Support - Office.com En-Us Article Office-365-URLs-and-IP PDF

Search Office help
Buy Office 365

Office
Sign in
Apps Products Resources
Install
Templates
Account
Support
Training
Admin
Office 365 enterprise

Plan for Office 365
Set up Office 365 services
Setup overview for enterprises
Configure services and applications
Release options in Office 365
Network planning and performance
URLs and IP address ranges
Office 365 integration
About Office 365 identity
Migrate data to Office 365
Azure integration
Domains
Deploy Office clients
Security & Compliance
Manage services
Hybrid environments
Health and support
Office 365 URLs and IP address ranges

Applies To: Office 365 Admin, Office 2016 for Mac
Summary: Office 365 requires connectivity to the Internet. The endpoints below should be reachable for
customers using Office 365 plans, including Government Community Cloud (GCC).
Office 365 Worldwide (+GCC) | Office 365 operated by 21 Vianet | Office 365 Germany | Office 365 U.S.
Government DoD | Office 365 U.S. Government GCC High |
Was this information helpful? Yes No

×
Office 365 portal and shared
Every Office 365 service depends on the required endpoints in the Office 365 portal and shared and Office
365 authentication and identity sections to function. To use any Office 365 services, you must be able to
connect to the endpoints marked required in the table below.
Portal and shared FQDNs

Office 365 shared services are requested from browsers, clients, and servers and requires the authenticated
user to be passed. Destinations with a yes in the ExpressRoute for Office 365 BGP Communities column
are advertised over ExpressRoute and the Internet.
Row Purpose Destination ExpressRoute CIDR Address Port

for Office
365 BGP
Communities
1 Required: Internet egress and see well known certificate root CRLs in the table no N/A TCP 80
DNS resolution as close to the below. and Office 365 certificate chains for more 443
user as possible. Ensure public information.
resources such as certificate
revocation lists are accessible.
*.office365.com 2
2 Required: Office 365 portal no portal and TCP 443
shared IP ranges
*.portal.cloudappsecurity.com
3 Required: Office 365 portal yes portal and TCP 443
*.us.portal.cloudappsecurity.com
and shared infrastructure *.eu.portal.cloudappsecurity.com shared IP ranges
(including Cloud App Security *.us2.portal.cloudappsecurity.com & Exchange
<tenant>.onmicrosoft.com
and Delve) Online IP ranges.
account.office.net
agent.office.net
apc.delve.office.com
aus.delve.office.com
can.delve.office.com
delve.office.com
eur.delve.office.com
gbr.delve.office.com
home.office.com
ind.delve.office.com
jpn.delve.office.com
kor.delve.office.com
lam.delve.office.com
nam.delve.office.com
portal.office.com
outlook.office365.com
suite.office.net
webshell.suite.office.com
www.office.com
*.aria.microsoft.com
4 Required: Office 365 aria yes Skype for TCP 443
browser.pipe.aria.microsoft.com
service (used with Skype for mobile.pipe.aria.microsoft.com Business IP
Business Onlnine, Microsoft ranges.
Teams, StaffHub, Outlook
App, and other services.

×
5 Required: Office 365 portal portal.microsoftonline.com no portal and TCP 443
clientlog.portal.office.com
(including shared telemetry) nexus.officeapps.live.com shared IP ranges
nexusrules.officeapps.live.com - Internet-only
IPs.
amp.azure.net
6 Required: shared no N/A TCP 443
auth.gfx.ms
infrastructure, help, and CDNs appsforoffice.microsoft.com
assets.onestore.ms
az826701.vo.msecnd.net
c.microsoft.com
c1.microsoft.com
client.hip.live.com
contentstorage.osi.office.net
dgps.support.microsoft.com
docs.microsoft.com
groupsapi-prod.outlookgroups.ms
groupsapi2-prod.outlookgroups.ms
msdn.microsoft.com
platform.linkedin.com
products.office.com
prod.msocdn.com
r1.res.office365.com
res.delve.office.com
shellprod.msocdn.com
support.content.office.net
support.microsoft.com
support.office.com
technet.microsoft.com
templates.office.com
video.osi.office.net
videocontent.osi.office.net
videoplayercdn.osi.office.net
*.manage.office.com
7 Required: Security and yes portal and TCP 443
*.protection.office.com
Compliance Center including manage.office.com shared IP ranges
audit APIs protection.office.com
equivioprod*.cloudapp.net
8 Optional: Security and no N/A TCP 443
equivio.office.com
Compliance Center advanced office365zoom.cloudapp.net
eDiscovery. zoom-cs-prod*.cloudapp.net
*.blob.core.windows.net
9 Optional: Security and no N/A TCP 443
Compliance Center
eDiscovery export
*.helpshift.com
10 Optional: 3rd party office no N/A TCP 443
*.localytics.com
integration. (including CDNs) analytics.localytics.com
api.localytics.com
connect.facebook.net
firstpartyapps.oaspapps.com
outlook.uservoice.com
prod.firstpartyapps.oaspapps.com.akadns.net
rink.hockeyapp.net
sdk.hockeyapp.net
telemetryservice.firstpartyapps.oaspapps.com
web.localytics.com
webanalytics.localytics.com

×
11 Optional: some Office 365 *.microsoft.com 2 N/A TCP 80
*.msocdn.com
no
features require endpoints *.office.com 443
within these domains. *.office.net
(including CDNs) *.onmicrosoft.com
Note: Many specific FQDNs within

these wildcards have been
published recently as we work to
either remove or better explain
our guidance relating to these
wildcards.
liverdcxstorage.blob.core.windowsazure.com
12 Optional: Microsoft Azure no N/A TCP 443
telemetry.remoteapp.windowsazure.com
RemoteApp vortex.data.microsoft.com
www.remoteapp.windowsazure.com
13 Optional: no N/A TCP 443
*.hockeyapp.net
*.sharepointonline.com
*.staffhub.office.com
Graph.windows.net
api.office.com
enterpriseregistration.windows.net
Office 365 Management dc.applicationinsights.microsoft.com
Pack for Operations dc.services.visualstudio.com
Manager forms.microsoft.com
forms.office.com
graph.windows.net
SecureScore manage.office.com
mem.gfx.ms
Azure AD Device office365servicehealthcommunications.cloudapp.net
Registration securescore.office.com
signup.microsoft.com
staffhub.ms
Forms staffhubweb.azureedge.net
staffhub.office.com
StaffHub staffhub.uservoice.com
weu-000.forms.osi.office.net
Application Insights wus-000.forms.osi.office.net
neu-000.forms.osi.office.net
eus2-000.forms.osi.office.net
captcha services
ea-000.forms.osi.office.net
watson.telemetry.microsoft.com
wu.client.hip.live.com
14 Optional: Import Service for refer to the import service for additional
PST and file ingestion requirements.
testconnectivity.microsoft.com 13.67.59.89/32
15 Optional: Remote no TCP 80
40.69.150.142/32
Connectivity Analyzer - 40.85.91.8/32 443
Initiate connectivity tests. 104.211.54.99/32
104.211.54.134/32
16 Optional: Remote on-premises systems for email and no customer IP 80, 443
Connectivity Analyzer - collaboration. ranges POP3 o
Execution of the tests selected (110, 99
by the customer. Custom
IMAP4
source of network requests: (143, 99
testconnectivity.microsoft.com
Custom

×
17 on-premises STS no
Optional: Microsoft Support customer IP custom
and Recover Assistant for ranges configu
Office 365 - validate single Typicall
sign-on user credentials. TCP 443
Source:
o365diagnosticsbasic-
eus.cloudapp.net
(104.211.54.99)
o365diagnosticworker-
eus.cloudapp.net
(104.211.54.134)
1
Keep in mind that Machine accounts won’t work with proxies that require outbound authentication.
2
There are specific sub-FQDNs within this domain that are available on ExpressRoute, learn more by reading
the section, Deciding which applications and features route over ExpressRoute.
Note: The domains and nodes that the wildcards such as *.office365.com & *.portal.cloudappsecurity.com
represent are a list of application, functional, and regional domains and nodes used for the Office 365 suite.
Some are dynamically assigned and all of these sub-domains and nodes are subject to change at any time as
the service improves. Other wildcards such as *.office.com, *.office.net, *.onmicrosoft.com, *.microsoft.com, &
*.msocdn.com are used to capture the long list of shared Microsoft-wide services that Office 365 relies on at
times and can be treated as general Internet traffic where a specific FQDN is not defined. The wildcards used
in the advanced eDiscovery service such as equivioprod*.cloudapp.net and zoom-cs-prod*.cloudapp.net
represent a long list of FQDNs such as equivioprod-4.cloudapp.net.
Expand to see the portal and shared IP Addresses
Office 365 portal and shared Office 365 portal and Office 365 portal and shared IPv6
IPv4 endpoints routable shared IPv4 endpoints endpoints routable through the Internet
through the Internet and routable through the only
ExpressRoute Internet only
13.65.240.22/32 13.64.196.27/32 2603:1020:200::682f:a1d8/128

