Professional Documents
Culture Documents
Support - Office.com En-Us Article Office-365-URLs-and-IP PDF
Support - Office.com En-Us Article Office-365-URLs-and-IP PDF
Install
Templates
Account
Support
Training
Admin
Azure integration
Domains
Manage services
Hybrid environments
Summary: Office 365 requires connectivity to the Internet. The endpoints below should be reachable for
customers using Office 365 plans, including Government Community Cloud (GCC).
Office 365 Worldwide (+GCC) | Office 365 operated by 21 Vianet | Office 365 Germany | Office 365 U.S.
Government DoD | Office 365 U.S. Government GCC High |
1 Required: Internet egress and see well known certificate root CRLs in the table no N/A TCP 80
DNS resolution as close to the below. and Office 365 certificate chains for more 443
user as possible. Ensure public information.
resources such as certificate
revocation lists are accessible.
*.office365.com 2
2 Required: Office 365 portal no portal and TCP 443
shared IP ranges
*.portal.cloudappsecurity.com
3 Required: Office 365 portal yes portal and TCP 443
*.us.portal.cloudappsecurity.com
and shared infrastructure *.eu.portal.cloudappsecurity.com shared IP ranges
(including Cloud App Security *.us2.portal.cloudappsecurity.com & Exchange
<tenant>.onmicrosoft.com
and Delve) Online IP ranges.
account.office.net
agent.office.net
apc.delve.office.com
aus.delve.office.com
can.delve.office.com
delve.office.com
eur.delve.office.com
gbr.delve.office.com
home.office.com
ind.delve.office.com
jpn.delve.office.com
kor.delve.office.com
lam.delve.office.com
nam.delve.office.com
portal.office.com
outlook.office365.com
suite.office.net
webshell.suite.office.com
www.office.com
*.aria.microsoft.com
4 Required: Office 365 aria yes Skype for TCP 443
browser.pipe.aria.microsoft.com
service (used with Skype for mobile.pipe.aria.microsoft.com Business IP
Business Onlnine, Microsoft ranges.
Teams, StaffHub, Outlook
App, and other services.
amp.azure.net
6 Required: shared no N/A TCP 443
auth.gfx.ms
infrastructure, help, and CDNs appsforoffice.microsoft.com
assets.onestore.ms
az826701.vo.msecnd.net
c.microsoft.com
c1.microsoft.com
client.hip.live.com
contentstorage.osi.office.net
dgps.support.microsoft.com
docs.microsoft.com
groupsapi-prod.outlookgroups.ms
groupsapi2-prod.outlookgroups.ms
groupsapi3-prod.outlookgroups.ms
groupsapi4-prod.outlookgroups.ms
msdn.microsoft.com
platform.linkedin.com
products.office.com
prod.msocdn.com
r1.res.office365.com
r4.res.office365.com
res.delve.office.com
shellprod.msocdn.com
support.content.office.net
support.microsoft.com
support.office.com
technet.microsoft.com
templates.office.com
video.osi.office.net
videocontent.osi.office.net
videoplayercdn.osi.office.net
*.manage.office.com
7 Required: Security and yes portal and TCP 443
*.protection.office.com
Compliance Center including manage.office.com shared IP ranges
audit APIs protection.office.com
equivioprod*.cloudapp.net
8 Optional: Security and no N/A TCP 443
equivio.office.com
Compliance Center advanced office365zoom.cloudapp.net
eDiscovery. zoom-cs-prod*.cloudapp.net
*.blob.core.windows.net
9 Optional: Security and no N/A TCP 443
Compliance Center
eDiscovery export
*.helpshift.com
10 Optional: 3rd party office no N/A TCP 443
*.localytics.com
integration. (including CDNs) analytics.localytics.com
api.localytics.com
connect.facebook.net
firstpartyapps.oaspapps.com
outlook.uservoice.com
prod.firstpartyapps.oaspapps.com.akadns.net
rink.hockeyapp.net
sdk.hockeyapp.net
telemetryservice.firstpartyapps.oaspapps.com
web.localytics.com
webanalytics.localytics.com
liverdcxstorage.blob.core.windowsazure.com
12 Optional: Microsoft Azure no N/A TCP 443
telemetry.remoteapp.windowsazure.com
RemoteApp vortex.data.microsoft.com
www.remoteapp.windowsazure.com
*.blob.core.windows.net
13 Optional: no N/A TCP 443
*.hockeyapp.net
*.sharepointonline.com
*.staffhub.office.com
Graph.windows.net
api.office.com
enterpriseregistration.windows.net
Office 365 Management dc.applicationinsights.microsoft.com
Pack for Operations dc.services.visualstudio.com
Manager forms.microsoft.com
forms.office.com
graph.windows.net
SecureScore manage.office.com
mem.gfx.ms
Azure AD Device office365servicehealthcommunications.cloudapp.net
Registration securescore.office.com
signup.microsoft.com
staffhub.ms
Forms staffhubweb.azureedge.net
staffhub.office.com
StaffHub staffhub.uservoice.com
weu-000.forms.osi.office.net
Application Insights wus-000.forms.osi.office.net
neu-000.forms.osi.office.net
eus2-000.forms.osi.office.net
captcha services
ea-000.forms.osi.office.net
watson.telemetry.microsoft.com
wu.client.hip.live.com
14 Optional: Import Service for refer to the import service for additional
PST and file ingestion requirements.
testconnectivity.microsoft.com 13.67.59.89/32
15 Optional: Remote no TCP 80
40.69.150.142/32
Connectivity Analyzer - 40.85.91.8/32 443
Initiate connectivity tests. 104.211.54.99/32
104.211.54.134/32
16 Optional: Remote on-premises systems for email and no customer IP 80, 443
Connectivity Analyzer - collaboration. ranges POP3 o
Execution of the tests selected (110, 99
by the customer. Custom
IMAP4
source of network requests: (143, 99
testconnectivity.microsoft.com
Custom
o365diagnosticsbasic-
eus.cloudapp.net
(104.211.54.99)
o365diagnosticworker-
eus.cloudapp.net
(104.211.54.134)
1
Keep in mind that Machine accounts won’t work with proxies that require outbound authentication.
2
There are specific sub-FQDNs within this domain that are available on ExpressRoute, learn more by reading
the section, Deciding which applications and features route over ExpressRoute.
Note: The domains and nodes that the wildcards such as *.office365.com & *.portal.cloudappsecurity.com
represent are a list of application, functional, and regional domains and nodes used for the Office 365 suite.
Some are dynamically assigned and all of these sub-domains and nodes are subject to change at any time as
the service improves. Other wildcards such as *.office.com, *.office.net, *.onmicrosoft.com, *.microsoft.com, &
*.msocdn.com are used to capture the long list of shared Microsoft-wide services that Office 365 relies on at
times and can be treated as general Internet traffic where a specific FQDN is not defined. The wildcards used
in the advanced eDiscovery service such as equivioprod*.cloudapp.net and zoom-cs-prod*.cloudapp.net
represent a long list of FQDNs such as equivioprod-4.cloudapp.net.
