Announcing: Office 365 endpoint categories and Office 365 IP Address and URL web service

[Originally published for the preview on 4/2/2018 and updated on 7/6/2018. Updated for GA on 9/5/2018]

Announcing: The IP Address and URL web services are generally available from 5th September, 2018.

Microsoft recently published a set of connectivity principles for Office 365 which provides concise guidance on the recommended ways of achieving optimal performance and connectivity to Office 365. The first of these principles is to Identify and differentiate Office 365 network traffic using Microsoft published endpoints. Endpoints include IP Addresses and URLs that are used to connect to Office 365.

The primary benefits of using these web services are that they share the endpoint categories which significantly simplify network perimeter configuration, they are fully automated including automated validation testing them, they can be loaded directly into network devices, and they help automate change management to avoid change related outages. The endpoint categories identify a vital few key network endpoints in the Optimize and Allow categories for Office 365 for which we recommend direct Internet egress.

We use web services because they are easier for customers scripts and network devices to call than web pages. Specific scenarios where you might need this data include:

1. Updating your perimeter firewall to allow Office 365 network connectivity.
2. Updating your enterprise proxy server to allow connectivity to Office 365 URLs.
3. Edit PAC files on your users computers to bypass proxy servers.
4. Bypassing an SSL decrypting network device for Office 365 network traffic.
5. Bypassing a CASB service for Office 365 network traffic.
6. Selecting endpoints for bypassing proxy servers and routing for direct internet access at a branch office user location.

These web services directly offer Office 365 IP Address and URL data in JSON, and CSV format for all five Office 365 service instances including Office 365 worldwide commercial, Office 365 operated by 21 Vianet, Office 365 Germany, Office 365 U.S. Government DoD, and Office 365 U.S. Government GCC High. We also generate HTML pages from the data and RSS feeds are available from the web services to help with change notification.

Here’s a few quick links to the web services you can access right in a web browser. These links are provided for the worldwide Office 365 commercial instance as examples only.

• Get the latest version number for the Office 365 worldwide service instance
  https://endpoints.office.com/version/worldwide?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7
• Get the current endpoints for the Office 365 worldwide service instance excluding IPv6 IP Addresses
  https://endpoints.office.com/endpoints/worldwide?noipv6&ClientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7
• Changes to the Office 365 worldwide service instance since 20180828
  https://endpoints.office.com/changes/worldwide/2018072800?ClientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7
• The RSS feed for changes to the Office 365 worldwide service instance
  https://endpoints.office.com/version/worldwide?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7

The current XML file and the old RSS feed will be available until October 2nd, 2018. If you have automation that uses the XML format, you should update that to use the JSON format data. If you are using the old RSS feed you should either move to the new RSS feed, or use the sample Microsoft Flow we have published for getting emails on changes. Developer usage documentation for the IP Address and URL web services are detailed in Managing Office 365 Endpoints – Web Service.

The web services include three categories for Office 365 network endpoints as attributes of this data which can be used to simplify management of perimeter network devices:

• Optimize for a small number of endpoints that require low latency unimpeded connectivity which should bypass proxy servers, network SSL break and inspect devices, and network hairpins. Direct Internet access, such as with SDWAN, is recommended for these endpoints.
• Allow for a larger number of endpoints that benefit from low latency unimpeded connectivity but do not require it. It is required to bypass SSL break and inspect on these endpoints and to avoid proxy authentication. Although not expected to cause failures, we also recommend bypassing proxy servers entirely, network hairpins, and other network intermediary devices on these endpoints. Good connectivity to these endpoints is required for Office 365 to operate normally.
• Default for other Office 365 endpoints which can be directed to the default internet egress location for the company WAN.

Use of these categories, how they simplify connectivity to Office 365, and what actions you can take to make use of them is detailed in Office 365 Network Connectivity Principles.

The web services and data contained in it are supported by Microsoft. However, you do not need to connect to these web services in order to use Office 365. Keep a local copy of the data and just call them again to check for changes. If you are ever unable to connect to the web services, just use the data you have previously downloaded. When a change is notified, you should have 30 days to make updates.

Documentation links:

• Managing Office 365 endpoints – Web Service (including usage documentation for the IP/URL web service) 
• Office 365 Network Connectivity Principles (including Office 365 endpoint categories)
• Using Microsoft Flow to get an email for endpoint changes
• Migrating to the new web services based publishing for Office 365 IP Addresses and URLs
• Office 365 Tech Community Office 365 Networking Space for questions about use of the web services