Office 365 URLs and IP address ranges

Office 365 URLs and IP address rangesArticle05/30/2023

Office 365 requires connectivity to the Internet. The endpoints below should be reachable for customers using Office 365 plans, including Government Community Cloud (GCC).

Office 365 Worldwide (+GCC) | Office 365 operated by 21 Vianet | Office 365 U.S. Government DoD | Office 365 U.S. Government GCC High |

NotesDownloadUseLast updated: 05/30/2023 -Change Log subscriptionDownload: all required and optional destinations in one JSON formatted list.Use: our proxy PAC files

Start with Managing Office 365 endpoints to understand our recommendations for managing network connectivity using this data. Endpoints data is updated as needed at the beginning of each month with new IP Addresses and URLs published 30 days in advance of being active. This cadence allows for customers who don't yet have automated updates to complete their processes before new connectivity is required. Endpoints may also be updated during the month if needed to address support escalations, security incidents, or other immediate operational requirements. The data shown on this page below is all generated from the REST-based web services. If you're using a script or a network device to access this data, you should go to the Web service directly.

Endpoint data below lists requirements for connectivity from a user's machine to Office 365. For detail on IP addresses used for network connections from Microsoft into a customer network, sometimes called hybrid or inbound network connections, see Additional endpoints for more information.

The endpoints are grouped into four service areas representing the three primary workloads and a set of common resources. The groups may be used to associate traffic flows with a particular application, however given that features often consume endpoints across multiple workloads, these groups can't effectively be used to restrict access.

Data columns shown are:

ID: The ID number of the row, also known as an endpoint set. This ID is the same as is returned by the web service for the endpoint set.

Category: Shows whether the endpoint set is categorized as Optimize, Allow, or Default. This column also lists which endpoint sets are required to have network connectivity. For endpoint sets that aren't required to have network connectivity, we provide notes in this field to indicate what functionality would be missing if the endpoint set is blocked. If you're excluding an entire service area, the endpoint sets listed as required don't require connectivity.

You can read about these categories and guidance for their management in New Office 365 endpoint categories.

ER: This is Yes if the endpoint set is supported over Azure ExpressRoute with Office 365 route prefixes. The BGP community that includes the route prefixes shown aligns with the service area listed. When ER is No, this means that ExpressRoute is not supported for this endpoint set.

Some routes may be advertised in more than one BGP community, making it possible for endpoints within a given IP range to traverse the ER circuit, but still be unsupported. In all cases, the value of a given endpoint set's ER column should be respected.

Addresses: Lists the FQDNs or wildcard domain names and IP address ranges for the endpoint set. Note that an IP address range is in CIDR format and may include many individual IP addresses in the specified network.

Ports: Lists the TCP or UDP ports that are combined with listed IP addresses to form the network endpoint. You may notice some duplication in IP address ranges where there are different ports listed.

Note

Microsoft has begun a long-term transition to providing services from the cloud.microsoft namespace to simplify the endpoints managed by our customers. If you are following existing guidance for allowing access to required endpoints as listed below, there’s no further action required from you.

