.com, provisioningapi.microsoftonline.com
20.190.128.0/18, 40.126.0.0/18, 2603:1006:2000::/48, 2603:1007:200::/48, 2603:1016:1400::/48, 2603:1017::/48, 2603:1026:3000::/48, 2603:1027:1::/48, 2603:1036:3000::/48, 2603:1037:1::/48, 2603:1046:2000::/48, 2603:1047:1::/48, 2603:1056:2000::/48, 2603:1057:2::/48
TCP: 443, 80
59 Default
Required
No *.microsoftonline.com, *.microsoftonline-p.com, *.msauth.net, *.msauthimages.net, *.msecnd.net, *.msftauth.net, *.msftauthimages.net, *.phonefactor.net, enterpriseregistration.windows.net, management.azure.com, policykeyservice.dc.ad.msft.net, secure.aadcdn.microsoftonline-p.com TCP: 443, 80
64 Allow
Required
Yes *.manage.office.com, *.protection.office.com, manage.office.com, protection.office.com
13.80.125.22/32, 13.91.91.243/32, 13.107.6.156/31, 13.107.7.190/31, 13.107.9.156/31, 40.81.156.154/32, 40.90.218.198/32, 52.108.0.0/14, 52.174.56.180/32, 52.183.75.62/32, 52.184.165.82/32, 104.42.230.91/32, 157.55.145.0/25, 157.55.155.0/25, 157.55.227.192/26, 2603:1006:1400::/40, 2603:1016:2400::/40, 2603:1020:400::26/128, 2603:1020:600::1f0/128, 2603:1026:2400::/40, 2603:1036:2400::/40, 2603:1040:400::5e/128, 2603:1046:1400::/40, 2603:1056:1400::/40, 2a01:111:200a:a::/64, 2a01:111:2035:8::/64, 2a01:111:f100:1002::4134:c440/128, 2a01:111:f100:2002::8975:2d98/128, 2a01:111:f100:3000::a83e:1884/128, 2a01:111:f100:3002::8987:3552/128, 2a01:111:f100:4002::9d37:c021/128, 2a01:111:f100:4002::9d37:c3de/128, 2a01:111:f100:6000::4134:b84b/128, 2a01:111:f100:7000::6fdd:6fc4/128, 2a01:111:f100:8000::4134:941b/128, 2a01:111:f406:1::/64, 2a01:111:f406:c00::/64, 2a01:111:f406:1004::/64, 2a01:111:f406:1805::/64, 2a01:111:f406:3404::/64, 2a01:111:f406:8000::/64, 2a01:111:f406:8801::/64, 2a01:111:f406:a003::/64
TCP: 443
65 Allow
Required
Yes *.portal.cloudappsecurity.com, account.office.net, admin.microsoft.com, home.office.com, portal.office.com, www.office.com
13.80.125.22/32, 13.91.91.243/32, 13.107.6.156/31, 13.107.7.190/31, 13.107.9.156/31, 40.81.156.154/32, 40.90.218.198/32, 52.108.0.0/14, 52.174.56.180/32, 52.183.75.62/32, 52.184.165.82/32, 104.42.230.91/32, 157.55.145.0/25, 157.55.155.0/25, 157.55.227.192/26, 2603:1006:1400::/40, 2603:1016:2400::/40, 2603:1020:400::26/128, 2603:1020:600::1f0/128, 2603:1026:2400::/40, 2603:1036:2400::/40, 2603:1040:400::5e/128, 2603:1046:1400::/40, 2603:1056:1400::/40, 2a01:111:200a:a::/64, 2a01:111:2035:8::/64, 2a01:111:f100:1002::4134:c440/128, 2a01:111:f100:2002::8975:2d98/128, 2a01:111:f100:3000::a83e:1884/128, 2a01:111:f100:3002::8987:3552/128, 2a01:111:f100:4002::9d37:c021/128, 2a01:111:f100:4002::9d37:c3de/128, 2a01:111:f100:6000::4134:b84b/128, 2a01:111:f100:7000::6fdd:6fc4/128, 2a01:111:f100:8000::4134:941b/128, 2a01:111:f406:1::/64, 2a01:111:f406:c00::/64, 2a01:111:f406:1004::/64, 2a01:111:f406:1805::/64, 2a01:111:f406:3404::/64, 2a01:111:f406:8000::/64, 2a01:111:f406:8801::/64, 2a01:111:f406:a003::/64
TCP: 443, 80
66 Default
Required
No apc.delve.office.com, aus.delve.office.com, can.delve.office.com, delve.office.com, delve-gcc.office.com, eur.delve.office.com, gbr.delve.office.com, ind.delve.office.com, jpn.delve.office.com, kor.delve.office.com, lam.delve.office.com, nam.delve.office.com, suite.office.net, webshell.suite.office.com TCP: 443
67 Default
Optional
Notes: Security and Compliance Center eDiscovery export
No *.blob.core.windows.net TCP: 443
68 Default
Optional
Notes: Portal and shared: 3rd party office integration. (including CDNs)