Office 365 portal and shared Office 365 portal and Office 365 portal and shared IPv6
IPv4 endpoints routable shared IPv4 endpoints endpoints routable through the Internet
through the Internet and routable through the only
ExpressRoute Internet only
52.233.242.192/32 2a01:111:f406:1000::/64
65.52.144.46/32 2a01:111:f406:1004::/64
65.52.176.186/32 2a01:111:f406:1801::/64
65.52.192.203/32 2a01:111:f406:1805::/64
65.52.220.46/32 2a01:111:f406:3404::/64
65.52.240.200/32 2A01:111:f406:8000::/64
65.55.239.168/32 2a01:111:f406:8801::/64
70.37.96.155/32 2a01:111:f406:a003::/64
94.245.88.28/32 2a01:111:f406:c00::/64
94.245.117.53/32
104.40.178.127/32
104.40.179.160/32
104.40.211.46/32
104.42.225.143/32
104.42.230.91/32
104.43.21.58/32
104.45.225.7/32
104.47.156.62/32
104.211.160.244/32
104.214.107.57/32
104.214.144.62/32
104.214.144.252/32
104.214.145.126/32
104.214.145.173/32
104.214.146.199/32
104.215.28.42/32
111.221.96.149/32
111.221.104.43/32
137.116.156.3/32
137.116.248.150/32
137.117.17.124/32
138.91.61.107/32
157.55.139.177/32
157.55.145.0/25
157.55.155.0/25
157.55.212.37/32
157.55.227.192/26
168.61.149.234/32
168.62.104.83/32
168.62.106.224/32
168.63.92.133/32
191.235.95.142/32
191.238.160.173/32
207.46.73.250/32
207.46.140.244/32
207.46.141.38/32
207.46.156.124/32
207.46.216.54/32
213.199.128.119/32
The endpoints listed in this section are required if you're using Azure Rights Management. Requests originate
from browsers, clients, and servers and requires the authenticated user to be passed. In addition to the suite-
wide FQDNs, CDNs, and telemetry listed above, you'll need to also add these endpoints. Azure RMS requires
port 443 for all communications, does not rely on CDNs, has no published IP addresses, and is not accessible
over ExpressRoute for Office 365.
1
Azure Rights Management Office 2010 Clients Only.
Note: The domains and nodes that the wildcards such as *.aadrm.com & *.azurerms.com
represent are a list of application, functional, and regional domains and nodes used for rights
management functionality. Some are dynamically assigned and all of these sub-domains and
nodes are subject to change at any time as the service improves.
See our article on the Office 365 certificate chains for a more detailed view of the certificate chains including
downloadable p7b.
*.entrust.net
*.geotrust.com
*.omniroot.com
*.public-trust.com
*.symcb.com
*.symcd.com
*.verisign.com
*.verisign.net
aia.entrust.net
apps.identrust.com
cacert.a.omniroot.com
cacert.omniroot.com
cacerts.digicert.com
cdp1.public-trust.com
cert.int-x3.letsencrypt.org
crl.entrust.net
crl.globalsign.com
crl.globalsign.net
crl.identrust.com
crl.microsoft.com
crl3.digicert.com
crl4.digicert.com
EVIntl-aia.verisign.com
EVIntl-crl.verisign.com
EVIntl-ocsp.verisign.com
evsecure-aia.verisign.com
EVSecure-crl.verisign.com
EVSecure-ocsp.verisign.com
isrg.trustid.ocsp.identrust.com
mscrl.microsoft.com
ocsp.digicert.com
ocsp.entrust.net
ocsp.globalsign.com
ocsp.int-x3.letsencrypt.org
ocsp.msocsp.com
Was this information helpful? Yes No
×
ocsp.omniroot.com
Office 365 Certificate Revocation List (Root URLs)
ocsp2.globalsign.com
ocspx.digicert.com
s1.symcb.com
s2.symcb.com
sa.symcb.com
sd.symcb.com
secure.globalsign.com
sr.symcb.com
sr.symcd.com
su.symcb.com
su.symcd.com
vassg142.crl.omniroot.com
vassg142.ocsp.omniroot.com
www.digicert.com
www.microsoft.com
Internet & ER accessible: shared services | authentication | Office Online | Exchange Online | Exchange
Online Protection | Skype for Business Online | Microsoft Teams | SharePoint Online and OneDrive | Dynamics
CRM IP | Dynamics CRM URI | Power BI
Internet accessible: Office 365 Video and Microsoft Stream | Yammer | Sway | Planner | Office Clients |
Microsoft Intune | Microsoft PowerApps | Microsoft Flow
<Back to top>
The FQDN secure.aadcdn.microsoftonline-p.com needs to be in your client's IE Trusted Sites Zone to function.
ccs.login.microsoftonline.com
3 Required: client or yes Exchange TCP 80 &
ccs-sdf.login.microsoftonline.com
authentication and server / Online IP 443
identity logged on ranges
user
accounts.accesscontrol.windows.net
4 Required: client or no N/A TCP 443
secure.aadcdn.microsoftonline-p.com
authentication and server /
identity logged on
user
*.msecnd.net
5 Optional: client or no N/A TCP 443
*.microsoftonline.com
Legacy/temporary server / *.microsoftonline-p.com
FQDNs (including CDNs) logged on *.microsoftonline-p.net
*.windows.net
user
account.activedirectory.windowsazure.com
6 Optional: Multi-factor client or no N/A TCP 443
secure.aadcdn.microsoftonline-p.com
authentication (MFA) server /
logged on
user
adminwebservice.microsoftonline.com
7 Optional: Azure AD Azure AD yes Authentication TCP 443
login.windows.net
Connect and DirSync Connect provisioningapi.microsoftonline.com and Identity IP
server | ranges
Service
Account
*.microsoftonline.com
8 Optional: Azure AD Azure AD no N/A TCP 80 &
mscrl.microsoft.com
Connect and DirSync Connect secure.aadcdn.microsoftonline-p.com 443
server |
Service
Account
9 Optional: Azure AD client or customer STS environment (AD FS no customer TCP 80 &
Connect (w/SSO option) server / Server and AD FS Proxy) | Ports TCP 80 environment 443
– WinRM & remote logged on & 443
powershell user
11 Optional: AD FS Proxy customer customer AD FS server (FS) | Port TCP no customer TCP 443
server(s) (for federated AD FS 443 environment
customers only) Proxy
(WAP) |
N/A
*.adhybridhealth.azure.com
12 Optional: Azure AD Azure AD no N/A TCP 443
*.blob.core.windows.net
Connect Health Connect *.table.core.windows.net
(including CDNs) Health *.queue.core.windows.net
*.servicebus.windows.net
server |
*.servicebus.windows.net Service management.azure.com
policykeyservice.dc.ad.msft.net
uses TCP 5671 (If 5671 is Account secure.aadcdn.microsoftonline-p.com
blocked, agent falls back
to 443, but using 5671 is
recommended.)
login.microsoftonline.com
13 Optional: Azure AD Azure AD yes Authentication TCP 443
login.windows.net
Connect Health Connect and Identity IP
Health ranges
server |
Service
Account
Note: The sub-FQDN login.windows.net is advertised via Expressroute and included in the office 365 BGP
communities. Also keep in mind that Machine accounts won’t work with proxies that require outbound
authentication.
