Office 365 URLs and IP address ranges
Summary: Office 365 requires connectivity to the Internet. The endpoints below should be reachable for customers using Office 365 plans, including Government Community Cloud (GCC).
Office 365 Worldwide (+GCC) | Office 365 operated by 21 Vianet | Office 365 Germany | Office 365 U.S. Government DoD | Office 365 U.S. Government GCC High |
Last updated: 3/1/2018 - Change Log subscription | Download: all required and optional destinations in one XML formatted list. | Use: our proxy PAC files |
Start with managing Office 365 endpoints to understand our recommendations. Except for emergency changes, endpoints are updated at the end of each month.
Please read each service introduction for more info. Wildcards represent all levels under the root domain and we use N/A when information is not available. Destinations are listed with FQDN/domain only, CIDR prefixes only, or a pairing of FQDNs that represent specific CIDR prefixes along with port information. Use our PAC files to implement the principles below.
- Bypass your proxy for all FQDN/CIDR paired and CIDR prefix only destinations, such as row 2 and 3 in portal and shared.
- Bypass your proxy or remove inspection, authentication, reputation lookup services for any FQDNs marked required without a CIDR prefix, such as row 5 in portal and shared.
- For any remaining optional FQDNs, wildcards, DNS, CDN, CRL, or other unpublished destinations requested by Office 365 services, ensure clients can access them over the Internet.
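The three principles above written as a decision function, in the JavaScript that PAC files use. This is an added example, not Microsoft's PAC file: the CIDR prefixes are documentation-range placeholders, and the required/optional flags, function names and result labels are assumptions made for illustration.

```javascript
// Constructed destination list. FQDN patterns are quoted on this page; the
// CIDR prefixes are RFC 5737 placeholders, not published Office 365 ranges,
// and the required flags are assumptions for the example.
const DESTINATIONS = [
  { fqdn: "login.windows.net", required: true, cidrs: ["192.0.2.0/24"] }, // FQDN/CIDR pair
  { fqdn: null, required: true, cidrs: ["198.51.100.0/25"] },             // CIDR prefix only
  { fqdn: "*.office365.com", required: true, cidrs: [] },                 // required, no CIDR
  { fqdn: "equivioprod*.cloudapp.net", required: false, cidrs: [] },      // optional wildcard
];

// Parse a dotted-quad IPv4 address to a number, or null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when ip falls inside cidr. Malformed input never matches (fail closed).
function inCidr(ip, cidr) {
  const [base, bitsStr] = String(cidr).split("/");
  if (!/^\d{1,2}$/.test(bitsStr || "")) return false;
  const bits = Number(bitsStr);
  const ipN = ipv4ToInt(ip);
  const baseN = ipv4ToInt(base);
  if (ipN === null || baseN === null || bits > 32) return false;
  const size = 2 ** (32 - bits);
  return Math.floor(ipN / size) === Math.floor(baseN / size);
}

// Anchored wildcard match. A leading "*." covers every level under the root
// domain (the apex itself is not matched, an assumption of this example);
// any other "*" stays inside one label. Anchoring at both ends is what keeps
// look-alikes such as "evil-office365.com" from matching.
function fqdnMatches(pattern, host) {
  const h = String(host).toLowerCase().replace(/\.$/, "");
  const p = pattern.toLowerCase();
  const esc = (s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  const glob = (s) => esc(s).replace(/\*/g, "[a-z0-9-]*");
  const body = p.startsWith("*.")
    ? "(?:[a-z0-9-]+\\.)+" + glob(p.slice(2))
    : glob(p);
  return new RegExp("^" + body + "$").test(h);
}

// Returns one of:
//   "BYPASS_PROXY"     - principle 1: FQDN/CIDR pair or CIDR-only destination
//   "NO_INSPECTION"    - principle 2: required FQDN without a CIDR prefix
//   "DEFAULT_INTERNET" - principle 3: everything else takes the normal path
function classify(host, resolvedIp) {
  for (const d of DESTINATIONS) {
    if (d.cidrs.length === 0) continue;
    // For a pair, the name AND the resolved address must both match, so a
    // listed name that resolves outside its prefix does not egress directly.
    const nameOk = d.fqdn === null || fqdnMatches(d.fqdn, host);
    if (nameOk && d.cidrs.some((c) => inCidr(resolvedIp, c))) {
      return "BYPASS_PROXY";
    }
  }
  for (const d of DESTINATIONS) {
    if (d.required && d.fqdn && d.cidrs.length === 0 && fqdnMatches(d.fqdn, host)) {
      return "NO_INSPECTION";
    }
  }
  return "DEFAULT_INTERNET";
}
```

A real PAC file can only return `DIRECT` or a proxy; the middle category has to be implemented as an exemption rule on the proxy itself.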
Available over Internet & ExpressRoute circuits: shared services | authentication | Office Online | Exchange Online | Exchange Online Protection | Skype for Business Online | Microsoft Teams | SharePoint Online and OneDrive | Dynamics CRM IP | Dynamics CRM URI | Power BI | Available over Internet circuits only: Office 365 Video and Microsoft Stream | Yammer | Sway | Planner | Office Clients | Microsoft Intune | Microsoft PowerApps | Microsoft Flow |
Office 365 portal and shared
Every Office 365 service depends on the required endpoints in the Office 365 portal and shared and Office 365 authentication and identity sections to function. To use any Office 365 services, you must be able to connect to the endpoints marked required in the table below.
Portal and shared FQDNs
Office 365 shared services are requested from browsers, clients, and servers and require the authenticated user to be passed. Destinations with a yes in the ExpressRoute for Office 365 BGP Communities column are advertised over ExpressRoute and the Internet.
Row | Purpose | Destination | ExpressRoute for Office 365 BGP Communities | CIDR Address | Port |
---|---|---|---|---|---|
1 | Required: Internet egress and DNS resolution as close to the user as possible. Ensure public resources such as certificate revocation lists are accessible. | see well known certificate root CRLs in the table below and Office 365 certificate chains for more information. | no | N/A | TCP 80 & 443 |
2 | Required: Office 365 portal | | no (see note 2) | TCP 443 | |
3 | Required: Office 365 portal and shared infrastructure (including Cloud App Security and Delve) | | yes | TCP 443 | |
4 | Required: Office 365 Aria service (used with Skype for Business Online, Microsoft Teams, StaffHub, Outlook App, and other services). | | yes | TCP 443 | |
5 | Required: Office 365 portal (including shared telemetry) | | no | portal and shared IP ranges - Internet-only IPs. | TCP 443 |
6 | Required: shared infrastructure, help, and CDNs | | no | N/A | TCP 443 |
7 | Required: Security and Compliance Center including audit APIs | | yes | TCP 443 | |
8 | Optional: Security and Compliance Center advanced eDiscovery. | | no | N/A | TCP 443 |
9 | Optional: Security and Compliance Center eDiscovery export | | no | N/A | TCP 443 |
10 | Optional: 3rd party office integration. (including CDNs) | | no | N/A | TCP 443 |
11 | Optional: some Office 365 features require endpoints within these domains. (including CDNs) Note: Many specific FQDNs within these wildcards have been published recently as we work to either remove or better explain our guidance relating to these wildcards. | | no (see note 2) | N/A | TCP 80 & 443 |
12 | Optional: Microsoft Azure RemoteApp | | no | N/A | TCP 443 |
13 | Optional: | | no | N/A | TCP 443 |
14 | Optional: Import Service for PST and file ingestion | refer to the import service for additional requirements. | |||
15 | Optional: Remote Connectivity Analyzer - Initiate connectivity tests. | | no | | TCP 80 & 443 |
16 | Optional: Remote Connectivity Analyzer - Execution of the tests selected by the customer. source of network requests: testconnectivity.microsoft.com | on-premises systems for email and collaboration. | no | customer IP ranges | 80, 443, 25, POP3 on (110, 995, or Custom), IMAP4 on (143, 993, or Custom) |
17 | Optional: Microsoft Support and Recover Assistant for Office 365 - validate single sign-on user credentials. Source: | on-premises STS | no | customer IP ranges | customer configurable. Typically TCP 443 |
1 Keep in mind that machine accounts won't work with proxies that require outbound authentication.
2 There are specific sub-FQDNs within this domain that are available on ExpressRoute. Learn more in the section Deciding which applications and features route over ExpressRoute.
Note: The domains and nodes that the wildcards such as *.office365.com & *.portal.cloudappsecurity.com represent are a list of application, functional, and regional domains and nodes used for the Office 365 suite. Some are dynamically assigned and all of these sub-domains and nodes are subject to change at any time as the service improves. Other wildcards such as *.office.com, *.office.net, *.onmicrosoft.com, *.microsoft.com, & *.msocdn.com are used to capture the long list of shared Microsoft-wide services that Office 365 relies on at times and can be treated as general Internet traffic where a specific FQDN is not defined. The wildcards used in the advanced eDiscovery service such as equivioprod*.cloudapp.net and zoom-cs-prod*.cloudapp.net represent a long list of FQDNs such as equivioprod-4.cloudapp.net.
Portal and shared IP addresses
Office 365 portal and shared IPv4 endpoints routable through the Internet and ExpressRoute | Office 365 portal and shared IPv4 endpoints routable through the Internet only | Office 365 portal and shared IPv6 endpoints routable through the Internet only |
| | |
Azure Rights Management (RMS)
The endpoints listed in this section are required if you're using Azure Rights Management. Requests originate from browsers, clients, and servers and require the authenticated user to be passed. In addition to the suite-wide FQDNs, CDNs, and telemetry listed above, you'll need to also add these endpoints. Azure RMS requires port 443 for all communications, does not rely on CDNs, has no published IP addresses, and is not accessible over ExpressRoute for Office 365.
For additional networking requirements, see the Firewalls and network infrastructure requirements for Azure Information Protection.
Row | Purpose | Destination |
---|---|---|
1 | Required: suite-wide services | see Office 365 required entries for shared services and authentication |
2 | Required: Azure Rights Management (RMS) | |
3 | Optional: Azure Rights Management (RMS) | *.cloudapp.net (see note 1) |
4 | Optional: Rights Management connector Source of network requests: On-premises server | *.aadrm.com |
1 Azure Rights Management Office 2010 clients only.
Note: The domains and nodes that the wildcards such as *.aadrm.com & *.azurerms.com represent are a list of application, functional, and regional domains and nodes used for rights management functionality. Some are dynamically assigned and all of these sub-domains and nodes are subject to change at any time as the service improves.
Certificate Revocation List FQDNs
See our article on the Office 365 certificate chains for a more detailed view of the certificate chains including downloadable p7b.
Office 365 Certificate Revocation List (Root URLs) |
|
Office 365 authentication and identity
Every Office 365 service depends on the required endpoints in the Office 365 portal and shared and Office 365 authentication and identity sections to function. To use any Office 365 services, you must be able to connect to the endpoints marked required in the table below. If your organization uses Azure AD Connect (AAD Connect), AD FS, or Multi-factor authentication, you'll find the associated endpoints below. All IP addresses entered directly in the Destination IP column are also listed in the IP tables and XML file for your convenience.
Authentication and identity FQDNs
If you're using Active Directory Federation Services (AD FS) with your deployment, you can also use AD FS client access policies with Windows Server 2012 R2 or client access policies with AD FS 2.0 to further restrict and control access to Office 365. Destinations with a yes in the ExpressRoute for Office 365 BGP Communities column are advertised over ExpressRoute and the Internet.
The FQDN secure.aadcdn.microsoftonline-p.com needs to be in your client's IE Trusted Sites Zone to function.
Row | Purpose | Source | Credentials | Destination | ExpressRoute for Office 365 BGP Communities | CIDR Address | Port |
---|---|---|---|---|---|---|---|
1 | Required: Certificate revocation lists | |||||
2 | Required: authentication and identity including Graph (Graph.Microsoft.com) | client or server / logged on user | | yes | TCP 80 & 443 | |
3 | Required: authentication and identity | client or server / logged on user | | yes | TCP 80 & 443 | |
4 | Required: authentication and identity | client or server / logged on user | | no | N/A | TCP 443 |
5 | Optional: Legacy/temporary FQDNs (including CDNs) | client or server / logged on user | | no | N/A | TCP 443 |
6 | Required: Multi-factor authentication (MFA) | client or server / logged on user | | no | | TCP 443 |
7 | Optional: Azure AD Connect and DirSync | Azure AD Connect server | Service Account | | yes | TCP 443 | |
8 | Optional: Azure AD Connect and DirSync | Azure AD Connect server | Service Account | | no | N/A | TCP 80 & 443 |
9 | Optional: Azure AD Connect (w/SSO option) – WinRM & remote powershell | client or server / logged on user | customer STS environment (AD FS Server and AD FS Proxy) | Ports TCP 80 & 443 | no | customer environment | TCP 80 & 443 |
10 | Optional: STS such as AD FS Proxy server(s) (for federated customers only) | client or server / N/A | customer STS (such as AD FS Proxy) | Ports TCP 443 or TCP 49443 w/ClientTLS | no | customer environment | TCP 443 or TCP 49443 w/ClientTLS |
11 | Optional: AD FS Proxy server(s) (for federated customers only) | customer AD FS Proxy (WAP) | N/A | customer AD FS server (FS) | Port TCP 443 | no | customer environment | TCP 443 |
12 | Optional: Azure AD Connect Health (including CDNs) *.servicebus.windows.net uses TCP 5671 (If 5671 is blocked, agent falls back to 443, but using 5671 is recommended.) | Azure AD Connect Health server | Service Account | | no | N/A | TCP 443 |
13 | Optional: Azure AD Connect Health | Azure AD Connect Health server | Service Account | | yes | TCP 443 |
Note: The sub-FQDN login.windows.net is advertised via ExpressRoute and included in the Office 365 BGP communities. Also keep in mind that machine accounts won't work with proxies that require outbound authentication.
Authentication and identity IP addresses
Office 365 authentication and identity IPv4 endpoints routable through the Internet and ExpressRoute | Office 365 authentication and identity IPv6 endpoints routable through the Internet only |
| |
Office Online
Office Online FQDNs
Every Office 365 service depends on the required endpoints in the Office 365 portal and shared and Office 365 authentication and identity sections to function. To use Office Online, you must be able to connect to the endpoints marked required in the table below. Destinations with a yes in the ExpressRoute for Office 365 BGP Communities column are advertised over ExpressRoute and the Internet.
Office Online is only available in the browser and requires the authenticated user to be passed through any proxies. Office Online only requires TCP Port 443. In addition to the suite-wide FQDNs, CDNs, and telemetry listed above, you'll need to also add these endpoints.
Row | Purpose | Destination | ExpressRoute for Office 365 BGP Communities | CIDR Address |
---|---|---|---|---|
1 | Required: suite-wide services | see Office 365 required entries for shared services and authentication | ||
2 | Required: Office Online | | yes | |
3 | Required: Content Delivery Network for Office Web Apps | | no | N/A |
Note: The domains and nodes that the wildcards such as *visio.officeapps.live.com represent are a list of 20+ regional nodes. Similarly, the wildcard in the *.cdn.office.net entry represents a collection of application, functional, and regional domains and nodes used only by Office Online. All of these sub-domains and nodes are subject to change at any time as the service improves.
Office Online IP addresses
Office Web Apps IPv4 endpoints routable through the Internet and ExpressRoute | Office Web Apps IPv6 endpoints routable through the Internet only |
| |
Exchange Online
Exchange Online FQDNs
Every Office 365 service depends on the required endpoints in the Office 365 portal and shared and Office 365 authentication and identity sections to function. To use Exchange Online, including mail retrieval, OWA, Unified Messaging, and so on, you must be able to connect to the endpoints marked required below. If your organization uses Exchange Hybrid or is migrating email to Office 365, you'll find the associated endpoints below.
Destinations with a yes in the ExpressRoute for Office 365 BGP Communities column are advertised over ExpressRoute and the Internet, with the exception of *.outlook.com. Specific sub-FQDNs within this domain, such as the CNAME xsi.outlook.com, refer to a CDN, have no published IPs, and are not available over ExpressRoute; other sub-domains are available on ExpressRoute. Learn more in the section Deciding which applications and features route over ExpressRoute.
Note: For customers running the Exchange Hybrid configuration wizard, rows 7-10 are not optional.
Row | Purpose | Source | Credentials | Destination | ExpressRoute for Office 365 BGP Communities | CIDR Address | Port |
---|---|---|---|---|---|---|---|
1 | Required: suite-wide services | see Office 365 required entries for shared services and authentication | ||||
2 | Required: EOP services | |||||
3 | Required: client SMTP Relay | client computer | logged on user | | yes | TCP 587 | |
4 | Required: Exchange Online (including OWA, Outlook, EWS, MRS migrations, and so on). | client or on-premises Exchange server | logged on user or machine account | | yes | TCP 80 & 443 | |
5 | Required: Exchange Online CDNs (including OWA, Outlook, and so on). | client or server | logged on user | | no | N/A | TCP 80 & 443 |
6 | Optional: Exchange Online Unified Messaging/SBC integration. | on-premises Session Border Controller | | no | Note: These IP addresses are provided for informational purposes and are not included in the XML. | Any-TCP/UDP (Bidirectional for inbound, calls, MWI) |
7 | Optional: Exchange Hybrid co-existence functions such as Free/Busy sharing. | customer on-premises Exchange | yes | Customer IP | TCP 443 | |
8 | Optional: Exchange Hybrid proxy authentication | customer on-premises STS | yes | Customer IP | TCP 443 (+ TCP 49443 for cert based authentication) | |
9 | Optional: used to configure Exchange Hybrid, using the Exchange Hybrid Configuration Wizard. Note: These endpoints are only required to configure Exchange hybrid. Rows 8-10 describe the ongoing traffic. | existing Exchange service | N/A | See http://Aka.ms/hybridwizard. For early adopters (TAP), see http://aka.ms/tapHCW. | no | N/A | TCP 80 & 443 |
10 | Optional: used to configure Exchange Hybrid, using the Exchange Hybrid Configuration Wizard. Note: These endpoints are only required to configure Exchange hybrid. Rows 8-10 describe the ongoing traffic. | existing Exchange service | N/A | domains.live.com (see note 1) | yes | Note: These IP addresses are provided for informational purposes and are not included in the XML. | TCP 80 & 443 |
11 | Optional: Exchange Online IMAP4 migration | IMAP4 Service | N/A | | yes | TCP 143/993 | |
12 | Optional: Exchange Online POP3 migration | POP3 Service | N/A | | yes | TCP 995 |
1 Only required for Exchange 2010 SP3 Hybrid Configuration Wizard.
Note: The domains and nodes that the wildcards such as *.outlook.office.com & *.um.outlook.com represent are a list of application, functional, and regional domains and nodes used for Exchange Online functionality. Some are dynamically assigned and all of these sub-domains and nodes are subject to change at any time as the service improves. The domains and nodes that the wildcard *.outlook.com represents include sub-domains and nodes for Exchange Online functionality, 3rd party CDNs for Exchange Online such as xsi.outlook.com, and sub-domains that other parts of Office 365 use.
Exchange Online IP addresses
Exchange Online IPv4 endpoints routable through the Internet and ExpressRoute | Exchange Online IPv6 endpoints routable through the Internet only |
| |
Exchange Online Protection FQDNs
To use Exchange Online Protection as a standalone service or as the SMTP engine with Exchange Online, you must be able to connect to the endpoints marked required below. Note the EOP SMTP IP addresses are linked to in rows 2, 3, & 4 instead of being listed directly on this page. In addition to the suite-wide FQDNs, CDNs, and telemetry listed above, you'll need to also add these endpoints. All Exchange Online Protection endpoints are available over ExpressRoute and do not rely on a CDN.
Row | Purpose | Source | Credentials | Destination | CIDR Address | Port |
---|---|---|---|---|---|---|
1 | Required: suite-wide services. | see Office 365 required entries for shared services and authentication | |||
2 | Required: EOP | client or server / logged on user | *.protection.outlook.com | TCP 443 | |
3 | Required: send SMTP email | existing email environment | N/A | <customer domain-key>.mail.protection.outlook.com | TCP 25 | |
4 | Required: receive SMTP email | see Exchange Online Protection IP Addresses | N/A | customer email environment | customer email environment | TCP 25 |
Note: The domains and nodes that the wildcards such as *.protection.outlook.com represent are a list of application, functional, and regional domains and nodes used for mail delivery, security, and compliance functionality. Some are dynamically assigned and all of these sub-domains and nodes are subject to change at any time as the service improves.
Skype for Business Online
Skype for Business Online FQDNs
To use Skype for Business Online, ensure both the FQDN and IP Address endpoints listed in the Skype for Business Online tables below are reachable. These tables are updated regularly as Microsoft works to build out its network to increase reliability and performance. Please be sure to subscribe to changes in this documentation to ensure changes are incorporated in your networking configuration.
The IP Address endpoints listed in the Skype for Business Online IP Addresses include IPs required for both Skype for Business Online and Teams. If your company also wants to use Microsoft Teams, there is no extra work required as long as you whitelist all the IPs in this section. The FQDN endpoints listed in the Skype for Business Online FQDNs cover only those FQDNs that are required for Skype for Business Online. If your company wants to use Microsoft Teams, you need to add the FQDNs for Microsoft Teams listed in the Microsoft Teams section. Destinations with a yes in the ExpressRoute for Office 365 BGP Communities column are advertised over ExpressRoute and the Internet.
To use Skype for Business Online, you must first enable endpoints for authentication as well as the Office 365 portal and shared service. You must also ensure the endpoints in the Skype for Business Online FQDN and IP Address tables are reachable. To see the IP addresses, expand the IP address section below the table describing the traffic flow. Keep in mind that wildcards represent all possible sub-domains under the root.
Row | Purpose | Source | Credentials | Destination | ExpressRoute for Office 365 BGP Communities | CIDR Address | Port |
---|---|---|---|---|---|---|---|
1 | Required: suite-wide services. | see Office 365 required entries for shared services, authentication, and Office Online | ||||
2 | Required: Skype for Business, including SIP signaling, Persistent Shared Object Model (PSOM) connections, web conferencing, HTTPS downloads, and Call Quality Dashboard | client computer | logged on user | | yes | TCP 443 | |
3 | Required: Audio, Video, & Desktop sharing | client computer | logged on user | | yes | TCP 443, UDP 3478, 3479, 3480, & 3481 Optional: TCP & UDP 50,000-59,999 | |
4 | Required: Lync Mobile push notifications for Lync Mobile 2010 on iOS devices. You don't need this for Android, Nokia Symbian or Windows Phone mobile devices. | client computer | logged on user | | yes | TCP 5223 | |
5 | Required: Skype for Business CDNs | client computer | logged on user | | no | N/A | TCP 80 & 443 |
6 | Required: Skype client quicktips & OWA integration | client computer | logged on user | | no | N/A | TCP 443 |
7 | Optional: Federation with Skype and public IM connectivity: Contact picture retrieval | client computer | logged on user | | no | TCP 443 |
To use Skype Meeting Broadcast, the following endpoints need to be accessible to client computers.
Row | Purpose | Source | Credentials | Destination | ExpressRoute for Office 365 BGP Communities | CIDR Address | Port |
---|---|---|---|---|---|---|---|
1 | Required: Skype for Business endpoints. | see Skype for Business Online and ensure all entries labeled "required" are accessible. | ||||
2 | Required: Skype Meeting Broadcast presenter and attendee | client computer / logged on user | | yes | TCP 443 | |
3 | Required: Skype Meeting Broadcast presenter and attendee | client computer / logged on user | | no | N/A | TCP 443 |
4 | Required: Skype Meeting Broadcast presenter and attendee (including CDNs) | client computer / logged on user | | no | N/A | TCP 443 |
Notes:
- The domains and nodes that the wildcards such as *.lync.com, *.config.skype.com, *.broadcast.skype.com, *.skypeforbusiness.com, *.sfbassets.com, & *.urlp.sfbassets.com represent are a list of application, functional, and regional domains and nodes used for Skype for Business Online functionality. Some are dynamically assigned and all of these sub-domains and nodes are subject to change at any time as the service improves.
- The wildcard for mediaservices.windows.net represents a list of media services endpoints associated with Azure Media Services where video content is pulled from. These endpoints are available via the Internet and Azure Public peering. The wildcard for msecnd.net represents a dynamically generated endpoint within the CDN that join page libraries are pulled from.
Skype for Business Online IP addresses
Skype for Business Online IPv4 endpoints routable through the Internet and ExpressRoute | Skype for Business Online IPv6 endpoints routable through the Internet only |
| |
Microsoft Teams
Microsoft Teams FQDNs
To use Microsoft Teams, ensure both the FQDN and IP Address endpoints listed in the Microsoft Teams tables below are reachable. These tables are updated regularly as Microsoft works to build out its network to increase reliability and performance. Please be sure to subscribe to changes in this documentation to ensure changes are incorporated in your networking configuration. Destinations with a yes in the ExpressRoute for Office 365 BGP Communities column are advertised over ExpressRoute and the Internet.
If you are using Internet Explorer or Microsoft Edge, you need to enable first and third-party cookies and add the FQDNs for Teams to your Trusted Sites. This is in addition to the suite-wide FQDNs, CDNs, and telemetry listed above. See Known issues for Microsoft Teams for more information.
Wildcards represent regional installations of these services.
Row | Purpose | Source | Credentials | Destination | ExpressRoute for Office 365 BGP Communities | CIDR Address | Port |
---|---|---|---|---|---|---|---|
1 | Required: suite-wide services. | see Office 365 required entries for shared services, authentication, and Office Online | ||||
2 | Required: Microsoft Teams. | Client or Server / logged on user | | Yes | TCP 80 & 443 | |
3 | Required: Microsoft Teams collaboration | Client or Server / logged on user | | Yes | TCP 443 | |
4 | Required: Microsoft Teams media | Client or Server / logged on user | These IPs are used by media without explicit FQDN mappings. | Yes | | TCP 443 UDP 3478-3481 |
5 | Required: Microsoft Teams shared services | Client or Server / logged on user | | Yes | TCP 443 | |
6 | Required: Microsoft Teams shared services | Client or Server / logged on user | | No | N/A | TCP 443 |
7 | Required: Microsoft Teams shared services | Client or Server / logged on user | | No | N/A | TCP 443 |
8 | Optional: Messaging interop with Skype for Business | Client or Server / logged on user | | Yes | TCP 443 | |
9 | Optional: Messaging interop with Skype for Business (including CDNs) | Client or Server / logged on user | | No | N/A | TCP 443 |
10 | Optional: Skype Graph | Client or Server / logged on user | | No | TCP 443 | |
11 | Optional: Yammer third-party integration | Client or Server / logged on user | | No | N/A | TCP 80 or 443 |
Note: The domains and nodes that the wildcards such as *.teams.skype.com, *.teams.microsoft.com, *.config.skype.com, *.secure.skypeassets.com, & *.pipe.skype.com represent are a list of application, functional, and regional domains and nodes used for Microsoft Teams functionality. Some are dynamically assigned and all of these sub-domains and nodes are subject to change at any time as the service improves.
Microsoft Teams IP addresses
Microsoft Teams IPv4 endpoints routable through the Internet and ExpressRoute | Microsoft Teams IPv6 endpoints routable through the Internet only | |
| |
SharePoint Online and OneDrive for Business
To use SharePoint Online or OneDrive for Business, you must be able to connect to the endpoints marked required below. Destinations with a yes in the ExpressRoute for Office 365 BGP Communities column are advertised over ExpressRoute and the Internet.
SharePoint Online and OneDrive for Business FQDNs
All '.sharepoint.com' FQDNs with '<tenant>' in the FQDN need to be in your client's IE Trusted Sites Zone to function. In addition to the suite-wide FQDNs, CDNs, and telemetry listed above, you'll need to also add these endpoints.
Row | Purpose | Source | Credentials | Destination | ExpressRoute for Office 365 BGP Communities | CIDR Address | Port |
---|---|---|---|---|---|---|---|
1 | Required: suite-wide services, local egress, local DNS resolution, and CRLs. | see Office 365 required entries for shared services and authentication | ||||
2 | Required: Office Online. | see Office Online | ||||
3 | Required: SharePoint Online, OneDrive for Business, and associated applications. | client or server / logged on user | | yes | TCP 80 & 443 | |
4 | Required: CDNs for SharePoint Online and associated applications | client or server / logged on user | | no | N/A | TCP 80 & 443 |
5 | Required: OneDrive for Business | client or server / logged on user | | no | N/A | TCP 80 & 443 |
6 | Required: OneDrive for Business CDN and client verification | client or server / logged on user | | no | N/A | TCP 80 & 443 |
7 | Optional: OneDrive for Business: supportability, telemetry, APIs, and embedded email links | client or server / logged on user | | no | N/A | TCP 443 |
8 | Optional: SharePoint Hybrid Search - Endpoint to SearchContentService where the hybrid crawler feeds documents | The crawler on the on-prem SP authenticates to SCS as the tenant that does the feeding. | | no | N/A | TCP 443 |
9 | Optional: SharePoint Hybrid Search - Endpoint to SearchContentService to successfully authenticate to remote farm with OAuth authentication and authorization. | The Host Controller/Node Runner Account on the on-prem SP server. | | no | N/A | TCP 443 |
10 | Optional: SharePoint Hybrid Search - Required for onboarding script to connect to Office 365 Provisioning Web Services. | Global admin or equivalent credentials on the tenant for which Hybrid Search is being configured | | yes | TCP 443 |
Note: The domains and nodes that the wildcards such as *.sharepoint.com, *.sharepointonline.com, & *.svc.ms represent are a list of application, functional, and regional domains and nodes used by SharePoint Online. All of these sub-domains and nodes are subject to change at any time as the service improves.
SharePoint Online IP addresses
SharePoint Online IPv4 endpoints routable through the Internet and ExpressRoute | SharePoint Online IPv6 endpoints routable through the Internet only |
---|---|
| |
Additional Office 365 services
This section covers Office 365 Video, Microsoft Stream, Planner, Sway, Yammer, Office 365 ProPlus, and other client software. To use any of these services, in addition to the suite-wide FQDNs, CDNs, and telemetry listed above, you must be able to connect to the endpoints marked required in the tables below. The destination port is TCP 443 unless otherwise noted. None of the following services are advertised over Azure ExpressRoute for Office 365.
Yammer
Yammer is only available in the browser and requires the authenticated user to be passed through a proxy. All Yammer FQDNs need to be in your client's IE Trusted Sites Zone to function.
Row | Purpose | Destination | CIDR Address |
---|---|---|---|
1 | Required: suite-wide services | see Office 365 required entries for shared services and authentication | |
2 | Required: Yammer | | |
3 | Required: Yammer CDN | | N/A |
Note: The domains and nodes that the wildcards such as *.yammer.com, *.yammerusercontent.com, & *.assets-yammer.com represent are a list of application, functional, and regional domains and nodes used by Yammer. Some are dynamically assigned and all of these sub-domains and nodes are subject to change at any time as the service improves.
Planner
Planner is only available in the browser and requires the authenticated user to be passed through a proxy. In addition to the suite-wide FQDNs, CDNs, and telemetry listed above, you'll also need to add these endpoints.
Row | Purpose | Destination | CIDR Address |
---|---|---|---|
1 | Required: suite-wide services | see Office 365 required entries for shared services and authentication | |
2 | Required: Planner | | |
3 | Required: Planner CDNs | | N/A |
Sway
Sway is only available in the browser and requires the authenticated user to be passed through a proxy. In addition to the suite-wide FQDNs, CDNs, and telemetry listed above, you'll also need to add these endpoints.
Row | Purpose | Destination |
---|---|---|
1 | Required: suite-wide services | see Office 365 required entries for shared services and authentication |
2 | Required: Sway | |
3 | Required: Sway CDNs | |
4 | Optional: Sway website analytics | |
5 | Optional: Sway third party content | access to third party content such as Bing, Flickr, and so on |
Note: Instead of a wildcard, we've listed every regional and functional FQDN for Sway to help convey what the other regional, application, and functional wildcards represent for endpoints published in this article.
Office 365 Video and Microsoft Stream
Office 365 Video and Microsoft Stream are only available in the browser and require the authenticated user to be passed through a proxy. CIDR formatted IP addresses are not available for either Office 365 Video or Microsoft Stream.
Row | Purpose | Destination |
---|---|---|
1 | Required: suite-wide services | see Office 365 required entries for shared services and authentication |
2 | Required: SharePoint Online endpoints listed above as required | |
3 | Required: Office 365 Video (using Azure Media Services including CDNs associated with Azure Media Services) | |
4 | Required: Office 365 Video CDNs | |
5 | Required: Microsoft Stream. (needs the AAD user token) | |
7 | Required: Microsoft Stream - unauthenticated (content is encrypted) (using Azure Media Services including CDNs associated with Azure Media Services) | |
8 | Required: Microsoft Stream CDN | |
9 | Optional: Microsoft Stream 3rd party integration (including CDNs) | |
Note: The nodes that the wildcards such as *.keydelivery.mediaservices.windows.net & *.streaming.mediaservices.windows.net represent are dynamic entries for video storage and retrieval.
Office 2016 for Mac, Office 365 ProPlus, and mobile clients
Row | Purpose | Destination |
---|---|---|
1 | Office 2016 for Mac | To understand Office 2016 for Mac endpoint requirements, refer to our reference article Network requests in Office 2016 for Mac. |
2 | Office 365 ProPlus and Mobile clients | To understand Office client network requests, including Office 365 ProPlus, Office 2016 for Windows, Outlook App for iOS and Windows, and OneNote, refer to the article Network requests in Office and Mobile clients. |
How are changes to this page made and how can I be notified?
Office 365 endpoints are published at the end of each month with 30 days' notice. Occasionally, emergency changes will occur outside of the end-of-month publishing or with shorter notice periods. When an endpoint is added, the effective date listed in the RSS feed is the date after which network requests will be sent to the endpoint. If you're new to RSS, here is how to subscribe via Outlook or you can have the RSS feed updates emailed to you.
How to use the ExpressRoute for Office 365 column
The endpoints listed as a Yes in the ExpressRoute for Office 365 column are available both over the internet and over ExpressRoute with Microsoft peering configured. Some services that Office 365 leverages are also available with Public peering configured and those are noted here; however, Public peering is not required to use ExpressRoute with Office 365 for the Office 365 applications supported over ExpressRoute.
Here's a short link you can use to come back: https://aka.ms/o365endpoints
Related Topics
Network connectivity to Office 365
Managing Office 365 endpoints
Troubleshooting Office 365 connectivity
Client connectivity
Content delivery networks
Microsoft Azure Datacenter IP Ranges
Microsoft Public IP Space