No *.helpshift.com, *.localytics.com, analytics.localytics.com, api.localytics.com, connect.facebook.net, firstpartyapps.oaspapps.com, outlook.uservoice.com, prod.firstpartyapps.oaspapps.com.akadns.net, rink.hockeyapp.net, sdk.hockeyapp.net, telemetryservice.firstpartyapps.oaspapps.com, web.localytics.com, webanalytics.localytics.com, wus-firstpartyapps.oaspapps.com TCP: 443
69 Default
Required
No *.aria.microsoft.com, *.events.data.microsoft.com TCP: 443
70 Default
Required
No *.o365weve.com, amp.azure.net, appsforoffice.microsoft.com, assets.onestore.ms, auth.gfx.ms, az826701.vo.msecnd.net, c1.microsoft.com, client.hip.live.com, contentstorage.osi.office.net, dgps.support.microsoft.com, docs.microsoft.com, msdn.microsoft.com, platform.linkedin.com, prod.msocdn.com, products.office.com, r1.res.office365.com, r4.res.office365.com, res.delve.office.com, shellprod.msocdn.com, support.content.office.net, support.microsoft.com, support.office.com, technet.microsoft.com, templates.office.com, videocontent.osi.office.net, videoplayercdn.osi.office.net TCP: 443
71 Default
Required
No *.office365.com TCP: 443
72 Default
Optional
Notes: Azure Rights Management (RMS) with Office 2010 clients
No *.cloudapp.net TCP: 443
73 Default
Required
No *.aadrm.com, *.azurerms.com, *.informationprotection.azure.com, ecn.dev.virtualearth.net, informationprotection.hosting.portal.azure.net TCP: 443
74 Default
Optional
Notes: Remote Connectivity Analyzer - Initiate connectivity tests.
No testconnectivity.microsoft.com TCP: 443, 80
75 Default
Optional
Notes: Graph.windows.net, Office 365 Management Pack for Operations Manager, SecureScore, Azure AD Device Registration, Forms, StaffHub, Application Insights, captcha services
No *.hockeyapp.net, *.sharepointonline.com, *.staffhub.office.com, api.office.com, cdn.forms.office.net, dc.applicationinsights.microsoft.com, dc.services.visualstudio.com, forms.microsoft.com, forms.office.com, mem.gfx.ms, office365servicehealthcommunications.cloudapp.net, securescore.office.com, signup.microsoft.com, staffhub.ms, staffhub.office.com, staffhub.uservoice.com, staffhubweb.azureedge.net, watson.telemetry.microsoft.com TCP: 443
76 Default
Optional
Notes: Microsoft Azure RemoteApp
No vortex.data.microsoft.com TCP: 443
77 Allow
Required
Yes nexus.officeapps.live.com, nexusrules.officeapps.live.com, portal.microsoftonline.com
13.107.6.171/32, 13.107.140.6/32, 52.108.0.0/14, 52.238.106.116/32, 52.247.150.191/32, 2603:1010:2::cb/128, 2603:1010:200::c7/128, 2603:1020:200::682f:a0fd/128, 2603:1020:201:9::c6/128, 2603:1020:600::a1/128, 2603:1020:700::a2/128, 2603:1020:800:2::6/128, 2603:1020:900::8/128, 2603:1030:7::749/128, 2603:1030:800:5::bfee:ad3c/128, 2603:1030:f00::17/128, 2603:1030:1000::21a/128, 2603:1040:200::4f3/128, 2603:1040:401::762/128, 2603:1040:601::60f/128, 2603:1040:a01::1e/128, 2603:1040:c01::28/128, 2603:1040:e00:1::2f/128, 2603:1040:f00::1f/128, 2603:1050:1::cd/128, 2620:1ec:8fc::6/128, 2620:1ec:a92::171/128, 2a01:111:f100:2000::a83e:3019/128, 2a01:111:f100:2002::8975:2d79/128, 2a01:111:f100:2002::8975:2da8/128, 2a01:111:f100:7000::6fdd:6cd5/128, 2a01:111:f100:a004::bfeb:88cf/128
TCP: 443
78 Default
Optional
Notes: Some Office 365 features require endpoints within these domains (including CDNs). Many specific FQDNs within these wildcards have been published recently as we work to either remove or better explain our guidance relating to these wildcards.