Office 365 authentication and identity IPv4 Office 365 authentication and identity IPv6 endpoints
endpoints routable through the Internet and routable through the Internet only
ExpressRoute
13.67.50.224/29 2603:1020:201::4a0/128
13.71.201.64/26 2603:1020:201::4a1/128
13.106.4.128/25 2603:1020:201::4a2/128
13.75.48.16/29 2603:1020:201::4a3/128
13.75.80.16/29 2603:1020:201::4a4/128
13.106.56.0/25 2603:1020:201::4a5/128
20.190.128.0/18 2603:1020:201::4a6/128
23.100.16.168/29 2603:1020:201::4a7/128
23.100.32.136/29 2603:1020:201::4aa/128
23.100.64.24/29 2603:1020:201::581/128
23.100.72.32/29 2603:1020:201::583/128
23.100.80.64/29 2603:1020:201::584/128
23.100.88.32/29 2603:1020:201::586/128
23.100.101.112/28 2603:1020:201::588/128
23.100.104.16/28 2603:1020:201::589/128
23.100.112.64/29 2603:1020:201::58a/128
23.101.144.136/29 2603:1020:201:2::/64
23.101.165.168/29 2603:1020:201:3::/64
23.101.181.128/29 2603:1030:7::2c/128
23.101.210.24/29 2603:1030:7::2d/128
23.101.222.240/28 2603:1030:7::2f/128
23.101.224.16/29 2603:1030:7::30/128
23.101.226.16/28 2603:1030:7::34/128
40.112.64.16/28 2603:1030:7::3f/128
40.113.192.16/29 2603:1030:7::40/128
40.114.120.16/29 2603:1030:7::41/128
40.115.152.16/28 2a01:111:2005:6::/64
40.127.67.24/29 2a01:111:f100:1002::4134:d89f/128
40.126.0.0/18 2a01:111:f100:1002::4134:d944/128
52.172.144.16/28 2a01:111:f100:1002::4134:d95f/128
65.52.1.16/29 2a01:111:f100:1002::4134:da55/128
65.52.193.136/29 2a01:111:f100:1002::4134:da5c/128
65.54.170.128/25 2a01:111:f100:1002::4134:da81/128
104.40.240.48/28 2a01:111:f100:1002::4134:dab5/128
104.41.13.120/29 2a01:111:f100:1002::4134:daee/128
104.41.216.16/28 2a01:111:f100:1002::4134:db2a/128
104.42.72.16/29 2a01:111:f100:1002::4134:db60/128
104.43.208.16/29 2a01:111:f100:1002::4134:db89/128
104.43.240.16/29 2a01:111:f100:1002::4134:dbe7/128
104.44.218.128/25 2a01:111:f100:1002::4134:dc2d/128
104.44.254.128/25 2a01:111:f100:1002::4134:dc2e/128
104.44.255.0/25 2a01:111:f100:1002::4134:dc43/128
104.45.0.16/28 2a01:111:f100:1002::4134:dc6e/128
104.45.208.104/29 2a01:111:f100:1002::4134:dd7a/128
104.46.112.8/29 2a01:111:f100:1002::4134:ddcb/128
104.46.224.64/28 2a01:111:f100:2002::8975:2c3b/128
104.209.144.16/29 2a01:111:f100:2002::8975:2c3f/128
104.210.48.8/29 2a01:111:f100:2002::8975:2c6d/128
104.210.83.160/29 2a01:111:f100:2002::8975:2cdd/128
104.210.208.16/29 2a01:111:f100:2002::8975:2cea/128
104.211.16.16/29 2a01:111:f100:2002::8975:2ced/128
104.211.48.16/29 2a01:111:f100:2002::8975:2d08/128
104.211.88.16/28 2a01:111:f100:2002::8975:2d19/128
104.211.216.32/27 2a01:111:f100:2002::8975:2d25/128
104.215.96.24/29 2a01:111:f100:2002::8975:2d4d/128
104.215.144.64/29 2a01:111:f100:2002::8975:2d6a/128
104.215.184.16/29 2a01:111:f100:2002::8975:2d97/128
132.245.165.0/25 2a01:111:f100:2002::8975:2daa/128
134.170.67.0/25 2a01:111:f100:2002::8975:2dc7/128
134.170.172.128/25 2a01:111:f100:3002::8987:30a0/128
157.55.45.128/25 2a01:111:f100:3002::8987:3103/128
157.55.59.128/25 2a01:111:f100:3002::8987:3278/128
157.55.130.0/25 2a01:111:f100:3002::8987:328f/128
157.55.145.0/25 2a01:111:f100:3002::8987:3299/128
157.55.155.0/25 2a01:111:f100:3002::8987:3344/128
157.55.227.192/26 2a01:111:f100:3002::8987:3396/128
157.56.53.128/25 2a01:111:f100:3002::8987:3398/128
157.56.55.0/25 2a01:111:f100:3002::8987:33b3/128
157.56.58.0/25 2a01:111:f100:3002::8987:33ec/128
157.56.151.0/25 2a01:111:f100:3002::8987:34eb/128
191.232.2.128/25 2a01:111:f100:3002::8987:34f8/128
191.237.248.32/29 2a01:111:f100:3002::8987:353b/128
191.237.252.192/28 2a01:111:f100:3002::8987:35b5/128
2a01:111:f100:4001::4625:a3ee/128
2a01:111:f100:4001::4625:a4b6/128
2a01:111:f100:4001::4625:a4ba/128
2a01:111:f100:4001::4625:a4c7/128
2a01:111:f100:4001::4625:a4cf/128
2a01:111:f100:4001::4625:a4ee/128
2a01:111:f100:4001::4625:a56f/128
2a01:111:f100:4001::4625:a589/128
2a01:111:f100:7000::6fdd:6a44/128
2a01:111:f100:7000::6fdd:6b96/128
2a01:111:f100:7000::6fdd:6d1c/128
2a01:111:f100:7000::6fdd:6d23/128
2a01:111:f100:7000::6fdd:6d50/128
2a01:111:f100:7000::6fdd:6d88/128
2a01:111:f100:a004::bfeb:8a92/128
2a01:111:f100:a004::bfeb:8ab0/128
2a01:111:f100:a004::bfeb:8b12/128
2a01:111:f100:a004::bfeb:8b15/128
2a01:111:f100:a004::bfeb:8b3c/128
2a01:111:f100:a004::bfeb:8b47/128
2a01:111:f100:a004::bfeb:8b6c/128
2a01:111:f100:a004::bfeb:8beb/128
2a01:111:f100:a004::bfeb:8c55/128
2a01:111:f100:a004::bfeb:8c6d/128
2a01:111:f100:a004::bfeb:8c6f/128
2a01:111:f100:a004::bfeb:8c88/128
2a01:111:f100:a004::bfeb:8cc0/128
2a01:111:f100:a004::bfeb:8cdc/128
2a01:111:f100:a004::bfeb:8d83/128
2a01:111:f100:a004::bfeb:8d96/128
2a01:111:f100:a004::bfeb:8daa/128
2a01:111:f102:8001::1761:4929/128
2a01:111:f102:8001::1761:4948/128
2a01:111:f102:8001::1761:4b83/128
2a01:111:f102:8001::1761:4f0d/128
2a01:111:f102:8001::1761:4f32/128
2a01:111:f102:8001::1761:4f64/128
2a01:111:f102:8001::1761:4f8d/128
2a01:111:f102:8001::1761:4fc0/128
2a01:111:f400::/48
2001:df0:d9:200::/64
2603:1047:100::/64
2a01:111:2035:8::/64
2a01:111:200a:a::/64
2a01:111:f406:1::/64
2a01:111:f406:2::/64