13.66.58.59/32 13.64.198.19/32 2603:1020:201:a::2b1/128
13.70.156.206/32 13.64.198.97/32 2603:1020:201::142/128
13.71.145.114/32 13.64.199.41/32 2603:1020:201::265/128
13.71.145.122/32 13.67.59.89/32 2603:1020:201::3c4/128
13.71.151.88/32 13.76.218.117/32 2603:1020:201::5f2/128
13.75.149.223/32 13.76.219.191/32 2603:1020:300::33/128
13.76.138.63/32 13.76.219.210/32 2603:1020:400::26/128
13.78.120.69/32 13.91.61.249/32 2603:1030:603::3c9/128
13.78.120.70/32 13.91.98.185/32 2603:1030:603::4ed/128
13.78.120.99/32 13.93.216.68/32 2603:1030:603::5e0/128
13.78.120.159/32 13.93.233.42/32 2603:1030:603::6a/128
13.78.122.54/32 23.97.61.137/32 2603:1030:603::72/128
13.80.22.71/32 23.97.150.21/32 2603:1030:a02::118/128
13.80.125.22/32 23.97.152.190/32 2603:1030:a02::367/128
13.84.178.101/32 23.97.209.97/32 2603:1030:a02::5f9/128
13.84.216.209/32 23.99.109.44/32 2603:1040:200::111/128
13.84.218.185/32 23.99.109.64/32 2603:1040:200::325/128
13.84.219.100/32 23.99.116.116/32 2603:1040:200::419/128
13.84.222.249/32 23.99.121.207/32 2603:1040:200::4a9/128
13.87.36.128/32 23.100.86.91/32 2603:1040:400::2f4/128
13.88.17.54/32 23.101.14.229/32 2603:1040:400::5d/128

×
13.93.164.45/32 40.76.1.176/32 2603:1040:401::57/128

13.95.29.177/32 40.76.8.142/32 2603:1040:401::c/128
13.95.30.46/32 40.76.12.4/32 2603:1040:601::1e7/128
13.107.6.156/31 40.76.12.162/32 2603:1040:601::281/128
13.107.7.190/31 40.85.91.8/32 2603:1040:601::2f/128
13.107.9.156/31 40.113.8.255/32 2603:1040:601::36c/128
23.96.32.105/32 40.113.10.78/32 2603:1040:601::4e/128
23.96.241.70/32 40.113.11.93/32 2801:80:1d0:1c00::/64
23.96.251.50/32 40.113.14.159/32 2a01:111:2003::/48
23.96.253.65/32 40.117.144.240/32 2a01:111:200a:a::/64
23.97.66.55/32 40.117.151.29/32 2a01:111:202c::/48
23.97.78.94/32 40.118.211.172/32 2a01:111:202e::/48
23.99.121.16/32 40.121.144.182/32 2a01:111:202e::190/128
23.99.125.4/32 40.122.168.103/32 2a01:111:202e::191/128
23.102.232.134/32 65.52.148.27/32 2a01:111:202e::156/128
40.69.185.117/32 65.52.160.218/32 2a01:111:202d::/48
40.71.88.196/32 65.52.184.75/32 2a01:111:2035:8::/64
40.76.54.117/32 65.52.196.64/32 2a01:111:f100:1002::4134:c0cb/128
40.83.120.174/32 70.37.97.234/32 2a01:111:f100:1002::4134:c440/128
40.83.127.89/32 94.245.108.85/32 2a01:111:f100:1002::4134:d93c/128
40.83.185.155/32 104.41.207.73/32 2a01:111:f100:1002::4134:d9ee/128
40.83.185.230/32 104.42.231.28/32 2a01:111:f100:1004::4134:f0c8/128
40.84.2.83/32 104.43.140.223/32 2a01:111:f100:2002::8975:2c33/128
40.84.4.93/32 104.45.11.195/32 2a01:111:f100:2002::8975:2d11/128
40.84.4.119/32 104.46.38.64/32 2a01:111:f100:2002::8975:2d43/128
40.84.145.72/32 104.46.50.125/32 2a01:111:f100:2002::8975:2d92/128
40.112.144.173/32 104.209.35.177/32 2a01:111:f100:2002::8975:2d98/128
40.112.145.113/32 104.211.54.99/32 2a01:111:f100:2002::8975:2db9/128
40.112.187.89/32 104.211.54.134/32 2a01:111:f100:2002::8975:2cbc/128
40.113.91.234/32 104.215.146.200/32 2a01:111:f100:3002::8987:320c/128
40.117.96.104/32 104.215.198.144/32 2a01:111:f100:3002::8987:342a/128
40.117.100.187/32 111.221.111.196/32 2a01:111:f100:3002::8987:3552/128
40.117.229.133/32 137.116.66.126/32 2a01:111:f100:3002::8987:358e/128
40.117.229.194/32 137.116.81.187/32 2a01:111:f100:4001::4625:609b/128
40.124.8.53/32 157.55.177.39/32 2a01:111:f100:4001::4625:61ea/128
51.140.45.81/32 157.55.184.223/32 2a01:111:f100:4001::4625:a065/128
51.140.226.217/32 157.55.80.94/32 2a01:111:f100:4001::4625:a1e3/128
51.142.213.184/32 168.61.146.25/32 2a01:111:f100:4001::4625:a1e8/128
52.163.58.153/32 168.61.149.17/32 2a01:111:f100:4001::4625:a248/128
52.163.93.38/32 168.61.170.80/32 2a01:111:f100:4001::4625:a3b3/128
52.164.121.65/32 168.61.172.71/32 2a01:111:f100:4001::4625:a4b4/128
52.164.124.124/32 168.62.204.209/32 2a01:111:f100:6000::4134:b0ba/128
52.164.127.6/32 168.62.29.225/32 2a01:111:f100:6000::4134:b84b/128
52.168.128.89/32 168.62.43.8/32 2a01:111:f100:7000::6fdd:682b/128
52.168.177.42/32 168.63.18.79/32 2a01:111:f100:7000::6fdd:699d/128
52.172.49.206/32 168.63.29.74/32 2a01:111:f100:7000::6fdd:6a4e/128
52.174.56.180/32 168.63.100.61/32 2a01:111:f100:7000::6fdd:6b20/128
52.175.154.183/32 168.63.138.56/32 2a01:111:f100:7000::6fdd:6b76/128
52.175.158.8/32 168.63.172.54/32 2a01:111:f100:7000::6fdd:6bc2/128
52.178.27.129/32 168.63.213.238/32 2a01:111:f100:7000::6fdd:6cac/128
52.178.144.25/32 191.237.218.239/32 2a01:111:f100:7000::6fdd:6fc4/128
52.178.146.3/32 207.46.134.255/32 2a01:111:f100:8000::4134:902e/128
52.178.146.67/32 207.46.153.155/32 2a01:111:f100:8000::4134:941b/128
52.178.147.210/32 2a01:111:f100:8001::d5c7:8077/128
52.178.150.186/32 2a01:111:f100:a000::5ef5:581c/128
52.183.75.62/32 2a01:111:f100:a000::5ef5:6c55/128
52.184.165.82/32 2a01:111:f100:7000::6fdd:6095/128
52.185.154.106/32 2a01:111:f100:a001::a83f:5c85/128
52.187.42.197/32 2a01:111:f100:a004::bfeb:8c89/128
52.187.78.144/32 2a01:111:f100:a004::bfeb:8deb/128
52.225.223.43/32 2a01:111:f102:8001::1761:4237/128
52.228.36.141/32 2a01:111:f102:8001::1761:4daf/128
52.230.24.83/32 2a01:111:f102:8001::1761:4f8a/128
52.231.24.115/32 2a01:111:f100:a004::bfeb:8872/128
52.231.204.153/32 2a01:111:f100:a004::bfeb:8a37/128

×
52.233.242.192/32 2a01:111:f406:1000::/64
65.52.144.46/32 2a01:111:f406:1004::/64
65.52.176.186/32 2a01:111:f406:1801::/64
65.52.192.203/32 2a01:111:f406:1805::/64
65.52.220.46/32 2a01:111:f406:3404::/64
65.52.240.200/32 2A01:111:f406:8000::/64
65.55.239.168/32 2a01:111:f406:8801::/64
70.37.96.155/32 2a01:111:f406:a003::/64
94.245.88.28/32 2a01:111:f406:c00::/64
94.245.117.53/32
104.40.178.127/32
104.40.179.160/32
104.40.211.46/32
104.42.225.143/32
104.42.230.91/32
104.43.21.58/32
104.45.225.7/32
104.47.156.62/32
104.211.160.244/32
104.214.107.57/32
104.214.144.62/32
104.214.144.252/32
104.214.145.126/32
104.214.145.173/32
104.214.146.199/32
104.215.28.42/32
111.221.96.149/32
111.221.104.43/32
137.116.156.3/32
137.116.248.150/32
137.117.17.124/32
138.91.61.107/32
157.55.139.177/32
157.55.145.0/25
157.55.155.0/25
157.55.212.37/32
157.55.227.192/26
168.61.149.234/32
168.62.104.83/32
168.62.106.224/32
168.63.92.133/32
191.235.95.142/32
191.238.160.173/32
207.46.73.250/32
207.46.140.244/32
207.46.141.38/32
207.46.156.124/32
207.46.216.54/32
213.199.128.119/32
Expand to see Azure Rights Management (RMS)
The endpoints listed in this section are required if you're using Azure Rights Management. Requests originate
from browsers, clients, and servers and requires the authenticated user to be passed. In addition to the suite-
wide FQDNs, CDNs, and telemetry listed above, you'll need to also add these endpoints. Azure RMS requires
port 443 for all communications, does not rely on CDNs, has no published IP addresses, and is not accessible
over ExpressRoute for Office 365.
Row Purpose Destination