No *.microsoft.com, *.msocdn.com, *.office.net, *.onmicrosoft.com TCP: 443, 80
79 Default
Required
No o15.officeredir.microsoft.com, ocsredir.officeapps.live.com, officepreviewredir.microsoft.com, officeredir.microsoft.com, r.office.microsoft.com TCP: 443, 80
80 Default
Required
No ocws.officeapps.live.com TCP: 443
81 Default
Required
No odc.officeapps.live.com TCP: 443, 80
82 Default
Required
No roaming.officeapps.live.com TCP: 443, 80
83 Default
Required
No activation.sls.microsoft.com TCP: 443
84 Default
Required
No crl.microsoft.com TCP: 443, 80
85 Default
Required
No ols.officeapps.live.com TCP: 443
86 Default
Required
No office15client.microsoft.com, officeclient.microsoft.com TCP: 443
87 Default
Required
No ocsa.officeapps.live.com TCP: 443, 80
88 Default
Required
No insertmedia.bing.office.net TCP: 443, 80
89 Default
Required
No go.microsoft.com, support.office.com TCP: 443, 80
90 Default
Required
No mrodevicemgr.officeapps.live.com TCP: 443
91 Default
Required
No ajax.aspnetcdn.com, cdn.odc.officeapps.live.com TCP: 443, 80
92 Default
Required
No officecdn.microsoft.com, officecdn.microsoft.com.edgesuite.net TCP: 443, 80
93 Default
Optional
Notes: ProPlus: auxiliary URLs
No ajax.microsoft.com, c.bing.net, excelbingmap.firstpartyapps.oaspapps.com, excelcs.officeapps.live.com, ocos-office365-s2s.msedge.net, omextemplates.content.office.net, peoplegraph.firstpartyapps.oaspapps.com, pptcs.officeapps.live.com, store.office.com, templateservice.office.com, tse1.mm.bing.net, uci.officeapps.live.com, watson.microsoft.com, wikipedia.firstpartyapps.oaspapps.com, wordcs.officeapps.live.com, www.bing.com TCP: 443, 80
95 Default
Optional
Notes: Outlook for Android and iOS
No *.acompli.net, *.outlookmobile.com TCP: 443
96 Default
Optional
Notes: Outlook for Android and iOS: Authentication
No *.manage.microsoft.com, api.office.com, go.microsoft.com, login.windows-ppe.net, secure.aadcdn.microsoftonline-p.com, vortex.data.microsoft.com TCP: 443
97 Default
Optional
Notes: Outlook for Android and iOS: Consumer Outlook.com and OneDrive integration
No account.live.com, apis.live.net, auth.gfx.ms, login.live.com TCP: 443
98 Default
Optional
Notes: Outlook for Android and iOS: Google integration
No accounts.google.com, mail.google.com, www.googleapis.com TCP: 443
99 Default
Optional
Notes: Outlook for Android and iOS: Yahoo integration
No api.login.yahoo.com, social.yahooapis.com TCP: 443
100 Default
Optional
Notes: Outlook for Android and iOS: DropBox integration
No api.dropboxapi.com, www.dropbox.com TCP: 443
101 Default
Optional
Notes: Outlook for Android and iOS: Box integration
No app.box.com TCP: 443
102 Default
Optional
Notes: Outlook for Android and iOS: Facebook integration
No graph.facebook.com, m.facebook.com TCP: 443
103 Default
Optional
Notes: Outlook for Android and iOS: Evernote integration
No www.evernote.com TCP: 443
104 Default
Optional
Notes: Outlook for Android and iOS: WunderList integration
No a.wunderlist.com, www.wunderlist.com TCP: 443
105 Default
Optional
Notes: Outlook for Android and iOS: Outlook Privacy
No bit.ly, www.acompli.com TCP: 443
106 Default
Optional
Notes: Outlook for Android and iOS: User voice integration
No by.uservoice.com, outlook.uservoice.com TCP: 443
107 Default
Optional
Notes: Outlook for Android and iOS: Log upload integration
No api.diagnostics.office.com TCP: 443
109 Default
Optional
Notes: Outlook for Android and iOS: Flurry log integration
No data.flurry.com TCP: 443
110 Default
Optional
Notes: Outlook for Android and iOS: Adjust integration
No app.adjust.com TCP: 443
111 Default
Optional
Notes: Outlook for Android and iOS: Hockey log integration
No rink.hockeyapp.net, sdk.hockeyapp.net TCP: 443
112 Default
Optional
Notes: Outlook for Android and iOS: Helpshift integration
No acompli.helpshift.com TCP: 443
113 Default
Optional
Notes: Outlook for Android and iOS: Play Store integration (Android only)
No play.google.com TCP: 443
114 Default
Optional
