Microsoft 365 URLs and IP address ranges

46 allow
require Yes *.officeapps.live.com, *.online.office.com, office.live.com
13.107.6.171/32, 13.107.18.15/32, 13.107.140.6/32, 52.108.0.0/14, 52.244.37.168/32, 2603:1006:1400::/40, 2603:1016:2400::/40, 2603:1026:2400::/40, 2603:1036:2400::/40, 2603:1046:1400::/40, 2603:1056:1400::/40, 2603:1063:2000::/38, 2620:1ec:c::15/128, 2620:1ec:8fc::6/128, 2620:1ec:a92::171/128, 2a01:111:f100:2000::a83e:3019/128, 2a01:111:f100:2002::8975:2d79/128, 2a01:111:f100:2002::8975:2da8/128, 2a01:111:f100:7000::6fdd:6cd5/128, 2a01:111:f100:a004::bfeb:88cf/128 TCP : 443 , 80 47 default
require No *.office.net TCP : 443 , 80
UDP: 443 49 default
require No * .onenote.com TCP : 443 50 default
optional
note : OneNote notebook ( wildcard ) No *.microsoft.com TCP : 443 51 default
require No *cdn.onenote.net TCP : 443 53 default
require No ajax.aspnetcdn.com, apis.live.net, officeapps.live.com, www.onedrive.com TCP : 443 56 allow
require Yes *.auth.microsoft.com, *.msftidentity.com, *.msidentity.com, account.activedirectory.windowsazure.com, accounts.accesscontrol.windows.net, adminwebservice.microsoftonline.com, api.passwordreset.microsoftonline.com, autologon.microsoftazuread-sso.com, becws.microsoftonline.com, ccs.login.microsoftonline.com, clientconfig.microsoftonline-p.net, companymanager.microsoftonline.com, device.login.microsoftonline.com, graph.microsoft.com, graph.windows.net, login-us.microsoftonline.com, login.microsoft.com, login.microsoftonline-p.com, login.microsoftonline.com, login.windows.net, logincert.microsoftonline.com, loginex.microsoftonline.com, nexus.microsoftonline-p.com, passwordreset.microsoftonline.com, provisioningapi.microsoftonline.com
20.20.32.0/19 , 20.190.128.0/18 , 20.231.128.0/19 , 40.126.0.0/18 , 2603:1006:2000::/48 , 2603:1007:200::/48 , 2603:1016:1400::/48 , 2603:1017::/48 , 2603:1026:3000::/48 , 2603:1027:1::/48 , 2603:1036:3000::/48 , 2603:1037:1::/48 , 2603:1046:2000::/48 , 2603:1047:1::/48 , 2603:1056:2000::/48 , 2603:1057:2::/48 TCP : 443 , 80 59 default
require No *.hip.live.com, *.microsoftonline-p.com, *.microsoftonline.com, *.msauth.net, *.msauthimages.net, *.msecnd.net, *.msftauth.net, *.msftauthimages.net, *.phonefactor.net, enterpriseregistration.windows.net, policykeyservice.dc.ad.msft.net TCP : 443 , 80 64 allow
require Yes *.protection.office.com, *.security.microsoft.com, compliance.microsoft.com, defender.microsoft.com, protection.office.com, purview.microsoft.com, security.microsoft.com
13.107.6.192/32, 13.107.9.192/32, 2620:1ec:4::192/128, 2620:1ec:a92::192/128 TCP : 443 66 default
require No * .portal.cloudappsecurity.com TCP : 443 68 default
optional
Notes: Portal and shared: 3rd party office integration. (including CDNs) No firstpartyapps.oaspapps.com , prod.firstpartyapps.oaspapps.com.akadns.net , telemetryservice.firstpartyapps.oaspapps.com , wus-firstpartyapps.oaspapps.com TCP : 443 69 default
require No *.aria.microsoft.com, *.events.data.microsoft.com TCP : 443 70 default
require No * .o365weve.com , amp.azure.net , appsforoffice.microsoft.com , assets.onestore.ms , auth.gfx.ms , c1.microsoft.com , dgps.support.microsoft.com , docs.microsoft.com , msdn.microsoft.com , platform.linkedin.com , prod.msocdn.com , shellprod.msocdn.com , support.microsoft.com , technet.microsoft.com TCP : 443 71 default
require No *.office365.com TCP : 443 , 80 73 default
require No *.aadrm.com, *.azurerms.com, *.informationprotection.azure.com, ecn.dev.virtualearth.net, informationprotection.hosting.portal.azure.net TCP : 443 75 default
optional
Notes: Graph.windows.net, Office 365 Management Pack for Operations Manager, SecureScore, Azure AD Device Registration, Forms, StaffHub, Application Insights, captcha services No *.sharepointonline.com, dc.services.visualstudio.com, mem.gfx.ms, staffhub.ms, staffhubweb.azureedge.net TCP : 443 78 default
optional