×
2 Required: Azure Rights Management *.aadrm.com
*.azurerms.com
(RMS)
ecn.dev.virtualearth.net
3 Optional: Azure Rights Management 1

*.cloudapp.net
(RMS)
4 Optional: Rights Management *.aadrm.com

connector
Source of network requests: On-

premises server
1
Azure Rights Management Office 2010 Clients Only.
Note: The domains and nodes that the wildcards such as *.aadrm.com & *.azurerms.com
represent are a list of application, functional, and regional domains and nodes used for rights
management functionality. Some are dynamically assigned and all of these sub-domains and
nodes are subject to change at any time as the service improves.
Expand to see the Certificate Revocation List FQDNs
See our article on the Office 365 certificate chains for a more detailed view of the certificate chains including
downloadable p7b.
Office 365 Certificate Revocation List (Root URLs)
*.entrust.net
*.geotrust.com
*.omniroot.com
*.public-trust.com
*.symcb.com
*.symcd.com
*.verisign.com
*.verisign.net
aia.entrust.net
apps.identrust.com
cacert.a.omniroot.com
cacert.omniroot.com
cacerts.digicert.com
cdp1.public-trust.com
cert.int-x3.letsencrypt.org
crl.entrust.net
crl.globalsign.com
crl.globalsign.net
crl.identrust.com
crl.microsoft.com
crl3.digicert.com
crl4.digicert.com
EVIntl-aia.verisign.com
EVIntl-crl.verisign.com
EVIntl-ocsp.verisign.com
evsecure-aia.verisign.com
EVSecure-crl.verisign.com
EVSecure-ocsp.verisign.com
isrg.trustid.ocsp.identrust.com
mscrl.microsoft.com
ocsp.digicert.com
ocsp.entrust.net
ocsp.globalsign.com
ocsp.int-x3.letsencrypt.org
ocsp.msocsp.com
×
ocsp.omniroot.com
Office 365 Certificate Revocation List (Root URLs)
ocsp2.globalsign.com
ocspx.digicert.com
s1.symcb.com
s2.symcb.com
sa.symcb.com
sd.symcb.com
secure.globalsign.com
sr.symcb.com
sr.symcd.com
su.symcb.com
su.symcd.com
vassg142.crl.omniroot.com
vassg142.ocsp.omniroot.com
www.digicert.com
www.microsoft.com
Internet & ER accessible: shared services | authentication | Office Online | Exchange Online | Exchange
Online Protection | Skype for Business Online | Microsoft Teams | SharePoint Online and OneDrive | Dynamics
CRM IP | Dynamics CRM URI | Power BI
Internet accessible: Office 365 Video and Microsoft Stream | Yammer | Sway | Planner | Office Clients |
Microsoft Intune | Microsoft PowerApps | Microsoft Flow
<Back to top>
Office 365 authentication and identity

365 authentication and identity sections to function. To use any Office 365 services, you must be able to
connect to the endpoints marked required in the table below. If your organization uses Azure AD Connect
AAD Connect, AD FS, or Multi-factor authentication, you'll find the associated endpoints below. All IP
addresses entered directly in the Destination IP column are also listed in the IP tables and XML file for your
convenience.
Authentication and identity FQDNs

If you’re using Active Directory Federation Services (AD FS) with your deployment, you can also use AD FS
client access policies with Windows Server 2012 R2 or client access policies with AD FS 2.0 to further restrict
and control access to Office 365. Destinations with a yes in the ExpressRoute for Office 365 BGP
Communities column are advertised over ExpressRoute and the Internet.
The FQDN secure.aadcdn.microsoftonline-p.com needs to be in your client's IE Trusted Sites Zone to function.
Row Purpose Source | Destination ExpressRoute CIDR Address Port

Credentials for Office
365 BGP
Communities
1 Required: Certificate see the well known certificate root

revocation lists CRLs.

×
identity including Graph logged on clientconfig.microsoftonline-p.net Authentication
companymanager.microsoftonline.com
(Graph.Microsoft.com) user device.login.microsoftonline.com and Identity IP
graph.microsoft.com ranges
hip.microsoftonline-p.net
hipservice.microsoftonline.com
login.microsoft.com
login.microsoftonline.com
logincert.microsoftonline.com
loginex.microsoftonline.com
login-us.microsoftonline.com
login.microsoftonline-p.com
login.windows.net
nexus.microsoftonline-p.com
passwordreset.microsoftonline.com
provisioningapi.microsoftonline.com
stamp2.login.microsoftonline.com
ccs.login.microsoftonline.com
3 Required: client or yes Exchange TCP 80 &
ccs-sdf.login.microsoftonline.com
authentication and server / Online IP 443
identity logged on ranges
user
accounts.accesscontrol.windows.net
4 Required: client or no N/A TCP 443
secure.aadcdn.microsoftonline-p.com
authentication and server /
identity logged on
user
*.msecnd.net
5 Optional: client or no N/A TCP 443
*.microsoftonline.com
Legacy/temporary server / *.microsoftonline-p.com
FQDNs (including CDNs) logged on *.microsoftonline-p.net
*.windows.net
user
account.activedirectory.windowsazure.com
6 Optional: Multi-factor client or no N/A TCP 443
secure.aadcdn.microsoftonline-p.com
authentication (MFA) server /
logged on
user
adminwebservice.microsoftonline.com
7 Optional: Azure AD Azure AD yes Authentication TCP 443
login.windows.net
Connect and DirSync Connect provisioningapi.microsoftonline.com and Identity IP
server | ranges
Service
Account
*.microsoftonline.com
8 Optional: Azure AD Azure AD no N/A TCP 80 &
mscrl.microsoft.com
Connect and DirSync Connect secure.aadcdn.microsoftonline-p.com 443
server |
Service
Account
9 Optional: Azure AD client or customer STS environment (AD FS no customer TCP 80 &
Connect (w/SSO option) server / Server and AD FS Proxy) | Ports TCP 80 environment 443
– WinRM & remote logged on & 443
powershell user

×
10 no
Optional: STS such as client or customer STS (such as AD FS Proxy) | customer TCP 443 o
AD FS Proxy server(s) server / Ports TCP 443 or TCP 49443 environment TCP 49443
(for federated customers N/A w/ClientTLS w/ClientTL
only)
11 Optional: AD FS Proxy customer customer AD FS server (FS) | Port TCP no customer TCP 443
server(s) (for federated AD FS 443 environment
customers only) Proxy
(WAP) |
N/A
*.adhybridhealth.azure.com
12 Optional: Azure AD Azure AD no N/A TCP 443
Connect Health Connect *.table.core.windows.net
(including CDNs) Health *.queue.core.windows.net
*.servicebus.windows.net
server |
*.servicebus.windows.net Service management.azure.com
policykeyservice.dc.ad.msft.net
uses TCP 5671 (If 5671 is Account secure.aadcdn.microsoftonline-p.com
blocked, agent falls back
to 443, but using 5671 is
recommended.)
login.microsoftonline.com
13 Optional: Azure AD Azure AD yes Authentication TCP 443
login.windows.net
Connect Health Connect and Identity IP
Health ranges
server |
Service
Account
Note: The sub-FQDN login.windows.net is advertised via Expressroute and included in the office 365 BGP
communities. Also keep in mind that Machine accounts won’t work with proxies that require outbound
authentication.
Expand to see the authentication and identity IP Addresses
Office 365 authentication and identity IPv4 Office 365 authentication and identity IPv6 endpoints
endpoints routable through the Internet and routable through the Internet only
ExpressRoute
13.67.50.224/29 2603:1020:201::4a0/128
13.71.201.64/26 2603:1020:201::4a1/128
13.106.4.128/25 2603:1020:201::4a2/128
13.75.48.16/29 2603:1020:201::4a3/128
13.75.80.16/29 2603:1020:201::4a4/128
13.106.56.0/25 2603:1020:201::4a5/128
20.190.128.0/18 2603:1020:201::4a6/128
23.100.16.168/29 2603:1020:201::4a7/128
23.100.32.136/29 2603:1020:201::4aa/128
23.100.64.24/29 2603:1020:201::581/128
23.100.72.32/29 2603:1020:201::583/128
23.100.80.64/29 2603:1020:201::584/128
23.100.88.32/29 2603:1020:201::586/128
23.100.101.112/28 2603:1020:201::588/128
23.100.104.16/28 2603:1020:201::589/128
23.100.112.64/29 2603:1020:201::58a/128