Exchange OnlineIDCategoryERAddressesPorts1OptimizeRequiredYesoutlook.office.com, outlook.office365.com13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128TCP: 443, 80UDP: 4432AllowOptionalNotes: POP3, IMAP4, SMTP Client trafficYes*.outlook.office.com, outlook.office365.com, smtp.office365.com13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128TCP: 587, 993, 995, 1438DefaultRequiredNo*.outlook.com, autodiscover..onmicrosoft.comTCP: 443, 809AllowRequiredYes*.protection.outlook.com40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 52.238.78.88/32, 104.47.0.0/17, 2a01:111:f400::/48, 2a01:111:f403::/48TCP: 44310AllowRequiredYes*.mail.protection.outlook.com40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 104.47.0.0/17, 2a01:111:f400::/48, 2a01:111:f403::/48TCP: 25SharePoint Online and OneDrive for BusinessIDCategoryERAddressesPorts31OptimizeRequiredYes*.sharepoint.com13.107.136.0/22, 40.108.128.0/17, 52.104.0.0/14, 104.146.128.0/17, 150.171.40.0/22, 2603:1061:1300::/40, 2620:1ec:8f8::/46, 2620:1ec:908::/46, 2a01:111:f402::/48TCP: 443, 8032DefaultOptionalNotes: OneDrive for Business: supportability, telemetry, APIs, and embedded email linksNossw.live.com, storage.live.comTCP: 44333DefaultOptionalNotes: SharePoint Hybrid Search - Endpoint to SearchContentService where the hybrid crawler feeds documentsNo*.search.production.apac.trafficmanager.net, *.search.production.emea.trafficmanager.net, *.search.production.us.trafficmanager.netTCP: 44335DefaultRequiredNo*.wns.windows.com, admin.onedrive.com, officeclient.microsoft.comTCP: 443, 8036DefaultRequiredNog.live.com, oneclient.sfx.msTCP: 443, 8037DefaultRequiredNo*.sharepointonline.com, spoprod-a.akamaihd.netTCP: 443, 8039DefaultRequiredNo*.svc.msTCP: 443, 80Skype for Business Online and Microsoft TeamsIDCategoryERAddressesPorts11OptimizeRequiredYes13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15, 2603:1063::/39UDP: 3478, 3479, 3480, 348112AllowRequiredYes*.lync.com, *.teams.microsoft.com, teams.microsoft.com13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15, 52.238.119.141/32, 52.244.160.207/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2603:1063::/39, 2620:1ec:6::/48, 2620:1ec:40::/42TCP: 443, 8013AllowRequiredYes*.broadcast.skype.com, broadcast.skype.com13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15, 52.238.119.141/32, 52.244.160.207/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2603:1063::/39, 2620:1ec:6::/48, 2620:1ec:40::/42TCP: 44315DefaultRequiredNo*.sfbassets.comTCP: 443, 8016DefaultRequiredNo*.keydelivery.mediaservices.windows.net, *.streaming.mediaservices.windows.net, mlccdn.blob.core.windows.netTCP: 44317DefaultRequiredNoaka.msTCP: 44318DefaultOptionalNotes: Federation with Skype and public IM connectivity: Contact picture retrievalNo*.users.storage.live.comTCP: 44319DefaultOptionalNotes: Applies only to those who deploy the Conference Room SystemsNo*.adl.windows.comTCP: 443, 8022AllowOptionalNotes: Teams: Messaging interop with Skype for BusinessYes*.skypeforbusiness.com13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15, 52.238.119.141/32, 52.244.160.207/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2603:1063::/39, 2620:1ec:6::/48, 2620:1ec:40::/42TCP: 44327DefaultRequiredNo*.mstea.ms, *.secure.skypeassets.com, mlccdnprod.azureedge.netTCP: 443127DefaultRequiredNo*.skype.comTCP: 443, 80167DefaultRequiredNo*.ecdn.microsoft.comTCP: 443180DefaultRequiredNocompass-ssl.microsoft.comTCP: 443

Note

For Cross-Cloud Anonymous Join to work properly, you must add these endpoints for the cloud of the target meeting to the safe senders list:

Office 365 URLs and IP address rangesOffice 365 U.S. Government DoD endpointsMicrosoft 365 Common and Office OnlineIDCategoryERAddressesPorts41DefaultOptionalNotes: Microsoft StreamNo*.microsoftstream.comTCP: 44343DefaultOptionalNotes: Microsoft Stream 3rd party integration (including CDNs)Nonps.onyx.azure.netTCP: 44344DefaultOptionalNotes: Microsoft Stream - unauthenticatedNo*.azureedge.net, *.media.azure.net, *.streaming.mediaservices.windows.netTCP: 44345DefaultOptionalNotes: Microsoft StreamNo*.keydelivery.mediaservices.windows.netTCP: 44346AllowRequiredYes*.officeapps.live.com, *.online.office.com, office.live.com13.107.6.171/32, 13.107.18.15/32, 13.107.140.6/32, 52.108.0.0/14, 52.244.37.168/32, 2603:1063:2000::/38, 2620:1ec:c::15/128, 2620:1ec:8fc::6/128, 2620:1ec:a92::171/128, 2a01:111:f100:2000::a83e:3019/128, 2a01:111:f100:2002::8975:2d79/128, 2a01:111:f100:2002::8975:2da8/128, 2a01:111:f100:7000::6fdd:6cd5/128, 2a01:111:f100:a004::bfeb:88cf/128TCP: 443, 8047DefaultRequiredNo*.office.netTCP: 443, 8049DefaultRequiredNo*.onenote.comTCP: 44350DefaultOptionalNotes: OneNote notebooks (wildcards)No*.microsoft.comTCP: 44351DefaultRequiredNo*cdn.onenote.netTCP: 44353DefaultRequiredNoajax.aspnetcdn.com, apis.live.net, officeapps.live.com, www.onedrive.comTCP: 44356AllowRequiredYes*.auth.microsoft.com, *.msftidentity.com, *.msidentity.com, account.activedirectory.windowsazure.com, accounts.accesscontrol.windows.net, adminwebservice.microsoftonline.com, api.passwordreset.microsoftonline.com, autologon.microsoftazuread-sso.com, becws.microsoftonline.com, ccs.login.microsoftonline.com, clientconfig.microsoftonline-p.net, companymanager.microsoftonline.com, device.login.microsoftonline.com, graph.microsoft.com, graph.windows.net, login.microsoft.com, login.microsoftonline.com, login.microsoftonline-p.com, login.windows.net, logincert.microsoftonline.com, loginex.microsoftonline.com, login-us.microsoftonline.com, nexus.microsoftonline-p.com, passwordreset.microsoftonline.com, provisioningapi.microsoftonline.com20.20.32.0/19, 20.190.128.0/18, 20.231.128.0/19, 40.126.0.0/18, 2603:1006:2000::/48, 2603:1007:200::/48, 2603:1016:1400::/48, 2603:1017::/48, 2603:1026:3000::/48, 2603:1027:1::/48, 2603:1036:3000::/48, 2603:1037:1::/48, 2603:1046:2000::/48, 2603:1047:1::/48, 2603:1056:2000::/48, 2603:1057:2::/48TCP: 443, 8059DefaultRequiredNo*.hip.live.com, *.microsoftonline.com, *.microsoftonline-p.com, *.msauth.net, *.msauthimages.net, *.msecnd.net, *.msftauth.net, *.msftauthimages.net, *.phonefactor.net, enterpriseregistration.windows.net, policykeyservice.dc.ad.msft.netTCP: 443, 8064AllowRequiredYes*.compliance.microsoft.com, *.protection.office.com, *.security.microsoft.com, compliance.microsoft.com, defender.microsoft.com, protection.office.com, security.microsoft.com13.107.6.192/32, 13.107.9.192/32, 52.108.0.0/14, 2620:1ec:4::192/128, 2620:1ec:a92::192/128TCP: 44366DefaultRequiredNo*.portal.cloudappsecurity.comTCP: 44367DefaultOptionalNotes: Security and Compliance Center eDiscovery exportNo*.blob.core.windows.netTCP: 44368DefaultOptionalNotes: Portal and shared: 3rd party office integration. (including CDNs)Nofirstpartyapps.oaspapps.com, prod.firstpartyapps.oaspapps.com.akadns.net, telemetryservice.firstpartyapps.oaspapps.com, wus-firstpartyapps.oaspapps.comTCP: 44369DefaultRequiredNo*.aria.microsoft.com, *.events.data.microsoft.comTCP: 44370DefaultRequiredNo*.o365weve.com, amp.azure.net, appsforoffice.microsoft.com, assets.onestore.ms, auth.gfx.ms, c1.microsoft.com, dgps.support.microsoft.com, docs.microsoft.com, msdn.microsoft.com, platform.linkedin.com, prod.msocdn.com, shellprod.msocdn.com, support.microsoft.com, technet.microsoft.comTCP: 44371DefaultRequiredNo*.office365.comTCP: 443, 8072DefaultOptionalNotes: Azure Rights Management (RMS) with Office 2010 clientsNo*.cloudapp.netTCP: 44373DefaultRequiredNo*.aadrm.com, *.azurerms.com, *.informationprotection.azure.com, ecn.dev.virtualearth.net, informationprotection.hosting.portal.azure.netTCP: 44375DefaultOptionalNotes: Graph.windows.net, Office 365 Management Pack for Operations Manager, SecureScore, Azure AD Device