2a01:111:f406:1004::/64
2a01:111:f406:1805::/64
2a01:111:f406:3404::/64
2A01:111:F406:8000::/64
2a01:111:f406:8801::/64
2a01:111:f406:a003::/64
2A01:111:F406:C00::/64
Internet & ER accessible: shared services | authentication | Office Online | Exchange Online | Exchange
Online Protection | Skype for Business Online | Microsoft Teams | SharePoint Online and OneDrive | Dynamics
CRM IP | Dynamics CRM URI | Power BI
Internet accessible: Office 365 Video and Microsoft Stream | Yammer | Sway | Planner | Office Clients |
Microsoft Intune | Microsoft PowerApps | Microsoft Flow
<Back to top>
Office Online
Office Online is only available in the browser and requires the authenticated user to be passed through any
proxies. Office Online only requires TCP Port 443. In addition to the suite-wide FQDNs, CDNs, and telemetry
listed above, you'll need to also add these endpoints.
*broadcast.officeapps.live.com
2 Required: Office yes Office
*excel.officeapps.live.com
Online *onenote.officeapps.live.com Online IP
*powerpoint.officeapps.live.com Ranges.
*view.officeapps.live.com
*visio.officeapps.live.com
*word-edit.officeapps.live.com
*word-view.officeapps.live.com
office.live.com
*.cdn.office.net
3 Required: Content no N/A
contentstorage.osi.office.net
Delivery Network for
Office Web Apps
Note: The domains and nodes that the wildcards such as *visio.officeapps.live.com represent are a list of 20+
regional nodes. Similarly, the wildcard in the *.cdn.office.net entry represents a collection of application,
functional, and regional domains and nodes used only by Office Online. All of these sub-domains and nodes
are subject to change at any time as the service improves.
Office Web Apps IPv4 endpoints routable Office Web Apps IPv6 endpoints routable through
through the Internet and ExpressRoute the Internet only
13.69.187.20/32 2603:1020:201::37/128
13.70.184.242/32 2603:1020:201:9::c6/128
13.71.155.176/32 2603:1030:1000::1d/128
13.75.153.216/32 2603:1030:f00::17/128
13.76.140.48/32 2603:1040:200::5dc/128
13.78.114.39/32 2603:1040:401::762/128
13.85.84.102/32 2603:1040:601::60f/128
13.88.248.161/32 2603:1040:a01::1e/128
13.88.254.212/32 2603:1040:c01::28/128
13.107.6.171/32 2603:1050:1::cd/128
13.107.6.172/32 2620:1ec:a92::171/128
23.98.219.76/32 2a01:111:f100:2002::8975:2d79/128
40.68.166.51/32 2a01:111:f100:2002::8975:2da8/128
40.71.251.78/32 2a01:111:f100:4001::4625:a1c3/128
40.74.130.243/32 2a01:111:f100:4001::4625:a419/128
40.74.138.42/32 2a01:111:f100:7000::6fdd:6cd5/128
40.86.230.88/32 2a01:111:f100:a004::bfeb:8ba7/128
40.87.61.217/32
40.114.192.209/32
40.117.226.146/32
Was this information helpful? Yes No
×
40.126.236.216/32
Office Web Apps IPv4 endpoints routable Office Web Apps IPv6 endpoints routable through
through the Internet and ExpressRoute the Internet only
40.127.79.139/32
51.140.46.128/32
51.140.46.150/32
51.141.1.194/32
51.141.8.160/32
52.108.0.0/14
52.164.242.47/32
52.169.109.48/32
52.172.12.123/32
52.172.13.171/32
52.172.152.100/32
52.172.153.104/32
52.174.190.59/32
52.175.25.142/32
52.232.128.169/32
104.40.225.204/32
104.41.62.54/32
104.214.38.136/32
104.215.194.17/32
137.116.172.39/32
137.135.65.72/32
191.235.84.172/32
191.235.87.181/32
191.237.40.220/32
Internet & ER accessible: shared services | authentication | Office Online | Exchange Online | Exchange
Online Protection | Skype for Business Online | Microsoft Teams | SharePoint Online and OneDrive | Dynamics
CRM IP | Dynamics CRM URI | Power BI
Internet accessible: Office 365 Video and Microsoft Stream | Yammer | Sway | Planner | Office Clients |
Microsoft Intune | Microsoft PowerApps | Microsoft Flow
<Back to top>
Exchange Online
Destinations with a yes in the ExpressRoute for Office 365 BGP Communities column are advertised over
ExpressRoute and the Internet with the exception of *.outlook.com, there are specific sub-FQDNs within this
domain, such as the CNAME xsi.outlook.com which refers to a CDN that have no published IPs and are not
available over ExpressRoute, there are other sub-domains that are available on ExpressRoute, learn more by
reading the section, Deciding which applications and features route over ExpressRoute.
smtp.office365.com
3 Required: client yes Exchange Online TCP 587
client SMTP computer | IP ranges.
Relay logged on
user
*.outlook.com
4 Required: client or yes Exchange Online TCP 80 & 443
*.outlook.office.com
Exchange on- outlook.office365.com IP ranges.
Online premises autodiscover-<tenant>.outlook.com
(including Exchange
OWA, Outlook, server |
EWS, MRS logged on
migrations, and user or
so on). machine
account
xsi.outlook.com
5 Required: client or no N/A TCP 80 & 443
r1.res.office365.com
Exchange server | r3.res.office365.com
Online CDNs logged on r4.res.office365.com
(including user
OWA, Outlook,
and so on).
*.um.outlook.com 65.55.94.0/25
6 Optional: on- no Any-TCP/UDP
207.46.198.0/25
Exchange premises 213.199.177.0/26
Online Unified Session (Bidirectional
Note: These IP
addresses are
provided for
informational
purposes and are
not included in the
XML.