×
ExpressRoute
23.101.144.136/29 2603:1020:201:2::/64
23.101.165.168/29 2603:1020:201:3::/64
23.101.181.128/29 2603:1030:7::2c/128
23.101.210.24/29 2603:1030:7::2d/128
23.101.222.240/28 2603:1030:7::2f/128
23.101.224.16/29 2603:1030:7::30/128
23.101.226.16/28 2603:1030:7::34/128
40.112.64.16/28 2603:1030:7::3f/128
40.113.192.16/29 2603:1030:7::40/128
40.114.120.16/29 2603:1030:7::41/128
40.115.152.16/28 2a01:111:2005:6::/64
40.127.67.24/29 2a01:111:f100:1002::4134:d89f/128
40.126.0.0/18 2a01:111:f100:1002::4134:d944/128
52.172.144.16/28 2a01:111:f100:1002::4134:d95f/128
65.52.1.16/29 2a01:111:f100:1002::4134:da55/128
65.52.193.136/29 2a01:111:f100:1002::4134:da5c/128
65.54.170.128/25 2a01:111:f100:1002::4134:da81/128
104.40.240.48/28 2a01:111:f100:1002::4134:dab5/128
104.41.13.120/29 2a01:111:f100:1002::4134:daee/128
104.41.216.16/28 2a01:111:f100:1002::4134:db2a/128
104.42.72.16/29 2a01:111:f100:1002::4134:db60/128
104.43.208.16/29 2a01:111:f100:1002::4134:db89/128
104.43.240.16/29 2a01:111:f100:1002::4134:dbe7/128
104.44.218.128/25 2a01:111:f100:1002::4134:dc2d/128
104.44.254.128/25 2a01:111:f100:1002::4134:dc2e/128
104.44.255.0/25 2a01:111:f100:1002::4134:dc43/128
104.45.0.16/28 2a01:111:f100:1002::4134:dc6e/128
104.45.208.104/29 2a01:111:f100:1002::4134:dd7a/128
104.46.112.8/29 2a01:111:f100:1002::4134:ddcb/128
104.46.224.64/28 2a01:111:f100:2002::8975:2c3b/128
104.209.144.16/29 2a01:111:f100:2002::8975:2c3f/128
104.210.48.8/29 2a01:111:f100:2002::8975:2c6d/128
104.210.83.160/29 2a01:111:f100:2002::8975:2cdd/128
104.210.208.16/29 2a01:111:f100:2002::8975:2cea/128
104.211.16.16/29 2a01:111:f100:2002::8975:2ced/128
104.211.48.16/29 2a01:111:f100:2002::8975:2d08/128
104.211.88.16/28 2a01:111:f100:2002::8975:2d19/128
104.211.216.32/27 2a01:111:f100:2002::8975:2d25/128
104.215.96.24/29 2a01:111:f100:2002::8975:2d4d/128
104.215.144.64/29 2a01:111:f100:2002::8975:2d6a/128
104.215.184.16/29 2a01:111:f100:2002::8975:2d97/128
132.245.165.0/25 2a01:111:f100:2002::8975:2daa/128
134.170.67.0/25 2a01:111:f100:2002::8975:2dc7/128
134.170.172.128/25 2a01:111:f100:3002::8987:30a0/128
157.55.45.128/25 2a01:111:f100:3002::8987:3103/128
157.55.59.128/25 2a01:111:f100:3002::8987:3278/128
157.55.130.0/25 2a01:111:f100:3002::8987:328f/128
157.55.145.0/25 2a01:111:f100:3002::8987:3299/128
157.55.155.0/25 2a01:111:f100:3002::8987:3344/128
157.55.227.192/26 2a01:111:f100:3002::8987:3396/128
157.56.53.128/25 2a01:111:f100:3002::8987:3398/128
157.56.55.0/25 2a01:111:f100:3002::8987:33b3/128
157.56.58.0/25 2a01:111:f100:3002::8987:33ec/128
157.56.151.0/25 2a01:111:f100:3002::8987:34eb/128
191.232.2.128/25 2a01:111:f100:3002::8987:34f8/128
191.237.248.32/29 2a01:111:f100:3002::8987:353b/128
191.237.252.192/28 2a01:111:f100:3002::8987:35b5/128
2a01:111:f100:4001::4625:a3ee/128
2a01:111:f100:4001::4625:a4b6/128
2a01:111:f100:4001::4625:a4ba/128
2a01:111:f100:4001::4625:a4c7/128
2a01:111:f100:4001::4625:a4cf/128
2a01:111:f100:4001::4625:a4ee/128
2a01:111:f100:4001::4625:a56f/128
2a01:111:f100:4001::4625:a589/128
2a01:111:f100:7000::6fdd:6a44/128
2a01:111:f100:7000::6fdd:6b96/128

×
ExpressRoute
2a01:111:f100:7000::6fdd:6d1c/128
2a01:111:f100:7000::6fdd:6d23/128
2a01:111:f100:7000::6fdd:6d50/128
2a01:111:f100:7000::6fdd:6d88/128
2a01:111:f100:a004::bfeb:8a92/128
2a01:111:f100:a004::bfeb:8ab0/128
2a01:111:f100:a004::bfeb:8b12/128
2a01:111:f100:a004::bfeb:8b15/128
2a01:111:f100:a004::bfeb:8b3c/128
2a01:111:f100:a004::bfeb:8b47/128
2a01:111:f100:a004::bfeb:8b6c/128
2a01:111:f100:a004::bfeb:8beb/128
2a01:111:f100:a004::bfeb:8c55/128
2a01:111:f100:a004::bfeb:8c6d/128
2a01:111:f100:a004::bfeb:8c6f/128
2a01:111:f100:a004::bfeb:8c88/128
2a01:111:f100:a004::bfeb:8cc0/128
2a01:111:f100:a004::bfeb:8cdc/128
2a01:111:f100:a004::bfeb:8d83/128
2a01:111:f100:a004::bfeb:8d96/128
2a01:111:f100:a004::bfeb:8daa/128
2a01:111:f102:8001::1761:4929/128
2a01:111:f102:8001::1761:4948/128
2a01:111:f102:8001::1761:4b83/128
2a01:111:f102:8001::1761:4f0d/128
2a01:111:f102:8001::1761:4f32/128
2a01:111:f102:8001::1761:4f64/128
2a01:111:f102:8001::1761:4f8d/128
2a01:111:f102:8001::1761:4fc0/128
2a01:111:f400::/48
2001:df0:d9:200::/64
2603:1047:100::/64
2a01:111:2035:8::/64
2a01:111:200a:a::/64
2a01:111:f406:1::/64
2a01:111:f406:2::/64
2a01:111:f406:1004::/64
2a01:111:f406:1805::/64
2a01:111:f406:3404::/64
2A01:111:F406:8000::/64
2a01:111:f406:8801::/64
2a01:111:f406:a003::/64
2A01:111:F406:C00::/64
<Back to top>
Office Online
Office Online FQDNs

×
the endpoints marked required in the table below. Destinations with a yes in the ExpressRoute for Office
365 BGP Communities column are advertised over ExpressRoute and the Internet.
Office Online is only available in the browser and requires the authenticated user to be passed through any
proxies. Office Online only requires TCP Port 443. In addition to the suite-wide FQDNs, CDNs, and telemetry
listed above, you'll need to also add these endpoints.
Row Purpose Destination ExpressRoute for CIDR

Office 365 BGP Address
Communities
1 Required: suite- see Office 365 required entries for

wide services shared services and authentication
*broadcast.officeapps.live.com
2 Required: Office yes Office
*excel.officeapps.live.com
Online *onenote.officeapps.live.com Online IP
*powerpoint.officeapps.live.com Ranges.
*view.officeapps.live.com
*visio.officeapps.live.com
*word-edit.officeapps.live.com
*word-view.officeapps.live.com
office.live.com
*.cdn.office.net
3 Required: Content no N/A
contentstorage.osi.office.net
Delivery Network for
Office Web Apps
Note: The domains and nodes that the wildcards such as *visio.officeapps.live.com represent are a list of 20+
regional nodes. Similarly, the wildcard in the *.cdn.office.net entry represents a collection of application,
functional, and regional domains and nodes used only by Office Online. All of these sub-domains and nodes
are subject to change at any time as the service improves.
Expand to see the Office Online IP Addresses
Office Web Apps IPv4 endpoints routable Office Web Apps IPv6 endpoints routable through
through the Internet and ExpressRoute the Internet only
13.69.187.20/32 2603:1020:201::37/128
13.70.184.242/32 2603:1020:201:9::c6/128
13.71.155.176/32 2603:1030:1000::1d/128
13.75.153.216/32 2603:1030:f00::17/128
13.76.140.48/32 2603:1040:200::5dc/128
13.78.114.39/32 2603:1040:401::762/128
13.85.84.102/32 2603:1040:601::60f/128
13.88.248.161/32 2603:1040:a01::1e/128
13.88.254.212/32 2603:1040:c01::28/128
13.107.6.171/32 2603:1050:1::cd/128
13.107.6.172/32 2620:1ec:a92::171/128
23.98.219.76/32 2a01:111:f100:2002::8975:2d79/128
40.68.166.51/32 2a01:111:f100:2002::8975:2da8/128
40.71.251.78/32 2a01:111:f100:4001::4625:a1c3/128
40.74.130.243/32 2a01:111:f100:4001::4625:a419/128
40.74.138.42/32 2a01:111:f100:7000::6fdd:6cd5/128
40.86.230.88/32 2a01:111:f100:a004::bfeb:8ba7/128
40.87.61.217/32
40.114.192.209/32
40.117.226.146/32
×
40.126.236.216/32
Office Web Apps IPv4 endpoints routable Office Web Apps IPv6 endpoints routable through
through the Internet and ExpressRoute the Internet only
40.127.79.139/32
51.140.46.128/32
51.140.46.150/32
51.141.1.194/32
51.141.8.160/32
52.108.0.0/14
52.164.242.47/32
52.169.109.48/32
52.172.12.123/32
52.172.13.171/32
52.172.152.100/32
52.172.153.104/32
52.174.190.59/32
52.175.25.142/32
52.232.128.169/32
104.40.225.204/32
104.41.62.54/32
104.214.38.136/32
104.215.194.17/32
137.116.172.39/32
137.135.65.72/32
191.235.84.172/32
191.235.87.181/32
191.237.40.220/32
<Back to top>
Exchange Online
Exchange Online FQDNs