Notes: Office Mobile URLs
No *.appex.bing.com, *.appex-rf.msn.com, *.itunes.apple.com, c.bing.com, c.live.com, cl2.apple.com, client.hip.live.com, d.docs.live.net, directory.services.live.com, docs.live.net, en-us.appex-rf.msn.com, foodanddrink.services.appex.bing.com, odcsm.officeapps.live.com, office.microsoft.com, officeimg.vo.msecnd.net, partnerservices.getmicrosoftkey.com, roaming.officeapps.live.com, sas.office.microsoft.com, signup.live.com, view.atdmt.com, watson.telemetry.microsoft.com, weather.tile.appex.bing.com TCP: 443, 80
115 Default
Optional
Notes: Outlook for Android and iOS: Meetup integration
No api.meetup.com, secure.meetup.com TCP: 443
116 Default
Optional
Notes: Office for iPad URLs
No account.live.com, auth.gfx.ms, c.bing.com, c.live.com, cl2.apple.com, client.hip.live.com, directory.services.live.com, docs.live.net, en-us.appex-rf.msn.com, foodanddrink.services.appex.bing.com, go.microsoft.com, login.live.com, office.microsoft.com, officeimg.vo.msecnd.net, p100-sandbox.itunes.apple.com, partnerservices.getmicrosoftkey.com, roaming.officeapps.live.com, sas.office.microsoft.com, signup.live.com, view.atdmt.com, watson.telemetry.microsoft.com, weather.tile.appex.bing.com TCP: 443, 80
117 Default
Optional
Notes: Yammer
No *.yammer.com, *.yammerusercontent.com TCP: 443
118 Default
Optional
Notes: Yammer CDN
No *.assets-yammer.com TCP: 443
119 Default
Optional
Notes: Planner
No tasks.office.com TCP: 443
120 Default
Optional
Notes: Planner CDNs
No ajax.aspnetcdn.com TCP: 443
121 Default
Optional
Notes: Planner: auxiliary URLs
No www.outlook.com TCP: 443, 80
122 Default
Optional
Notes: Sway CDNs
No eus-www.sway-cdn.com, eus-www.sway-extensions.com, wus-www.sway-cdn.com, wus-www.sway-extensions.com TCP: 443
123 Default
Optional
Notes: Sway website analytics
No www.google-analytics.com TCP: 443
124 Default
Optional
Notes: Sway
No sway.com, sway.office.com, www.sway.com TCP: 443
125 Default
Required
No *.entrust.net, *.geotrust.com, *.omniroot.com, *.public-trust.com, *.symcb.com, *.symcd.com, *.verisign.com, *.verisign.net, aia.entrust.net, apps.identrust.com, cacert.a.omniroot.com, cacert.omniroot.com, cacerts.digicert.com, cdp1.public-trust.com, cert.int-x3.letsencrypt.org, crl.entrust.net, crl.globalsign.com, crl.globalsign.net, crl.identrust.com, crl.microsoft.com, crl3.digicert.com, crl4.digicert.com, evintl-aia.verisign.com, evintl-crl.verisign.com, evintl-ocsp.verisign.com, evsecure-aia.verisign.com, evsecure-crl.verisign.com, evsecure-ocsp.verisign.com, isrg.trustid.ocsp.identrust.com, mscrl.microsoft.com, ocsp.digicert.com, ocsp.entrust.net, ocsp.globalsign.com, ocsp.int-x3.letsencrypt.org, ocsp.msocsp.com, ocsp.omniroot.com, ocsp2.globalsign.com, ocspx.digicert.com, s1.symcb.com, s2.symcb.com, sa.symcb.com, sd.symcb.com, secure.globalsign.com, sr.symcb.com, sr.symcd.com, su.symcb.com, su.symcd.com, vassg142.crl.omniroot.com, vassg142.ocsp.omniroot.com, www.digicert.com, www.microsoft.com TCP: 443, 80
126 Default
Optional
Notes: Connection to the speech service is required for Office Dictation features. If connectivity is not allowed, Dictation will be disabled.
No officespeech.platform.bing.com TCP: 443
128 Default
Optional
Notes: Blocking this endpoint will affect Office 365 ProPlus and other Click-to-Run deployment features, including deployment via Configuration Manager and Intune as well as Office policy management.
No *.manage.microsoft.com, *.officeconfig.msocdn.com, config.office.com TCP: 443
130 Default
Required
No *.loki.delve.office.com, loki.delve.office.com, loki.delve-gcc.office.com, lpcres.delve.office.com TCP: 443
147 Default
Required
No *.office.com TCP: 443, 80
148 Default
Required
No cdnprod.myanalytics.microsoft.com, myanalytics.microsoft.com, myanalytics-gcc.microsoft.com TCP: 443, 80
149 Default
Required
No workplaceanalytics.cdn.office.net, workplaceanalytics.office.com TCP: 443, 80

Note

For recommendations on Yammer IP addresses and URLs, see this blog post.
