Topic Last Modified: 2014-11-10
Summary: Lists the URLs and IP address ranges used by Office 365 and provides links to RSS feeds that help you stay up-to-date on the latest changes.
Subscribe via RSS to receive notice when URLs and IP addresses are changed.
If your organization restricts computers on your network from connecting to the Internet, this article lists the URLs you should include in your outbound allow list to ensure your computers can successfully use Office 365. URL allow lists are the recommended approach due to the modern web architecture of Office 365. For guidance on how to best implement URL or IP allow lists, please work with the manufacturer of the hardware or software you use to protect your internet connection.
While IP allow lists will work, there are a number of downsides to this approach, including:
Web clients such as the Office 365 admin portal or Outlook Web App won’t be able to authenticate.
Future non-web based clients may not be able to authenticate.
Additional Office 365 infrastructure won’t become instantly available to client computers.
Updates will be required as frequently as weekly.
Microsoft uses its own Content Delivery Networks (CDNs) and 3rd party CDNs such as Akamai and others depending on the region and service in question. Manually adding these IP addresses to your allow list isn’t feasible. If you would like to understand more about CDNs and regional datacenters, please see our further explanation of Content Delivery Networks and client connectivity.
If you’re using Active Directory Federation Services (AD FS) with your deployment, you can also use AD FS client access policies to further restrict and control access to Office 365.
Don’t forget to allow client computers to access the Certificate Revocation Lists (CRLs) over TCP 80, both from Microsoft (crl.microsoft.com) and from third parties such as *.verisign.com, *.symcb.com, *.symcd.com, *.verisign.net, *.geotrust.com, and *.public-trust.com.
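The following is an added example, not part of the original article: it audits denied proxy connections against the CRL hosts and port named above, matching wildcard entries only on a DNS label boundary so lookalike names are not treated as covered. The log format, the sample lines and the function names are assumptions made for illustration.

```python
# Added example: audit denied proxy connections against the CRL allow list above.
# The log format "ACTION PROTO HOST PORT" and the sample lines are constructed.
CRL_ALLOW = [
    "crl.microsoft.com", "*.verisign.com", "*.symcb.com", "*.symcd.com",
    "*.verisign.net", "*.geotrust.com", "*.public-trust.com",
]
CRL_PORT = 80  # the article says CRLs are fetched over TCP 80

def host_matches(pattern, host):
    """Exact match, or '*.suffix' matched on a DNS label boundary only.

    Assumption: a wildcard covers subdomains but not the bare domain itself.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".verisign.com"
        return len(host) > len(suffix) and host.endswith(suffix)
    return host == pattern

def is_allowed(host, port):
    return port == CRL_PORT and any(host_matches(p, host) for p in CRL_ALLOW)

def misblocked(log_lines):
    """Return (host, port) pairs that were denied although the CRL rule covers them."""
    hits = []
    for line in log_lines:
        action, proto, host, port = line.split()
        if action == "DENY" and proto == "TCP" and is_allowed(host, int(port)):
            hits.append((host, int(port)))
    return hits

SAMPLE_LOG = [  # constructed entries, not real traffic
    "DENY TCP crl.microsoft.com 80",             # required, wrongly blocked
    "DENY TCP crl1.symcb.com 80",                # required, wrongly blocked
    "ALLOW TCP crl.geotrust.com 80",             # already permitted
    "DENY TCP notverisign.com 80",               # lookalike, no label boundary
    "DENY TCP crl.geotrust.com.example.net 80",  # allowed name used as a prefix
    "DENY TCP crl.verisign.com 443",             # right host, wrong port
]

if __name__ == "__main__":
    for host, port in misblocked(SAMPLE_LOG):
        print(f"allow-list gap: {host}:{port}")
```

Whether a wildcard entry also covers the bare domain differs between proxy and firewall products, so confirm that behaviour with your vendor before relying on it.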
How should I use this page?
When you’re planning your outbound allow lists, you want to ensure the computers on your network can connect to the URLs or IP addresses listed for each service you’ve licensed. You’ll want to open the heading for each service and add the entries listed there both to the outbound allow list rules and to the Internet Explorer Trusted Sites Zone of client computers.
For example, if you have licensed the entire Office 365 suite, you will need to select the URLs listed in each of the headings such as Office 365, Exchange Online, Office 365 ProPlus, and so on, then enter them all both into the outbound allow list rules and into the Internet Explorer Trusted Sites Zone of client computers.
Most connections use TCP 443 or initially connect over TCP 80 and are redirected. There are also some connections that use different ports and protocols depending on the services licensed and how those services are used.
You won’t want to miss changes to our URLs and IP addresses. Updates are made to this page as soon as we can; however, we currently can’t guarantee that changes will be announced ahead of time. We recommend you subscribe to the RSS feed to receive notifications of changes. You can subscribe via Outlook or have the RSS feed updates emailed to you. An ongoing record of changes is maintained in our change log.
Some of our services do overlap with one another and you will notice the overlap or duplication in the lists of URLs and IP addresses. There is also some overlap in domain names with our consumer services; while the root domain name is the same, Office 365 operates from a separate sub-domain.
If you’re going to add IP addresses to your allow lists, keep in mind that IPv6 is optional and not required. We provide it here for customers who wish to use IPv6.
Office 365 portal and identity
To use any of the Office 365 services, you must be able to reach these URLs. If you have licensed additional services or the full suite, you will also need to ensure client computers can connect to these URLs plus the URLs for each of the services licensed below.
^ Content Delivery Network
^^ Azure Rights Management
^^^ Windows Azure Active Directory
If you have licensed Exchange Online as a standalone or as part of a suite, you must be able to reach the Office 365 portal and identity URLs as well as the Exchange Online URLs or IP addresses.
The Microsoft Federation Gateway is used with Exchange Online with federated delegation and mixed hybrid deployments. Learn more about federation with Exchange Online. The Microsoft Federation Gateway does not have additional URLs beyond those included under the Exchange Online and the portal and identity sections.
^ Content Delivery Network
If you have licensed Lync Online as a standalone or as part of a suite, you must be able to reach the Office 365 portal and identity URLs as well as the Lync Online URLs or IP addresses.
|Lync Online URLs||Lync Online IPv4 Addresses|
If you have licensed SharePoint Online as a standalone or as part of a suite, you must be able to reach the Office 365 portal and identity URLs as well as the SharePoint Online URLs or IP addresses.
Exchange Online Protection (EOP)
If you have licensed Exchange Online Protection (EOP) as a standalone or as part of a suite, you must be able to reach the Office 365 portal and identity URLs as well as the EOP IP addresses. EOP does not have additional URLs beyond those included in the portal and identity section.
|Exchange Online Protection|
Office 365 remote analyzer tools
This list of IPv4 IP addresses is the current list required for the Office 365 remote analyzer tools. EOP does not have additional URLs beyond those included in the portal and identity section.
|Office 365 remote analyzer tools IP Addresses|
This list of URLs and IPv4 IP addresses is the current list required for Yammer.
|Yammer URLs||Yammer IPv4 Addresses|
^ These URLs are for third-party services that Yammer uses to let users view documents, videos and images uploaded by your users into Yammer. These URLs are not required to be on the allow list if your organization administratively disables the ability to upload files into Yammer.
Office 365 ProPlus
This list of URLs and IPv4 IP addresses is the current list required for Office 365 ProPlus. You’ll note that these URLs include the full URI path and secure vs. unsecure connection requirements. The Office 365 ProPlus URLs are more explicit because they change less frequently and have fewer moving parts.
This list of IP addresses is the current list required for Office Online. Office Online does not have additional URLs beyond those included in the portal and identity section.
|Office Online IPv4 Addresses||Office Online IPv6 Addresses|
Office for iPad
This is the current list of Office for iPad URLs. If you’re using allow lists to filter iPad connectivity differently than other computers on your network, you can use just this list of URLs to create those allow lists.
This is the current list of Office Mobile URLs. Office Mobile runs on Android devices, Windows Phones, and iPhones. If you’re filtering your mobile connectivity differently than other computers on your network, you can use just this list of URLs to create those allow lists.