365 authentication and identity sections to function. To use Exchange Online, including mail retrieval, OWA,
Unified Messaging, and so on, you must be able to connect to the endpoints marked required below. If your
organization uses Exchange Hybrid or is migrating email to Office 365, you'll find the associated endpoints
below.
Destinations with a yes in the ExpressRoute for Office 365 BGP Communities column are advertised over
ExpressRoute and the Internet with the exception of *.outlook.com, there are specific sub-FQDNs within this
domain, such as the CNAME xsi.outlook.com which refers to a CDN that have no published IPs and are not
available over ExpressRoute, there are other sub-domains that are available on ExpressRoute, learn more by
reading the section, Deciding which applications and features route over ExpressRoute.

365 BGP

×
1 Required: see Office 365 required entries for
suite-wide shared services and authentication
services
2 Required: EOP see Exchange Online Protection (EOP)

services
smtp.office365.com
3 Required: client yes Exchange Online TCP 587
client SMTP computer | IP ranges.
Relay logged on
user
*.outlook.com
4 Required: client or yes Exchange Online TCP 80 & 443
*.outlook.office.com
Exchange on- outlook.office365.com IP ranges.
Online premises autodiscover-<tenant>.outlook.com
(including Exchange
OWA, Outlook, server |
EWS, MRS logged on
migrations, and user or
so on). machine
account
xsi.outlook.com
5 Required: client or no N/A TCP 80 & 443
Exchange server | r3.res.office365.com
Online CDNs logged on r4.res.office365.com
(including user
OWA, Outlook,
and so on).
*.um.outlook.com 65.55.94.0/25
6 Optional: on- no Any-TCP/UDP
207.46.198.0/25
Exchange premises 213.199.177.0/26
Online Unified Session (Bidirectional
Messaging/SBC Border 157.55.9.128/25 for inbound,

111.221.66.0/25 calls , MWI)
integration. Controller 207.46.58.128/25
Note: These IP
addresses are
provided for
informational
purposes and are
not included in the
XML.
7 Optional: Exchange customer on-premises Exchange yes Customer IP TCP 443

Exchange Online IP
Hybrid co- ranges |
existence N/A
functions such
as Free/Busy
sharing.

×
Hybrid proxy ranges | cert based
authentication N/A authentication)
*.store.core.windows.net
9 Optional: used existing no N/A TCP 80 & 443
asl.configure.office.com
to configure Exchange mshrcstorageprod.blob.core.windows.net
Exchange service | tds.configure.office.com
Hybrid, using N/A
the Exchange
Hybrid
Configuration
Wizard.
Note: These
endpoints are
only required to
configure
Exchange hybrid.
Rows 8-10
describe the
ongoing traffic.
1 40.118.209.192/32
10 Optional: used existing domains.live.com yes TCP 80 & 443
168.62.190.41/32
to configure Exchange
Exchange service | Note: These IP
Hybrid, using N/A addresses are
the Exchange provided for
informational
Hybrid
purposes and are
Configuration
not included in the
Wizard. XML.
Note: These
endpoints are
only required to
configure
Exchange hybrid.
Rows 8-10
describe the
ongoing traffic.
11 Optional: IMAP4 yes Exchange Online TCP 143/993
Exchange Service | IP ranges.
Online IMAP4 N/A
migration
12 Optional: POP3 yes Exchange Online TCP 995
Exchange Service | IP ranges.
Online POP3 N/A
migration
1
Only required for Exchange 2010 SP3 Hybrid Configuration Wizard.
Note: The domains and nodes that the wildcards such as *.outlook.office.com & *.um.outlook.com represent
are a list of application, functional, and regional domains and nodes used for Exchange Online functionality.

×
domains and nodes for Exchange Online functionality, 3rd party CDNs for Exchange Online such as
xsi.outlook.com, and sub-domains that other parts of o365 use.
Expand to see the Exchange Online IP Addresses
Exchange Online Protection FQDNs

To use Exchange Online Protection as a stand alone service or as the SMTP engine with Exchange Online, you
must be able to connect to the endpoints marked required below. Note the EOP SMTP IP addresses are
linked to in row 2, 3, & 4 instead of being listed directly on this page. In addition to the suite-wide FQDNs,
CDNs, and telemetry listed above, you'll need to also add these endpoints. All Exchange Online Protection
endpoints are available over ExpressRoute and do not rely on a CDN.
Row Purpose Source | Destination CIDR Address Port

Credentials
1 Required: see Office 365 required entries for

suite-wide shared services and authentication
services.
2 Required: client or server / *.protection.outlook.com see Exchange TCP

EOP logged on user Online 443
Protection IP
Addresses
3 Required: existing email <customer domain- see Exchange TCP

send SMTP environment | key>.mail.protection.outlook.com Online 25
email N/A Protection IP
Addresses
4 Required: see Exchange customer email environment customer email TCP

receive Online Protection environment 25
SMTP email IP Addresses |
N/A
Note: The domains and nodes that the wildcards such as *.protection.outlook.com represent are a list of
application, functional, and regional domains and nodes used for mail delivery, security, and compliance
functionality. Some are dynamically assigned and all of these sub-domains and nodes are subject to change at
any time as the service improves.
<Back to top>

×
Skype for Business Online
Skype for Business Online FQDNs

To use Skype for Business online, ensure both the FQDN and IP Address endpoints listed in the Skype for
Business Online tables below are reachable. These tables are updated regularly as Microsoft works to build
out its network to increase reliability and performance. Please be sure to subscribe to changes in this
documentation to insure changes are incorporated in your networking configuration.
The IP Address endpoints listed in the Skype for Business online IP Addresses includes IP’s required for both
Skype for Business online and Teams. If your company also wants to use Microsoft Teams, there is no extra
work required as long as you whitelist all the IPs in this section. The FQDN endpoints listed in the Skype for
Business online FQDNs only covers those FQDNs that are required for Skype for Business online. If your
company wants to use Microsoft Teams, you need to add the FQDNs for Microsoft Teams listed in the
Microsoft Teams section. Destinations with a yes in the ExpressRoute for Office 365 BGP Communities
column are advertised over ExpressRoute and the Internet.
To use Skype for Business Online, you must first enable endpoints for authentication as well as the Office 365
portal and shared service. You must also ensure the endpoints in the Skype for Business Online FQDN and IP
Address tables are reachable. To see the IP addresses, expand the IP address section below the table
describing the traffic flow. Keep in mind that wildcards represent all possible sub-domains under the root.

365 BGP
Communities
1 Required: see Office 365 required entries

suite-wide for shared services,
services. authentication, and Office Online
*.lync.com
2 Required: client yes Skype for Business IP TCP 443
*.cqd.lync.com
Skype for computer | *.infra.lync.com ranges.
Business. logged on *.online.lync.com
*.resources.lync.com
Including SIP user
*.config.skype.com
signaling, *.skypeforbusiness.com
Persistent *.pipe.aria.microsoft.com
Shared config.edge.skype.com
pipe.skype.com
Object s-0001.s-msedge.net
Model s-0004.s-msedge.net
(PSOM)
connections
web
conferencing,
HTTPS
downloads,
and Call
Quality
Dashboard
*.lync.com
3 Required: client yes Skype for Business IP TCP 443,

×
& Desktop logged on 3479,
sharing user 3480, &
3481
Optional:
TCP &
UDP
50,000-
59,999
*.lync.com
4 Required: client yes Skype for Business IP TCP 5223
Lync Mobile computer | ranges.
push logged on
notifications user
for Lync
Mobile 2010
on iOS
devices. You
don't need
this for
Android,
Nokia
Symbian or
Windows
Phone
mobile
devices.
*.azureedge.net
5 Required: client no N/A TCP 80 &
*.sfbassets.com
Skype for computer | *.urlp.sfbassets.com 443
Business logged on skypemaprdsitus.trafficmanager.net
CDNs user
quicktips.skypeforbusiness.com
6 Required: client no N/A. TCP 443
swx.cdn.skype.com
Skype client computer |
quicktips & logged on
OWA user
integration
*.api.skype.com
7 Optional: client no SkypeGraph.skype.com TCP 443
*.users.storage.live.com
Federation computer | skypegraph.skype.com IP range information
with Skype logged on
and public user
IM
connectivity:
Contact
picture
retrieval
To use Skype Meeting Broadcast, the following endpoints need to be accessible to client computers.

