
Self Service Password Reset - URLs and IP address ranges

Chris Johnston
Occasional Contributor

Minimum set of URLs and IP address ranges to allow SSPR:

We have a secure environment where users access Office 365 using a VDI solution hosted in Azure. Cloud-only identities are used and AD DS is implemented for logging on to VDI (Windows 2016 RDS sessions).

Web filtering prevents the users from accessing Office 365 and associated services directly from their corporate devices.

This creates a situation where users are unable to access SSPR to reset their own passwords from their devices, and without valid creds they cannot log on to VDI to perform the reset from there, where access is allowed.

We want to configure web filtering to allow access to SSPR from the corporate network, without allowing access to any other services, e.g. office.com.

I could use a network trace in Fiddler to work out the URLs, but I am hoping for something more supportable.

2 Replies
Solution

@Chris Johnston For SSPR network connectivity, below are the two links which you need to whitelist.

The most common point of failure is that firewall and/or proxy ports and idle timeouts are incorrectly configured. You need outbound HTTPS access to the following:

  • *.passwordreset.microsoftonline.com
  • *.servicebus.windows.net

@Nandan Tripathi thanks for providing the information. I'll configure the whitelisting accordingly.
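
The two wildcard entries from the accepted answer, expressed as a label-aware hostname check that can be used to test a filter rule set before rollout (an added example, not part of the original thread or of any Microsoft tooling). The sample hostnames and the `include_apex` switch are assumptions made for illustration; web filters differ on whether `*.` also covers the bare domain.

```python
# Added example: label-aware matching for the two wildcard entries in the answer.
ALLOWED_PATTERNS = (
    "*.passwordreset.microsoftonline.com",
    "*.servicebus.windows.net",
)

def normalize(host: str) -> str:
    """Lower-case the name and strip whitespace and trailing root dot(s)."""
    return host.strip().lower().rstrip(".")

def matches(host: str, pattern: str, include_apex: bool = False) -> bool:
    """True if host falls under a '*.suffix' pattern on a DNS label boundary."""
    host = normalize(host)
    if not pattern.startswith("*."):
        return host == normalize(pattern)
    suffix = normalize(pattern[2:])
    if host == suffix:
        # Assumption: whether '*.' covers the bare domain is product-specific.
        return include_apex
    # The leading dot enforces a label boundary, so a lookalike such as
    # 'xpasswordreset.microsoftonline.com' is not accepted; empty labels fail.
    return host.endswith("." + suffix) and all(host.split("."))

def is_allowed(host: str, include_apex: bool = False) -> bool:
    return any(matches(host, p, include_apex) for p in ALLOWED_PATTERNS)

def classify(hosts, include_apex: bool = False) -> dict:
    """Map each hostname to 'allow' or 'block' under the two patterns."""
    return {h: "allow" if is_allowed(h, include_apex) else "block" for h in hosts}

# Constructed sample hostnames (not taken from a real trace).
SAMPLE_HOSTS = [
    "ssprdemo.passwordreset.microsoftonline.com",     # under first wildcard
    "Example-NS.ServiceBus.Windows.net.",             # mixed case, trailing dot
    "passwordreset.microsoftonline.com",              # bare domain of pattern 1
    "office.com",                                     # must stay blocked
    "www.office.com",
    "login.microsoftonline.com",                      # sibling, not covered
    "xpasswordreset.microsoftonline.com",             # no label boundary
    "passwordreset.microsoftonline.com.example.net",  # suffix is not at the end
]

if __name__ == "__main__":
    for name, verdict in classify(SAMPLE_HOSTS).items():
        print(f"{verdict:5}  {name}")
```

Running `classify(SAMPLE_HOSTS, include_apex=True)` shows the only verdict that changes is the bare `passwordreset.microsoftonline.com` entry, which is the case to confirm against the filter product's own wildcard semantics.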