*.store.core.windows.net
9 Optional: used existing no N/A TCP 80 & 443
asl.configure.office.com
to configure Exchange mshrcstorageprod.blob.core.windows.net
Exchange service | tds.configure.office.com
Hybrid, using N/A
the Exchange
Hybrid
Configuration
Wizard.
Note: These
endpoints are
only required to
configure
Exchange hybrid.
Rows 8-10
describe the
ongoing traffic.
1 40.118.209.192/32
10 Optional: used existing domains.live.com yes TCP 80 & 443
168.62.190.41/32
to configure Exchange
Exchange service | Note: These IP
Hybrid, using N/A addresses are
the Exchange provided for
informational
Hybrid
purposes and are
Configuration
not included in the
Wizard. XML.
Note: These
endpoints are
only required to
configure
Exchange hybrid.
Rows 8-10
describe the
ongoing traffic.
*.outlook.office.com
11 Optional: IMAP4 yes Exchange Online TCP 143/993
outlook.office365.com
Exchange Service | IP ranges.
Online IMAP4 N/A
migration
*.outlook.office.com
12 Optional: POP3 yes Exchange Online TCP 995
outlook.office365.com
Exchange Service | IP ranges.
Online POP3 N/A
migration
1
Only required for Exchange 2010 SP3 Hybrid Configuration Wizard.
Note: The domains and nodes that the wildcards such as *.outlook.office.com & *.um.outlook.com represent
are a list of application, functional, and regional domains and nodes used for Exchange Online functionality.
Note: The domains and nodes that the wildcards such as *.protection.outlook.com represent are a list of
application, functional, and regional domains and nodes used for mail delivery, security, and compliance
functionality. Some are dynamically assigned and all of these sub-domains and nodes are subject to change at
any time as the service improves.
Internet & ER accessible: shared services | authentication | Office Online | Exchange Online | Exchange
Online Protection | Skype for Business Online | Microsoft Teams | SharePoint Online and OneDrive | Dynamics
CRM IP | Dynamics CRM URI | Power BI
Internet accessible: Office 365 Video and Microsoft Stream | Yammer | Sway | Planner | Office Clients |
Microsoft Intune | Microsoft PowerApps | Microsoft Flow
<Back to top>
The IP Address endpoints listed in the Skype for Business online IP Addresses includes IP’s required for both
Skype for Business online and Teams. If your company also wants to use Microsoft Teams, there is no extra
work required as long as you whitelist all the IPs in this section. The FQDN endpoints listed in the Skype for
Business online FQDNs only covers those FQDNs that are required for Skype for Business online. If your
company wants to use Microsoft Teams, you need to add the FQDNs for Microsoft Teams listed in the
Microsoft Teams section. Destinations with a yes in the ExpressRoute for Office 365 BGP Communities
column are advertised over ExpressRoute and the Internet.
To use Skype for Business Online, you must first enable endpoints for authentication as well as the Office 365
portal and shared service. You must also ensure the endpoints in the Skype for Business Online FQDN and IP
Address tables are reachable. To see the IP addresses, expand the IP address section below the table
describing the traffic flow. Keep in mind that wildcards represent all possible sub-domains under the root.
*.lync.com
2 Required: client yes Skype for Business IP TCP 443
*.cqd.lync.com
Skype for computer | *.infra.lync.com ranges.
Business. logged on *.online.lync.com
*.resources.lync.com
Including SIP user
*.config.skype.com
signaling, *.skypeforbusiness.com
Persistent *.pipe.aria.microsoft.com
Shared config.edge.skype.com
pipe.skype.com
Object s-0001.s-msedge.net
Model s-0004.s-msedge.net
(PSOM)
connections
web
conferencing,
HTTPS
downloads,
and Call
Quality
Dashboard
*.lync.com
3 Required: client yes Skype for Business IP TCP 443,
Optional:
TCP &
UDP
50,000-
59,999
*.lync.com
4 Required: client yes Skype for Business IP TCP 5223
Lync Mobile computer | ranges.
push logged on
notifications user
for Lync
Mobile 2010
on iOS
devices. You
don't need
this for
Android,
Nokia
Symbian or
Windows
Phone
mobile
devices.
*.azureedge.net
5 Required: client no N/A TCP 80 &
*.sfbassets.com
Skype for computer | *.urlp.sfbassets.com 443
Business logged on skypemaprdsitus.trafficmanager.net
CDNs user
quicktips.skypeforbusiness.com
6 Required: client no N/A. TCP 443
swx.cdn.skype.com
Skype client computer |
quicktips & logged on
OWA user
integration
*.api.skype.com
7 Optional: client no SkypeGraph.skype.com TCP 443
*.users.storage.live.com
Federation computer | skypegraph.skype.com IP range information
with Skype logged on
and public user
IM
connectivity:
Contact
picture
retrieval
To use Skype Meeting Broadcast, the following endpoints need to be accessible to client computers.
1 Required: see Skype for Business Online and ensure all entries
Skype for labeled "required" are accessible.
Business
endpoints.
*.broadcast.skype.com
2 Required: client yes Skype TCP
broadcast.skype.com
Skype computer / browser.pipe.aria.microsoft.com for 443
Meeting logged on Business
Broadcast user IP
presenter ranges.
and
attendee
aka.ms
3 Required: client no N/A TCP
amp.azure.net
Skype computer / 443
Meeting logged on
Broadcast user
presenter
and
attendee
*.keydelivery.mediaservices.windows.net
4 Required: client no N/A TCP
*.msecnd.net
Skype computer / *.streaming.mediaservices.windows.net 443
Meeting logged on ajax.aspnetcdn.com
mlccdn.blob.core.windows.net
Broadcast user
presenter
and
attendee
(including
CDNs)
Notes:
The domains and nodes that the wildcards such as *.lync.com, *.config.skype.com, *.broadcast.skype.com,
*.skypeforbusiness.com, *.sfbassets.com, & *.urlp.sfbassets.com represent are a list of application,
functional, and regional domains and nodes used for Skype for Business Online functionality. Some are
dynamically assigned and all of these sub-domains and nodes are subject to change at any time as the
service improves.
The wildcards for mediaservices.windows.net represents a list of media services endpoints associated with
Azure Media Services where video content is pulled from. These endpoints are available via the internet
and Azure Public peering. The wildcard for msecnd.net represents a dynamically generated endpoint within
the CDN that join page libraries are pulled from.
