I want to roll out Passwordless login and Web Sign-In to users, but we have an Always-On VPN product (Palo Alto GlobalProtect) configured to prevent network access before connection.
I'd like to configure a URL whitelist to allow the Web Sign-in traffic, but I can't find those listed in the documentation https://learn.microsoft.com/en-us/windows/security/identity-protection/web-sign-in/?tabs=intune and Support weren't able to provide this either. Is there a list of Network Requirements for Web Sign-in published anywhere else?
- Joe_Lurie, May 21, 2026
Microsoft
Web Sign-in uses the same Entra ID browser-based authentication endpoints, so at minimum you'll want to allow outbound HTTPS (443) to:
- login.microsoftonline.com
- login.microsoft.com
- *.msauth.net
- *.msftauth.net
- device.login.microsoftonline.com
- autologon.microsoftazuread-sso.com
You may also need msftconnecttest.com for connectivity detection and ocsp.msocsp.com / crl.microsoft.com for certificate validation. For your GlobalProtect setup, these would go in your pre-logon split-tunnel exclusion list. The docs page you referenced is here: https://learn.microsoft.com/en-us/windows/security/identity-protection/web-sign-in. Please use the feedback button on that page to request the endpoint list be added. That feedback goes directly to the content team.
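One way to check whether the exclusion list is taking effect, as an added example that is not part of the original reply and is not Microsoft or Palo Alto code: it classifies hosts denied before VPN connect against the entries listed above, matching wildcards on a label boundary so that lookalike domains are not treated as allowed. The key=value log format, the sample records and the function names are assumptions, as is the choice to let `*.` cover multi-level subdomains; confirm how your firewall interprets wildcards.

```python
# Hostnames exactly as listed in the answer above; everything else here is assumed.
REQUIRED = [
    "login.microsoftonline.com", "login.microsoft.com",
    "*.msauth.net", "*.msftauth.net",
    "device.login.microsoftonline.com", "autologon.microsoftazuread-sso.com",
]
OPTIONAL = ["msftconnecttest.com", "ocsp.msocsp.com", "crl.microsoft.com"]  # "may also need"

def matches(host, pattern):
    """Exact match, or label-boundary suffix match for '*.' patterns."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".msauth.net"
        # Require at least one label in front of the suffix, so "msauth.net",
        # "notmsauth.net" and "msauth.net.example" do not match.
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern

def classify(host):
    """Return (list name, matching entry) or ("unlisted", None)."""
    for label, entries in (("required", REQUIRED), ("optional", OPTIONAL)):
        for pattern in entries:
            if matches(host, pattern):
                return label, pattern
    return "unlisted", None

def audit(log_lines):
    """Map each host denied during pre-logon to its classification."""
    findings = {}
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("phase") == "pre-logon" and fields.get("action") == "deny":
            findings[fields["host"].lower().rstrip(".")] = classify(fields["host"])
    return findings

# Constructed sample records in a hypothetical format, not a real GlobalProtect log layout.
SAMPLE_LOG = [
    "phase=pre-logon action=deny dport=443 host=login.microsoftonline.com",
    "phase=pre-logon action=deny dport=443 host=aadcdn.msauth.net",
    "phase=pre-logon action=deny dport=443 host=notmsauth.net",
    "phase=pre-logon action=deny dport=443 host=msauth.net.example",
    "phase=pre-logon action=allow dport=443 host=login.microsoft.com",
]

if __name__ == "__main__":
    for host, (label, entry) in audit(SAMPLE_LOG).items():
        print(f"{host:28} {label:9} {entry or '-'}")
```

A denied host classified as required or optional means the exclusion is not being applied to that traffic; unlisted hosts are candidates for review, not automatic additions to the list.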