Notes: Some Office 365 features require endpoints within these domains (including CDNs). Many specific FQDNs within these wildcards have been published recently as we work to either remove or better explain our guidance relating to these wildcards. No *.microsoft.com, *.msocdn.com, *.onmicrosoft.com TCP : 443 , 80 79 default
require No o15.officeredir.microsoft.com, officepreviewredir.microsoft.com, officeredir.microsoft.com, r.office.microsoft.com TCP : 443 , 80 83 default
require No activation.sls.microsoft.com TCP : 443 84 default
require No crl.microsoft.com TCP : 443 , 80 86 default
require No office15client.microsoft.com, officeclient.microsoft.com TCP : 443 89 default
require No go.microsoft.com TCP : 443 , 80 91 default
require No ajax.aspnetcdn.com, cdn.odc.officeapps.live.com TCP : 443 , 80 92 default
require No officecdn.microsoft.com, officecdn.microsoft.com.edgesuite.net, otelrules.azureedge.net TCP : 443 , 80 93 default
optional
note : ProPlus : auxiliary url No * .virtualearth.net , c.bing.net , ocos-office365-s2s.msedge.net , tse1.mm.bing.net , www.bing.com TCP : 443 , 80 95 default
optional
note : outlook for Android and ios No *.acompli.net, *.outlookmobile.com TCP : 443 96 default
optional
note : outlook for Android and ios: Authentication No login.windows-ppe.net TCP : 443 97 default
optional
note : outlook for Android and ios: Consumer Outlook.com and OneDrive integration No account.live.com, login.live.com TCP : 443 105 default
optional
note : outlook for Android and ios: Outlook Privacy No www.acompli.com TCP : 443 114 default
optional
Notes: Office Mobile URLs No *.appex-rf.msn.com, *.appex.bing.com, c.bing.com, c.live.com, d.docs.live.net, docs.live.net, partnerservices.getmicrosoftkey.com, signup.live.com TCP : 443 , 80 116 default
optional
Notes: Office for iPad URLs No account.live.com, auth.gfx.ms, login.live.com TCP : 443 , 80 117 default
optional
Notes: Yammer No *.yammer.com, *.yammerusercontent.com TCP : 443 118 default
optional
Notes: Yammer CDN No * .assets - yammer.com TCP : 443 121 default
optional
Notes: Planner: auxiliary URLs No www.outlook.com TCP : 443 , 80 122 default
optional
note : sway CDNs No eus-www.sway-cdn.com, eus-www.sway-extensions.com, wus-www.sway-cdn.com, wus-www.sway-extensions.com TCP : 443 124 default
optional
note : sway No sway.com, www.sway.com TCP : 443 125 default
require No *.entrust.net, *.geotrust.com, *.omniroot.com, *.public-trust.com, *.symcb.com, *.symcd.com, *.verisign.com, *.verisign.net, apps.identrust.com, cacerts.digicert.com, cert.int-x3.letsencrypt.org, crl.globalsign.com, crl.globalsign.net, crl.identrust.com, crl3.digicert.com, crl4.digicert.com, isrg.trustid.ocsp.identrust.com, mscrl.microsoft.com, ocsp.digicert.com, ocsp.globalsign.com, ocsp.msocsp.com, ocsp2.globalsign.com, ocspx.digicert.com, secure.globalsign.com, www.digicert.com, www.microsoft.com TCP : 443 , 80 126 default
optional
Notes: Connection to the speech service is required for Office Dictation features. If connectivity is not allowed, Dictation will be disabled. No officespeech.platform.bing.com TCP : 443 147 default
require No *.office.com, www.microsoft365.com TCP : 443 , 80 152 default
optional
note : These endpoint enable the Office Scripts functionality in office client available through the Automate tab and the Python in Excel functionality available through the Formulas tab . The Office Scripts feature can also be disabled through the Office 365 Admin portal . For admin control relate to Python in Excel , see Data security and Python in Excel . No *.microsoftusercontent.com TCP : 443 153 default
require No *.azure-apim.net, *.flow.microsoft.com, *.powerapps.com, *.powerautomate.com TCP : 443 156 default
require No *.activity.windows.com, activity.windows.com TCP : 443 158 default
require No *.cortana.ai TCP : 443 159 default
require No admin.microsoft.com TCP : 443 , 80 160 default
require No cdn.odc.officeapps.live.com , cdn.uci.officeapps.live.com TCP : 443 , 80 184 default
require No *.cloud.microsoft, *.static.microsoft, *.usercontent.microsoft TCP : 443 , 80
UDP: 443