×
365 BGP
Communities
1 Required: see Skype for Business Online and ensure all entries
Skype for labeled "required" are accessible.
Business
endpoints.
*.broadcast.skype.com
2 Required: client yes Skype TCP
broadcast.skype.com
Skype computer / browser.pipe.aria.microsoft.com for 443
Meeting logged on Business
Broadcast user IP
presenter ranges.
and
attendee
aka.ms
3 Required: client no N/A TCP
amp.azure.net
Skype computer / 443
Meeting logged on
Broadcast user
presenter
and
attendee
*.keydelivery.mediaservices.windows.net
4 Required: client no N/A TCP
*.msecnd.net
Skype computer / *.streaming.mediaservices.windows.net 443
Meeting logged on ajax.aspnetcdn.com
mlccdn.blob.core.windows.net
Broadcast user
presenter
and
attendee
(including
CDNs)
Notes:
The domains and nodes that the wildcards such as *.lync.com, *.config.skype.com, *.broadcast.skype.com,
*.skypeforbusiness.com, *.sfbassets.com, & *.urlp.sfbassets.com represent are a list of application,
functional, and regional domains and nodes used for Skype for Business Online functionality. Some are
dynamically assigned and all of these sub-domains and nodes are subject to change at any time as the
service improves.
The wildcards for mediaservices.windows.net represents a list of media services endpoints associated with
Azure Media Services where video content is pulled from. These endpoints are available via the internet
and Azure Public peering. The wildcard for msecnd.net represents a dynamically generated endpoint within
the CDN that join page libraries are pulled from.
Expand to see the Skype for Business Online IP Addresses
Skype for Business Online IPv4 endpoints routable Skype for Business Online IPv6 endpoints
through the Internet and ExpressRoute routable through the Internet only

×
13.64.106.229/32 2603:1027::/48
13.67.180.128/32 2603:1029:100::/48
13.70.89.162/32 2603:1037::/48
13.70.156.147/32 2603:1039:100::/48
13.70.159.107/32 2603:1047::/48
13.71.127.197/32 2603:1049:100::/48
13.73.109.13/32 2603:1057::/48
13.73.155.42/32 2620:1ec:6::/48
13.75.154.195/32 2620:01ec:0042::/48
13.75.159.17/32 2620:1ec:40::/42
13.75.159.51/32 2a01:111:2047:2::/64
13.76.188.52/32 2a01:111:2047:1::/64
13.76.189.79/32 2a01:111:2048:2::/64
13.76.241.210/32 2a01:111:2048:1::/64
13.77.7.84/32 2a01:111:f406:3406::/64
13.78.93.8/32 2a01:111:f406:3405::/64
13.78.94.7/32 2a01:111:200f:11::/64
13.78.95.252/32 2a01:111:200f:10::/64
13.78.112.190/32 2a01:111:2007:3::/64
13.79.153.60/32 2a01:111:2007:4::/64
13.91.106.134/32 2a01:111:200f:6::/64
13.91.252.242/32 2a01:111:200f:7::/64
13.93.167.93/32 2a01:111:200f:8::/64
13.95.234.10/32 2a01:111:200f:9::/64
13.107.3.0/24 2a01:111:2012:2::/64
13.107.8.0/24 2a01:111:2012:3::/64
13.107.17.0/24 2a01:111:2012:4::/64
13.107.64.0/18 2a01:111:2012:5::/64
13.107.242.0/24 2a01:111:2012:6::/64
23.97.78.16/32 2a01:111:2012:7::/64
23.99.101.118/32 2a01:111:202a:2::/64
23.99.112.73/32 2a01:111:202a:3::/64
23.99.113.163/32 2a01:111:202b:3::/64
23.99.121.38/32 2a01:111:202b:4::/64
23.101.61.176/32 2a01:111:202b:9::/64
23.101.112.170/32 2a01:111:202b:a::/64
23.101.151.89/32 2a01:111:202f::/48
23.103.176.128/26 2a01:111:2034:2::/64
23.103.176.192/27 2a01:111:2034:3::/64
23.103.178.128/26 2a01:111:2035:6::/64
23.103.178.192/27 2a01:111:2035:7::/64
40.69.45.108/32 2a01:111:2036:2::/64
40.74.62.125/32 2a01:111:2036:3::/64
40.74.113.62/32 2a01:111:203e:1::/64
40.74.129.215/32 2a01:111:203e:2::/64
40.74.130.253/32 2a01:111:2040:1::/64
40.74.143.94/32 2a01:111:2040:2::/64
40.76.77.68/32 2a01:111:2046:4::/64
40.78.98.202/32 2a01:111:2046:5::/64
40.78.146.128/32 2a01:111:2a:7::/64
40.83.17.24/32 2a01:111:2a:8::/64
40.83.124.144/32 2a01:111:f402:5802::/64
40.84.28.125/32 2a01:111:f402:5803::/64
40.113.87.220/32 2a01:111:f402:5805::/64
40.114.149.220/32 2a01:111:f404:0c06::/64
40.115.1.44/32 2a01:111:f404:0c07::/64
40.117.100.83/32 2a01:111:f404:0c09::/64
40.117.145.132/32 2a01:111:f404:0c0a::/64
40.118.214.164/32 2a01:111:f404:3400::/64
40.118.253.51/32 2a01:111:f404:3401::/64
40.121.200.212/32 2a01:111:f404:8002::/64
40.122.44.96/32 2a01:111:f404:8003::/64
40.122.165.60/32 2a01:111:f404:9400::/64
40.123.43.195/32 2a01:111:f404:9401::/64
40.127.129.109/32 2a01:111:f404:a000::/64
40.127.169.165/32 2a01:111:f404:a001::/64
51.140.51.73/32 2a01:111:f404:a800::/64
51.140.62.120/32 2a01:111:f404:a801::/64

×
51.141.13.77/32 2a01:111:f406:2400::/64
51.141.28.50/32 2a01:111:f406:2401::/64
51.141.42.151/32 2a01:111:f406:402::/64
51.141.49.0/32 2a01:111:f406:403::/64
52.112.0.0/14
52.163.225.1/32
52.163.230.187/32
52.163.231.50/32
52.165.150.215/32
52.166.61.83/32
52.169.9.241/32
52.169.154.144/32
52.172.220.246/32
52.173.190.229/32
52.174.186.47/32
52.175.37.105/32
52.178.114.127/32
52.178.179.194/32
52.178.186.230/32
52.178.198.107/32
52.179.139.166/32
52.183.117.84/32
52.187.6.119/32
52.187.79.90/32
52.233.128.227/32
65.55.127.0/24
66.119.157.192/26
66.119.158.0/25
104.40.91.215/32
104.41.208.54/32
104.44.195.0/24
104.44.200.0/23
104.45.18.178/32
104.45.231.95/32
104.46.62.41/32
104.47.151.128/32
104.208.28.54/32
104.208.31.113/32
104.209.188.207/32
104.210.9.95/32
104.211.188.146/32
111.221.76.128/25
111.221.77.0/26
131.253.128.0/19
131.253.160.0/20
137.116.66.252/32
137.116.248.105/32
137.117.109.221/32
137.117.128.25/32
168.61.145.101/32
168.61.155.249/32
168.63.204.74/32
168.63.245.120/32
207.46.5.0/24
<Back to top>

×
Microsoft Teams
Microsoft Teams FQDNs

To use Microsoft Teams, ensure both the FQDN and IP Address endpoints listed in the Microsoft Teams tables
below are reachable. These tables are updated regularly as Microsoft works to build out its network to
increase reliability and performance. Please be sure to subscribe to changes in this documentation to insure
changes are incorporated in your networking configuration. Destinations with a yes in the ExpressRoute for
Office 365 BGP Communities column are advertised over ExpressRoute and the Internet.
Wildcards represent regional installations of these services.
Row Purpose Source Destination ExpressRoute CIDR Address Port

|Credentials for Office
365 BGP
Communities
1 Required: see Office 365 required entries

suite-wide for shared services,
services. authentication, and Office Online
*.teams.skype.com
2 Required: Client or Yes Microsoft Teams IP TCP
*.teams.microsoft.com
Microsoft Server / teams.microsoft.com ranges. 80 &
Teams. logged on 443
user
*.asm.skype.com
*.cc.skype.com
Microsoft Server / *.conv.skype.com ranges. 443
Teams logged on *.dc.trouter.io
*.msg.skype.com
collaboration user
prod.registrar.skype.com
prod.tpc.skype.com
13.107.3.0/24
4 Required: Client or These IPs are used by media Yes TCP
13.107.8.0/24
Microsoft Server / without explicit FQDN mappings. 13.107.17.0/24 443
Teams logged on 13.107.64.0/24
13.107.65.0/24 UDP
media user
13.107.242.0/24 3478-
52.114.60.0/22
52.114.124.0/22
3481
52.114.188.0/22
52.114.220.0/22
104.44.195.0/24
104.44.200.0/24
104.44.201.0/24
*.config.skype.com
*.pipe.skype.com
Microsoft Server / *.pipe.aria.microsoft.com ranges. 443
Teams logged on config.edge.skype.com
pipe.skype.com
shared user
s-0001.s-msedge.net
services s-0004.s-msedge.net
scsinstrument-ss-
us.trafficmanager.net