Skype for Business Online IPv4 endpoints routable Skype for Business Online IPv6 endpoints
through the Internet and ExpressRoute routable through the Internet only
13.64.106.229/32 2603:1027::/48
13.67.180.128/32 2603:1029:100::/48
13.70.89.162/32 2603:1037::/48
13.70.156.147/32 2603:1039:100::/48
13.70.159.107/32 2603:1047::/48
13.71.127.197/32 2603:1049:100::/48
13.73.109.13/32 2603:1057::/48
13.73.155.42/32 2620:1ec:6::/48
13.75.154.195/32 2620:01ec:0042::/48
13.75.159.17/32 2620:1ec:40::/42
13.75.159.51/32 2a01:111:2047:2::/64
13.76.188.52/32 2a01:111:2047:1::/64
13.76.189.79/32 2a01:111:2048:2::/64
13.76.241.210/32 2a01:111:2048:1::/64
13.77.7.84/32 2a01:111:f406:3406::/64
13.78.93.8/32 2a01:111:f406:3405::/64
13.78.94.7/32 2a01:111:200f:11::/64
13.78.95.252/32 2a01:111:200f:10::/64
13.78.112.190/32 2a01:111:2007:3::/64
13.79.153.60/32 2a01:111:2007:4::/64
13.91.106.134/32 2a01:111:200f:6::/64
13.91.252.242/32 2a01:111:200f:7::/64
13.93.167.93/32 2a01:111:200f:8::/64
13.95.234.10/32 2a01:111:200f:9::/64
13.107.3.0/24 2a01:111:2012:2::/64
13.107.8.0/24 2a01:111:2012:3::/64
13.107.17.0/24 2a01:111:2012:4::/64
13.107.64.0/18 2a01:111:2012:5::/64
13.107.242.0/24 2a01:111:2012:6::/64
23.97.78.16/32 2a01:111:2012:7::/64
23.99.101.118/32 2a01:111:202a:2::/64
23.99.112.73/32 2a01:111:202a:3::/64
23.99.113.163/32 2a01:111:202b:3::/64
23.99.121.38/32 2a01:111:202b:4::/64
23.101.61.176/32 2a01:111:202b:9::/64
23.101.112.170/32 2a01:111:202b:a::/64
23.101.151.89/32 2a01:111:202f::/48
23.103.176.128/26 2a01:111:2034:2::/64
23.103.176.192/27 2a01:111:2034:3::/64
23.103.178.128/26 2a01:111:2035:6::/64
23.103.178.192/27 2a01:111:2035:7::/64
40.69.45.108/32 2a01:111:2036:2::/64
40.74.62.125/32 2a01:111:2036:3::/64
40.74.113.62/32 2a01:111:203e:1::/64
40.74.129.215/32 2a01:111:203e:2::/64
40.74.130.253/32 2a01:111:2040:1::/64
40.74.143.94/32 2a01:111:2040:2::/64
40.76.77.68/32 2a01:111:2046:4::/64
40.78.98.202/32 2a01:111:2046:5::/64
40.78.146.128/32 2a01:111:2a:7::/64
40.83.17.24/32 2a01:111:2a:8::/64
40.83.124.144/32 2a01:111:f402:5802::/64
40.84.28.125/32 2a01:111:f402:5803::/64
40.113.87.220/32 2a01:111:f402:5805::/64
40.114.149.220/32 2a01:111:f404:0c06::/64
40.115.1.44/32 2a01:111:f404:0c07::/64
40.117.100.83/32 2a01:111:f404:0c09::/64
40.117.145.132/32 2a01:111:f404:0c0a::/64
40.118.214.164/32 2a01:111:f404:3400::/64
40.118.253.51/32 2a01:111:f404:3401::/64
40.121.200.212/32 2a01:111:f404:8002::/64
40.122.44.96/32 2a01:111:f404:8003::/64
40.122.165.60/32 2a01:111:f404:9400::/64
40.123.43.195/32 2a01:111:f404:9401::/64
40.127.129.109/32 2a01:111:f404:a000::/64
40.127.169.165/32 2a01:111:f404:a001::/64
51.140.51.73/32 2a01:111:f404:a800::/64
51.140.62.120/32 2a01:111:f404:a801::/64
51.141.13.77/32 2a01:111:f406:2400::/64
51.141.28.50/32 2a01:111:f406:2401::/64
51.141.42.151/32 2a01:111:f406:402::/64
51.141.49.0/32 2a01:111:f406:403::/64
52.112.0.0/14
52.163.225.1/32
52.163.230.187/32
52.163.231.50/32
52.165.150.215/32
52.166.61.83/32
52.169.9.241/32
52.169.154.144/32
52.172.220.246/32
52.173.190.229/32
52.174.186.47/32
52.175.37.105/32
52.178.114.127/32
52.178.179.194/32
52.178.186.230/32
52.178.198.107/32
52.179.139.166/32
52.183.117.84/32
52.187.6.119/32
52.187.79.90/32
52.233.128.227/32
65.55.127.0/24
66.119.157.192/26
66.119.158.0/25
104.40.91.215/32
104.41.208.54/32
104.44.195.0/24
104.44.200.0/23
104.45.18.178/32
104.45.231.95/32
104.46.62.41/32
104.47.151.128/32
104.208.28.54/32
104.208.31.113/32
104.209.188.207/32
104.210.9.95/32
104.211.188.146/32
111.221.76.128/25
111.221.77.0/26
131.253.128.0/19
131.253.160.0/20
137.116.66.252/32
137.116.248.105/32
137.117.109.221/32
137.117.128.25/32
168.61.145.101/32
168.61.155.249/32
168.63.204.74/32
168.63.245.120/32
207.46.5.0/24
Internet & ER accessible: shared services | authentication | Office Online | Exchange Online | Exchange
Online Protection | Skype for Business Online | Microsoft Teams | SharePoint Online and OneDrive | Dynamics
CRM IP | Dynamics CRM URI | Power BI
Internet accessible: Office 365 Video and Microsoft Stream | Yammer | Sway | Planner | Office Clients |
Microsoft Intune | Microsoft PowerApps | Microsoft Flow
<Back to top>
*.teams.skype.com
2 Required: Client or Yes Microsoft Teams IP TCP
*.teams.microsoft.com
Microsoft Server / teams.microsoft.com ranges. 80 &
Teams. logged on 443
user
*.asm.skype.com
3 Required: Client or Yes Microsoft Teams IP TCP
*.cc.skype.com
Microsoft Server / *.conv.skype.com ranges. 443
Teams logged on *.dc.trouter.io
*.msg.skype.com
collaboration user
prod.registrar.skype.com
prod.tpc.skype.com
13.107.3.0/24
4 Required: Client or These IPs are used by media Yes TCP
13.107.8.0/24
Microsoft Server / without explicit FQDN mappings. 13.107.17.0/24 443
Teams logged on 13.107.64.0/24
13.107.65.0/24 UDP
media user
13.107.242.0/24 3478-
52.114.60.0/22
52.114.124.0/22
3481
52.114.188.0/22
52.114.220.0/22
104.44.195.0/24
104.44.200.0/24
104.44.201.0/24
*.config.skype.com
5 Required: Client or Yes Microsoft Teams IP TCP
*.pipe.skype.com
Microsoft Server / *.pipe.aria.microsoft.com ranges. 443
Teams logged on config.edge.skype.com
pipe.skype.com
shared user
s-0001.s-msedge.net
services s-0004.s-msedge.net
scsinstrument-ss-
us.trafficmanager.net
*.msedge.net
6 Required: Client or No N/A TCP
compass-ssl.microsoft.com
Microsoft Server / feedback.skype.com 443
Teams logged on
shared user
services
*.secure.skypeassets.com
7 Required: Client or No N/A TCP
mlccdnprod.azureedge.net
Microsoft Server / videoplayercdn.osi.office.net 443
Teams logged on
shared user
services
*.lync.com
8 Optional: Client or Yes Skype for Business IP TCP
*.infra.lync.com
Messaging Server / *.online.lync.com ranges. 443
interop with logged on *.resources.lync.com
*.skypeforbusiness.com
Skype for user
Business
*.azureedge.net
9 Optional: Client or No N/A TCP
*.sfbassets.com
Messaging Server / latest-swx.cdn.skype.com 443
interop with logged on skypemaprdsitus.trafficmanager.net
swx.cdn.skype.com
Skype for user
Business
(including
CDNs)
skypegraph.skype.com
10 Optional: Client or No SkypeGraph.skype.com TCP
Skype Graph Server / IP range information 443
logged on
user
*.giphy.com
11 Optional: Client or No N/A TCP
Microsoft Server / 443
Teams third- logged on
party user
integrations
Note: The domains and nodes that the wildcards such as *.teams.skype.com, *.teams.microsoft.com,
*.config.skype.com, *.secure.skypeassets.com, & *.pipe.skype.com represent are a list of application, functional,
and regional domains and nodes used for Microsoft Teams functionality. Some are dynamically assigned and
all of these sub-domains and nodes are subject to change at any time as the service improves.