Registration, Forms, StaffHub, Application Insights, captcha servicesNo*.sharepointonline.com, dc.services.visualstudio.com, mem.gfx.ms, staffhub.msTCP: 44378DefaultOptionalNotes: Some Office 365 features require endpoints within these domains (including CDNs). Many specific FQDNs within these wildcards have been published recently as we work to either remove or better explain our guidance relating to these wildcards.No*.microsoft.com, *.msocdn.com, *.onmicrosoft.comTCP: 443, 8079DefaultRequiredNoo15.officeredir.microsoft.com, officepreviewredir.microsoft.com, officeredir.microsoft.com, r.office.microsoft.comTCP: 443, 8083DefaultRequiredNoactivation.sls.microsoft.comTCP: 44384DefaultRequiredNocrl.microsoft.comTCP: 443, 8086DefaultRequiredNooffice15client.microsoft.com, officeclient.microsoft.comTCP: 44389DefaultRequiredNogo.microsoft.comTCP: 443, 8091DefaultRequiredNoajax.aspnetcdn.com, cdn.odc.officeapps.live.comTCP: 443, 8092DefaultRequiredNoofficecdn.microsoft.com, officecdn.microsoft.com.edgesuite.netTCP: 443, 8093DefaultOptionalNotes: ProPlus: auxiliary URLsNo*.virtualearth.net, c.bing.net, excelbingmap.firstpartyapps.oaspapps.com, ocos-office365-s2s.msedge.net, peoplegraph.firstpartyapps.oaspapps.com, tse1.mm.bing.net, wikipedia.firstpartyapps.oaspapps.com, www.bing.comTCP: 443, 8095DefaultOptionalNotes: Outlook for Android and iOSNo*.acompli.net, *.outlookmobile.comTCP: 44396DefaultOptionalNotes: Outlook for Android and iOS: AuthenticationNologin.windows-ppe.netTCP: 44397DefaultOptionalNotes: Outlook for Android and iOS: Consumer Outlook.com and OneDrive integrationNoaccount.live.com, login.live.comTCP: 443105DefaultOptionalNotes: Outlook for Android and iOS: Outlook PrivacyNowww.acompli.comTCP: 443114DefaultOptionalNotes: Office Mobile URLsNo*.appex.bing.com, *.appex-rf.msn.com, c.bing.com, c.live.com, d.docs.live.net, directory.services.live.com, docs.live.net, partnerservices.getmicrosoftkey.com, signup.live.comTCP: 443, 80116DefaultOptionalNotes: Office for iPad URLsNoaccount.live.com, auth.gfx.ms, login.live.comTCP: 443, 80117DefaultOptionalNotes: YammerNo*.yammer.com, *.yammerusercontent.comTCP: 443118DefaultOptionalNotes: Yammer CDNNo*.assets-yammer.comTCP: 443121DefaultOptionalNotes: Planner: auxiliary URLsNowww.outlook.comTCP: 443, 80122DefaultOptionalNotes: Sway CDNsNoeus-www.sway-cdn.com, eus-www.sway-extensions.com, wus-www.sway-cdn.com, wus-www.sway-extensions.comTCP: 443124DefaultOptionalNotes: SwayNosway.com, www.sway.comTCP: 443125DefaultRequiredNo*.entrust.net, *.geotrust.com, *.omniroot.com, *.public-trust.com, *.symcb.com, *.symcd.com, *.verisign.com, *.verisign.net, apps.identrust.com, cacerts.digicert.com, cert.int-x3.letsencrypt.org, crl.globalsign.com, crl.globalsign.net, crl.identrust.com, crl3.digicert.com, crl4.digicert.com, isrg.trustid.ocsp.identrust.com, mscrl.microsoft.com, ocsp.digicert.com, ocsp.globalsign.com, ocsp.msocsp.com, ocsp2.globalsign.com, ocspx.digicert.com, secure.globalsign.com, www.digicert.com, www.microsoft.comTCP: 443, 80126DefaultOptionalNotes: Connection to the speech service is required for Office Dictation features. If connectivity is not allowed, Dictation will be disabled.Noofficespeech.platform.bing.comTCP: 443147DefaultRequiredNo*.office.com, www.microsoft365.comTCP: 443, 80152DefaultOptionalNotes: These endpoints enable the Office Scripts functionality in Office clients available through the Automate tab. This feature can also be disabled through the Office 365 Admin portal.No*.microsoftusercontent.comTCP: 443153DefaultRequiredNo*.azure-apim.net, *.flow.microsoft.com, *.powerapps.com, *.powerautomate.comTCP: 443156DefaultRequiredNo*.activity.windows.com, activity.windows.comTCP: 443157DefaultRequiredNoocsp.int-x3.letsencrypt.orgTCP: 80158DefaultRequiredNo*.cortana.aiTCP: 443159DefaultRequiredNoadmin.microsoft.comTCP: 443, 80160DefaultRequiredNocdn.odc.officeapps.live.com, cdn.uci.officeapps.live.comTCP: 443, 80184DefaultRequiredNo*.cloud.microsoftTCP: 443, 80

Note

For recommendations on Yammer IP addresses and URLs, see Using hard-coded IP addresses for Yammer is not recommended on the Yammer blog.