×
scsquery-ss-
asia.trafficmanager.net
*.msedge.net
6 Required: Client or No N/A TCP
compass-ssl.microsoft.com
Microsoft Server / feedback.skype.com 443
Teams logged on
shared user
services
*.secure.skypeassets.com
7 Required: Client or No N/A TCP
mlccdnprod.azureedge.net
Microsoft Server / videoplayercdn.osi.office.net 443
Teams logged on
shared user
services
*.lync.com
8 Optional: Client or Yes Skype for Business IP TCP
*.infra.lync.com
Messaging Server / *.online.lync.com ranges. 443
interop with logged on *.resources.lync.com
*.skypeforbusiness.com
Skype for user
Business
*.azureedge.net
9 Optional: Client or No N/A TCP
*.sfbassets.com
Messaging Server / latest-swx.cdn.skype.com 443
interop with logged on skypemaprdsitus.trafficmanager.net
swx.cdn.skype.com
Skype for user
Business
(including
CDNs)
skypegraph.skype.com
10 Optional: Client or No SkypeGraph.skype.com TCP
Skype Graph Server / IP range information 443
logged on
user
*.giphy.com
11 Optional: Client or No N/A TCP
Microsoft Server / 443
Teams third- logged on
party user
integrations
Note: The domains and nodes that the wildcards such as *.teams.skype.com, *.teams.microsoft.com,
*.config.skype.com, *.secure.skypeassets.com, & *.pipe.skype.com represent are a list of application, functional,
and regional domains and nodes used for Microsoft Teams functionality. Some are dynamically assigned and
all of these sub-domains and nodes are subject to change at any time as the service improves.
Expand to see the Microsoft Teams IP Addresses
Microsoft Teams IPv4 endpoints routable through Microsoft Teams IPv6 endpoints routable

×
the Internet and ExpressRoute through the Internet only
13.64.106.229/32 2603:1027::/48
13.67.180.128/32 2603:1029:100::/48
13.70.89.162/32 2603:1037::/48
13.70.156.147/32 2603:1039:100::/48
13.70.159.107/32 2603:1047::/48
13.71.127.197/32 2603:1049:100::/48
13.73.109.13/32 2603:1057::/48
13.73.155.42/32 2620:1ec:6::/48
13.75.154.195/32 2620:1ec:40::/42
13.75.159.17/32 2a01:111:202f::/48
13.75.159.51/32
13.76.188.52/32
13.76.189.79/32
13.76.241.210/32
13.77.7.84/32
13.78.93.8/32
13.78.94.7/32
13.78.95.252/32
13.78.112.190/32
13.79.153.60/32
13.91.106.134/32
13.91.252.242/32
13.95.234.10/32
13.107.3.0/24
13.107.8.0/24
13.107.17.0/24
13.107.64.0/18
13.107.242.0/24
23.97.78.16/32
23.99.101.118/32
23.99.112.73/32
23.99.113.163/32
23.99.121.38/32
23.101.61.176/32
23.101.112.170/32
23.101.151.89/32
40.69.45.108/32
40.74.62.125/32
40.74.113.62/32
40.74.129.215/32
40.74.130.253/32
40.74.143.94/32
40.76.77.68/32
40.78.98.202/32
40.78.146.128/32
40.83.17.24/32
40.83.124.144/32
40.84.28.125/32
40.113.87.220/32
40.114.149.220/32
40.115.1.44/32
40.117.100.83/32
40.117.145.132/32
40.118.214.164/32
40.118.253.51/32
40.122.44.96/32
40.122.165.60/32
40.123.43.195/32
40.127.129.109/32
40.127.169.165/32
51.140.51.73/32
51.140.62.120/32
51.140.79.167/32
51.140.126.38/32
51.141.13.77/32
51.141.28.50/32
51.141.42.151/32
51.141.49.0/32
52.112.0.0/14
52.163.225.1/32 Was this information helpful? Yes No
×
the Internet and ExpressRoute through the Internet only
52.163.230.187/32
52.163.231.50/32
52.165.150.215/32
52.166.61.83/32
52.169.9.241/32
52.172.220.246/32
52.174.186.47/32
52.175.37.105/32
52.178.114.127/32
52.178.179.194/32
52.178.186.230/32
52.178.198.107/32
52.179.139.166/32
52.183.117.84/32
52.187.79.90/32
104.40.91.215/32
104.41.208.54/32
104.44.195.0/24
104.44.200.0/23
104.45.18.178/32
104.45.231.95/32
104.46.62.41/32
104.47.151.128/32
104.208.28.54/32
104.208.31.113/32
104.209.188.207/32
104.210.9.95/32
104.211.188.146/32
137.116.66.252/32
137.116.248.105/32
137.117.109.221/32
137.117.128.25/32
168.61.145.101/32
168.61.155.249/32
168.63.245.120/32
<Back to top>
SharePoint Online and OneDrive for Business

To use SharePoint Online or OneDrive for Business, you must be able to connect to the endpoints marked
required below. Destinations with a yes in the ExpressRoute for Office 365 BGP Communities column are
advertised over ExpressRoute and the Internet.
SharePoint Online and OneDrive for Business FQDNs

All '.sharepoint.com' FQDNs with '<tenant>' in the FQDN need to be in your client's IE Trusted Sites Zone to
function. In addition to the suite-wide FQDNs, CDNs, and telemetry listed above, you'll need to also add these
endpoints.

×
Source | ExpressRoute
365 BGP
Communities
1 Required: suite-wide see Office 365 required entries for shared

services, local egress, services and authentication
local DNS resolution,
and CRLs.
2 Required: Office see Office Online

Online.
*.sharepoint.com
3 Required: SharePoint client or server / yes SharePoint TCP
*.svc.ms
Online and logged on user <tenant>.sharepoint.com Online IP 80
associated <tenant>-my.sharepoint.com Ranges. &
<tenant>-files.sharepoint.com
applications. 443
<tenant>-myfiles.sharepoint.com
*.sharepointonline.com
4 Required: CDNs for client or server / no N/A TCP
cdn.sharepointonline.com
SharePoint Online logged on user static.sharepointonline.com 80
and associated spoprod-a.akamaihd.net &
publiccdn.sharepointonline.com
applications 443
privatecdn.sharepointonline.com
admin.onedrive.com
5 Required: OneDrive client or server / no N/A TCP
officeclient.microsoft.com
for Business admin & logged on user odc.officeapps.live.com 80
Sharing from the skydrive.wns.windows.com &
Sync client 443
oneclient.sfx.ms
6 Required: CDN client or server / no N/A TCP
endpoint for logged on user 80
OneDrive for &
Business update 443
verification and
download
*.log.optimizely.com
7 Optional: OneDrive client or server / no N/A TCP
click.email.microsoftonline.com
for Business: logged on user ssw.live.com 443
supportability, storage.live.com
telemetry, APIs, and
embedded email
links
*.search.production.us.trafficmanager.net
8 Optional: SharePoint The crawler on no N/A TCP
*.search.production.emea.trafficmanager.net
Hybrid Search - the on-prem SP *.search.production.apac.trafficmanager.net 443
Endpoint to authenticates to
SearchContentService SCS as the
where the hybrid tenant that
crawler feeds does the
documents

×
9 Optional: SharePoint The Host accounts.accesscontrol.windows.net no N/A TCP
Hybrid Search - Controller/Node 443
Endpoint to Runner Account
SearchContentService on the on-prem
to successfully SP server.
authenticate to
remote farm with
OAuth authentication
and authorization.
provisioningapi.microsoftonline.com
10 Optional: SharePoint Global admin or yes Authentication TCP
Hybrid Search - equivalent and Identity IP 443
Required for credentials on ranges
onboarding script to the tenant for
connect to Office 365 which Hybrid
Provisioning Web Search is being
Services. configured
Note: The domains and nodes that the wildcards such as *.sharepoint.com, *.sharepointonline.com, & *.svc.ms
represent are a list of application, functional, and regional domains and nodes used by SharePoint Online. All
of these sub-domains and nodes are subject to change at any time as the service improves.
Expand to see the SharePoint Online IP Addresses
<Back to top>
Additional Office 365 services

Including Office 365 Video, Microsoft Stream, Planner, Sway, Yammer, and Office 365 ProPlus, and other client
software. To use any of these services, in addition to the suite-wide FQDNs, CDNs, and telemetry listed above,
you must be able to connect to the endpoints marked required in the tables below. The destination port is
TCP 443 unless otherwise noted. None of the following services are advertised over Azure ExpressRoute for
Office 365.
Yammer
Yammer is only available in the browser and requires the authenticated user to be passed through a proxy. All
Yammer FQDNs need to be in your client's IE Trusted Sites Zone to function.
Row Purpose Destination CIDR Address
1 Required: suite-wide see Office 365 required entries for shared services and