Microsoft Teams IPv4 endpoints routable through Microsoft Teams IPv6 endpoints routable
13.64.106.229/32 2603:1027::/48
13.67.180.128/32 2603:1029:100::/48
13.70.89.162/32 2603:1037::/48
13.70.156.147/32 2603:1039:100::/48
13.70.159.107/32 2603:1047::/48
13.71.127.197/32 2603:1049:100::/48
13.73.109.13/32 2603:1057::/48
13.73.155.42/32 2620:1ec:6::/48
13.75.154.195/32 2620:1ec:40::/42
13.75.159.17/32 2a01:111:202f::/48
13.75.159.51/32
13.76.188.52/32
13.76.189.79/32
13.76.241.210/32
13.77.7.84/32
13.78.93.8/32
13.78.94.7/32
13.78.95.252/32
13.78.112.190/32
13.79.153.60/32
13.91.106.134/32
13.91.252.242/32
13.95.234.10/32
13.107.3.0/24
13.107.8.0/24
13.107.17.0/24
13.107.64.0/18
13.107.242.0/24
23.97.78.16/32
23.99.101.118/32
23.99.112.73/32
23.99.113.163/32
23.99.121.38/32
23.101.61.176/32
23.101.112.170/32
23.101.151.89/32
40.69.45.108/32
40.74.62.125/32
40.74.113.62/32
40.74.129.215/32
40.74.130.253/32
40.74.143.94/32
40.76.77.68/32
40.78.98.202/32
40.78.146.128/32
40.83.17.24/32
40.83.124.144/32
40.84.28.125/32
40.113.87.220/32
40.114.149.220/32
40.115.1.44/32
40.117.100.83/32
40.117.145.132/32
40.118.214.164/32
40.118.253.51/32
40.122.44.96/32
40.122.165.60/32
40.123.43.195/32
40.127.129.109/32
40.127.169.165/32
51.140.51.73/32
51.140.62.120/32
51.140.79.167/32
51.140.126.38/32
51.141.13.77/32
51.141.28.50/32
51.141.42.151/32
51.141.49.0/32
52.112.0.0/14
52.163.225.1/32 Was this information helpful? Yes No
×
Microsoft Teams IPv4 endpoints routable through Microsoft Teams IPv6 endpoints routable
the Internet and ExpressRoute through the Internet only
52.163.230.187/32
52.163.231.50/32
52.165.150.215/32
52.166.61.83/32
52.169.9.241/32
52.172.220.246/32
52.174.186.47/32
52.175.37.105/32
52.178.114.127/32
52.178.179.194/32
52.178.186.230/32
52.178.198.107/32
52.179.139.166/32
52.183.117.84/32
52.187.79.90/32
104.40.91.215/32
104.41.208.54/32
104.44.195.0/24
104.44.200.0/23
104.45.18.178/32
104.45.231.95/32
104.46.62.41/32
104.47.151.128/32
104.208.28.54/32
104.208.31.113/32
104.209.188.207/32
104.210.9.95/32
104.211.188.146/32
137.116.66.252/32
137.116.248.105/32
137.117.109.221/32
137.117.128.25/32
168.61.145.101/32
168.61.155.249/32
168.63.245.120/32
Internet & ER accessible: shared services | authentication | Office Online | Exchange Online | Exchange
Online Protection | Skype for Business Online | Microsoft Teams | SharePoint Online and OneDrive | Dynamics
CRM IP | Dynamics CRM URI | Power BI
Internet accessible: Office 365 Video and Microsoft Stream | Yammer | Sway | Planner | Office Clients |
Microsoft Intune | Microsoft PowerApps | Microsoft Flow
<Back to top>
*.sharepoint.com
3 Required: SharePoint client or server / yes SharePoint TCP
*.svc.ms
Online and logged on user <tenant>.sharepoint.com Online IP 80
associated <tenant>-my.sharepoint.com Ranges. &
<tenant>-files.sharepoint.com
applications. 443
<tenant>-myfiles.sharepoint.com
*.sharepointonline.com
4 Required: CDNs for client or server / no N/A TCP
cdn.sharepointonline.com
SharePoint Online logged on user static.sharepointonline.com 80
and associated spoprod-a.akamaihd.net &
publiccdn.sharepointonline.com
applications 443
privatecdn.sharepointonline.com
admin.onedrive.com
5 Required: OneDrive client or server / no N/A TCP
officeclient.microsoft.com
for Business admin & logged on user odc.officeapps.live.com 80
Sharing from the skydrive.wns.windows.com &
Sync client 443
oneclient.sfx.ms
6 Required: CDN client or server / no N/A TCP
endpoint for logged on user 80
OneDrive for &
Business update 443
verification and
download
*.log.optimizely.com
7 Optional: OneDrive client or server / no N/A TCP
click.email.microsoftonline.com
for Business: logged on user ssw.live.com 443
supportability, storage.live.com
telemetry, APIs, and
embedded email
links
*.search.production.us.trafficmanager.net
8 Optional: SharePoint The crawler on no N/A TCP
*.search.production.emea.trafficmanager.net
Hybrid Search - the on-prem SP *.search.production.apac.trafficmanager.net 443
Endpoint to authenticates to
SearchContentService SCS as the
where the hybrid tenant that
crawler feeds does the
documents
provisioningapi.microsoftonline.com
10 Optional: SharePoint Global admin or yes Authentication TCP
Hybrid Search - equivalent and Identity IP 443
Required for credentials on ranges
onboarding script to the tenant for
connect to Office 365 which Hybrid
Provisioning Web Search is being
Services. configured
Note: The domains and nodes that the wildcards such as *.sharepoint.com, *.sharepointonline.com, & *.svc.ms
represent are a list of application, functional, and regional domains and nodes used by SharePoint Online. All
of these sub-domains and nodes are subject to change at any time as the service improves.