×
2 Required: Yammer *.yammer.com 13.107.6.158/31
*.yammerusercontent.com 13.107.9.158/31
40.78.62.210/32
134.170.148.0/22
*.assets-yammer.com
3 Required: Yammer N/A
CDN
Note: The domains and nodes that the wildcards such as *.yammer.com, *.yammerusercontent.com, &
*.assets-yammer.com represent are a list of application, functional, and regional domains and nodes used by
Yammer. Some are dynamically assigned and all of these sub-domains and nodes are subject to change at
any time as the service improves.
Planner
Planner is only available in the browser and requires the authenticated user to be passed through a proxy. In
addition to the suite-wide FQDNs, CDNs, and telemetry listed above, you'll need to also add these endpoints.
Row Purpose Destination CIDR Address
1 Required: suite-wide see Office 365 required entries for shared services and
services authentication
tasks.office.com 13.107.6.160/32
2 Required: Planner
cus-000.tasks.osi.office.net 13.107.9.160/32
ea-000.tasks.osi.office.net 23.97.56.236/32
eus-zzz.tasks.osi.office.net 23.97.78.215/32
neu-000.tasks.osi.office.net 40.76.80.180/32
sea-000.tasks.osi.office.net 40.112.223.206/32
weu-000.tasks.osi.office.net 40.127.139.229/32
wus-000.tasks.osi.office.net 104.40.214.0/32
104.43.235.252/32
ajax.aspnetcdn.com
3 Required: Planner N/A
CDNs
Sway
Sway is only available in the browser and requires the authenticated user to be passed through a proxy. In
addition to the suite-wide FQDNs, CDNs, and telemetry listed above, you'll need to also add these endpoints.
1 Required: suite-wide services see Office 365 required entries for shared services and
authentication
sway.com
2 Required: Sway
www.sway.com

×
eus-002.www.sway.com
eus-00a.www.sway.com
eus-00b.www.sway.com
eus-00c.www.sway.com
eus-00d.www.sway.com
eus-00e.www.sway.com
wus-www.sway.com
wus-000.www.sway.com
wus-00a.www.sway.com
wus-00b.www.sway.com
wus-00c.www.sway.com
wus-00d.www.sway.com
wus-00e.www.sway.com
eus-www.sway-cdn.com
3 Required: Sway CDNs
wus-www.sway-cdn.com
eus-www.sway-extensions.com
wus-www.sway-extensions.com
www.google-analytics.com
4 Optional: Sway website analytics
5 Optional: Sway third party access to third party content such as Bing, Flickr, and so on
content
Note: Instead of a wildcard, we've listed every regional and functional FQDN for Sway to help convey what
the other regional, application, and functional wildcards represent for endpoints published in this article.
Office 365 Video and Microsoft Stream
Office 365 Video and Microsoft Stream are only available in the browser and requires the authenticated user
to be passed through a proxy. CIDR formatted IP addresses are not available for either Office 365 Video or
Microsoft Stream.
1 Required: suite-wide services see Office 365 required entries for shared services
and authentication
2 Required: SharePoint Online endpoints listed see SharePoint Online

×
3 Required: Office 365 Video *.keydelivery.mediaservices.windows.net
*.streaming.mediaservices.windows.net
(using Azure Media Services including CDNs

associated with Azure Media Services)
ajax.aspnetcdn.com
4 Required: Office 365 Video CDNs
r3.res.outlook.com
spoprod-a.akamaihd.net
*.api.microsoftstream.com
5 Required: Microsoft Stream. (needs the AAD
*.cloudapp.net
user token) *.notification.api.microsoftstream.com
amp.azure.net
api.microsoftstream.com
az416426.vo.msecnd.net
s0.assets-yammer.com
vortex.data.microsoft.com
web.microsoftstream.com
*.streaming.mediaservices.windows.net
7 Required: Microsoft Stream -
unauthenticated (content is encrypted)
(using Azure Media Services including CDNs

associated with Azure Media Services)
amsglob0cdnstream11.azureedge.net
8 Required: Microsoft Stream CDN
cdn.optimizely.com
9 Optional: Microsoft Stream 3rd party
nps.onyx.azure.net
integration (including CDNs)
Note: The nodes that the wildcards such as *.keydelivery.mediaservices.windows.net &

*.streaming.mediaservices.windows.net represent are dynamic entries for video storage and retrieval.
Office 2016 for Mac, Office 365 ProPlus, and mobile clients
1 Office 2016 for To understand Office 2016 for Mac endpoint requirements, refer to our
Mac reference article Network requests in Office 2016 for Mac.
2 Office 365 To understand Office client network requests including, Office 365 ProPlus,
ProPlus and Office 2016 for Windows, Outlook App for iOS and Windows, and OneNote refer
Mobile clients to the article Network requests in Office and Mobile clients.
How are changes to this page made and how can I be notified?
Office 365 endpoints are published at the end of each month with 30 days notice. Occasionally emergency
changes will occur outside of the end of month publishing or with shorter notice periods. When an endpoint
is added, the effective date listed in the RSS feed

×
How to use the ExpressRoute for Office 365 column
The endpoints listed as a Yes in the ExpressRoute for Office 365 column are available both over the internet
and over ExpressRoute with Microsoft peering configured. Some services that Office 365 leverages are also
available with Public peering configured and those are noted here; however, Public peering is not required to
use ExpressRoute with Office 365 for the Office 365 applications supported over ExpressRoute.
Want to provide feedback about Office 365 endpoints?
There's a lot of information on this page, can we present it to you in a simpler way?
Please consider voicing your thoughts at the bottom of this page, under the heading Was this information
helpful? Click yes or no and enter detailed feedback. The more feedback we get from you the easier it will be
for us to improve the page.
<Back to top>
Here’s a short link you can use to come back: https://aka.ms/o365endpoints
New to Office 365?

Discover free video courses for Office 365 admins and IT pros, brought to you by LinkedIn Learning.
Related Topics
Network connectivity to Office 365
Managing Office 365 endpoints
Troubleshooting Office 365 connectivity
Client connectivity
Content delivery networks
Microsoft Azure Datacenter IP Ranges
Microsoft Public IP Space
Connect with an Expand your skills

expert EXPLORE TRAINING
CONTACT US

×
What's new Store & Support Education Enterprise Developer Company
Surface Book 2 Account profile Microsoft in education Microsoft Azure Microsoft Visual Studio Careers
New Surface Pro Download Center Office for students Enterprise Windows Dev Center About Microsoft
Xbox One X Sales & support Office 365 for schools Data platform Developer Network Company news
Xbox One S Extended holiday returns Deals for students & Find a solutions provider TechNet Privacy at Microsoft
educators
VR & mixed reality Order tracking Microsoft partner resources Microsoft Virtual Academy Investors
Microsoft Azure in
Windows 10 apps Store locations education Microsoft AppSource Microsoft developer Diversity and inclusion
program
Office apps Support Manufacturing & resources Accessibility
Channel 9
12 Days of Deals Buy online, pick up in store Financial services Security
Office Dev Center
English (United States) Contact Us Privacy & Cookies Terms of use & sale Trademarks Office accessibility Legal © Microsoft 2017

×

Support - Office.com En-Us Article Office-365-URLs-and-IP PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Support - Office.com En-Us Article Office-365-URLs-and-IP PDF

Uploaded by

Copyright:

Available Formats

Search Office help

Buy Office 365

Apps Products Resources

Office 365 enterprise

Set up Office 365 services

Setup overview for enterprises

Configure services and applications

Release options in Office 365

Network planning and performance

URLs and IP address ranges

Office 365 integration

About Office 365 identity

Migrate data to Office 365

Deploy Office clients

Security & Compliance

Health and support

Office 365 URLs and IP address ranges

Was this information helpful? Yes No

Portal and shared FQDNs

Row Purpose Destination ExpressRoute CIDR Address Port

Was this information helpful? Yes No

Was this information helpful? Yes No

Note: Many specific FQDNs within

Was this information helpful? Yes No

Expand to see the portal and shared IP Addresses

13.65.240.22/32 13.64.196.27/32 2603:1020:200::682f:a1d8/128

Was this information helpful? Yes No

13.93.164.45/32 40.76.1.176/32 2603:1040:401::57/128

Was this information helpful? Yes No

Expand to see Azure Rights Management (RMS)

Row Purpose Destination

Was this information helpful? Yes No

3 Optional: Azure Rights Management 1

4 Optional: Rights Management *.aadrm.com

Source of network requests: On-

Expand to see the Certificate Revocation List FQDNs

Office 365 Certificate Revocation List (Root URLs)

Office 365 authentication and identity

Authentication and identity FQDNs

Row Purpose Source | Destination ExpressRoute CIDR Address Port

1 Required: Certificate see the well known certificate root

Was this information helpful? Yes No

Was this information helpful? Yes No

Expand to see the authentication and identity IP Addresses

Was this information helpful? Yes No

Was this information helpful? Yes No

Office Online FQDNs

Was this information helpful? Yes No

Row Purpose Destination ExpressRoute for CIDR

1 Required: suite- see Office 365 required entries for

Expand to see the Office Online IP Addresses

Exchange Online FQDNs

Row Purpose Source | Destination ExpressRoute CIDR Address Port

Was this information helpful? Yes No

2 Required: EOP see Exchange Online Protection (EOP)

Messaging/SBC Border 157.55.9.128/25 for inbound,

7 Optional: Exchange customer on-premises Exchange yes Customer IP TCP 443

Was this information helpful? Yes No

Was this information helpful? Yes No

Expand to see the Exchange Online IP Addresses

Exchange Online Protection FQDNs

Row Purpose Source | Destination CIDR Address Port

1 Required: see Office 365 required entries for