Internet & ER accessible: shared services | authentication | Office Online | Exchange Online | Exchange
Online Protection | Skype for Business Online | Microsoft Teams | SharePoint Online and OneDrive | Dynamics
CRM IP | Dynamics CRM URI | Power BI
Internet accessible: Office 365 Video and Microsoft Stream | Yammer | Sway | Planner | Office Clients |
Microsoft Intune | Microsoft PowerApps | Microsoft Flow
<Back to top>
Yammer
Yammer is only available in the browser and requires the authenticated user to be passed through a proxy. All
Yammer FQDNs need to be in your client's IE Trusted Sites Zone to function.
1 Required: suite-wide see Office 365 required entries for shared services and
*.assets-yammer.com
3 Required: Yammer N/A
CDN
Note: The domains and nodes that the wildcards such as *.yammer.com, *.yammerusercontent.com, &
*.assets-yammer.com represent are a list of application, functional, and regional domains and nodes used by
Yammer. Some are dynamically assigned and all of these sub-domains and nodes are subject to change at
any time as the service improves.
Planner
Planner is only available in the browser and requires the authenticated user to be passed through a proxy. In
addition to the suite-wide FQDNs, CDNs, and telemetry listed above, you'll need to also add these endpoints.
1 Required: suite-wide see Office 365 required entries for shared services and
services authentication
tasks.office.com 13.107.6.160/32
2 Required: Planner
cus-000.tasks.osi.office.net 13.107.9.160/32
ea-000.tasks.osi.office.net 23.97.56.236/32
eus-zzz.tasks.osi.office.net 23.97.78.215/32
neu-000.tasks.osi.office.net 40.76.80.180/32
sea-000.tasks.osi.office.net 40.112.223.206/32
weu-000.tasks.osi.office.net 40.127.139.229/32
wus-000.tasks.osi.office.net 104.40.214.0/32
104.43.235.252/32
ajax.aspnetcdn.com
3 Required: Planner N/A
CDNs
Sway
Sway is only available in the browser and requires the authenticated user to be passed through a proxy. In
addition to the suite-wide FQDNs, CDNs, and telemetry listed above, you'll need to also add these endpoints.
1 Required: suite-wide services see Office 365 required entries for shared services and
authentication
sway.com
2 Required: Sway
www.sway.com
eus-www.sway-cdn.com
3 Required: Sway CDNs
wus-www.sway-cdn.com
eus-www.sway-extensions.com
wus-www.sway-extensions.com
www.google-analytics.com
4 Optional: Sway website analytics
5 Optional: Sway third party access to third party content such as Bing, Flickr, and so on
content
Note: Instead of a wildcard, we've listed every regional and functional FQDN for Sway to help convey what
the other regional, application, and functional wildcards represent for endpoints published in this article.
Office 365 Video and Microsoft Stream are only available in the browser and requires the authenticated user
to be passed through a proxy. CIDR formatted IP addresses are not available for either Office 365 Video or
Microsoft Stream.
1 Required: suite-wide services see Office 365 required entries for shared services
and authentication
ajax.aspnetcdn.com
4 Required: Office 365 Video CDNs
r3.res.outlook.com
spoprod-a.akamaihd.net
*.api.microsoftstream.com
5 Required: Microsoft Stream. (needs the AAD
*.cloudapp.net
user token) *.notification.api.microsoftstream.com
amp.azure.net
api.microsoftstream.com
az416426.vo.msecnd.net
s0.assets-yammer.com
vortex.data.microsoft.com
web.microsoftstream.com
*.streaming.mediaservices.windows.net
7 Required: Microsoft Stream -
unauthenticated (content is encrypted)
amsglob0cdnstream11.azureedge.net
8 Required: Microsoft Stream CDN
cdn.optimizely.com
9 Optional: Microsoft Stream 3rd party
nps.onyx.azure.net
integration (including CDNs)
Office 2016 for Mac, Office 365 ProPlus, and mobile clients
1 Office 2016 for To understand Office 2016 for Mac endpoint requirements, refer to our
Mac reference article Network requests in Office 2016 for Mac.
2 Office 365 To understand Office client network requests including, Office 365 ProPlus,
ProPlus and Office 2016 for Windows, Outlook App for iOS and Windows, and OneNote refer
Mobile clients to the article Network requests in Office and Mobile clients.
How are changes to this page made and how can I be notified?
Office 365 endpoints are published at the end of each month with 30 days notice. Occasionally emergency
changes will occur outside of the end of month publishing or with shorter notice periods. When an endpoint
is added, the effective date listed in the RSS feed
The endpoints listed as a Yes in the ExpressRoute for Office 365 column are available both over the internet
and over ExpressRoute with Microsoft peering configured. Some services that Office 365 leverages are also
available with Public peering configured and those are noted here; however, Public peering is not required to
use ExpressRoute with Office 365 for the Office 365 applications supported over ExpressRoute.
There's a lot of information on this page, can we present it to you in a simpler way?
Please consider voicing your thoughts at the bottom of this page, under the heading Was this information
helpful? Click yes or no and enter detailed feedback. The more feedback we get from you the easier it will be
for us to improve the page.
Internet & ER accessible: shared services | authentication | Office Online | Exchange Online | Exchange
Online Protection | Skype for Business Online | Microsoft Teams | SharePoint Online and OneDrive | Dynamics
CRM IP | Dynamics CRM URI | Power BI
Internet accessible: Office 365 Video and Microsoft Stream | Yammer | Sway | Planner | Office Clients |
Microsoft Intune | Microsoft PowerApps | Microsoft Flow
<Back to top>
Related Topics
Network connectivity to Office 365
Managing Office 365 endpoints
Troubleshooting Office 365 connectivity
Client connectivity
Content delivery networks
Microsoft Azure Datacenter IP Ranges
Microsoft Public IP Space
CONTACT US
New Surface Pro Download Center Office for students Enterprise Windows Dev Center About Microsoft
Xbox One X Sales & support Office 365 for schools Data platform Developer Network Company news
Xbox One S Extended holiday returns Deals for students & Find a solutions provider TechNet Privacy at Microsoft
educators
VR & mixed reality Order tracking Microsoft partner resources Microsoft Virtual Academy Investors
Microsoft Azure in
Windows 10 apps Store locations education Microsoft AppSource Microsoft developer Diversity and inclusion
program
Office apps Support Manufacturing & resources Accessibility
Channel 9
12 Days of Deals Buy online, pick up in store Financial services Security
Office Dev Center
English (United States) Contact Us Privacy & Cookies Terms of use & sale Trademarks Office accessibility Legal © Microsoft 2017