Home

Why are some Office 365 network endpoints provided as URLs only with no IP Addresses?

%3CLINGO-SUB%20id%3D%22lingo-sub-310490%22%20slang%3D%22en-US%22%3EWhy%20are%20some%20Office%20365%20network%20endpoints%20provided%20as%20URLs%20only%20with%20no%20IP%20Addresses%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-310490%22%20slang%3D%22en-US%22%3E%3CP%3EI%20get%20asked%20this%20from%20time%20to%20time%20where%20people%20will%20point%20to%20some%20of%20the%20Default%20categorized%20URLs%20at%20%3CA%20href%3D%22http%3A%2F%2Faka.ms%2Fo365ip%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Faka.ms%2Fo365ip%3C%2FA%3E.%20People%20will%20tell%20me%20that%20their%20customer%20uses%20a%20firewall%20which%20can%20only%20be%20configured%20with%20IP%20Addresses%20and%20therefore%20they%20cannot%20use%20URLs%20to%20identify%20Office%20365%20network%20traffic.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHere's%20a%20brief%20explanation%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIP%20Addresses%20for%20network%20endpoints%20that%20are%20categorized%20as%20Optimize%20and%20Allow%20are%20provided%2C%20but%20for%20the%20worldwide%20commercial%20instance%20no%20IP%20Addresses%20are%20provided%20for%20network%20endpoints%20that%20are%20categorized%20as%20Default.%20Instead%20we%20recommend%20customers%20direct%20Office%20365%20network%20traffic%20that%20goes%20to%20Default%20categorized%20endpoints%20to%20their%20default%20Internet%20egress%20location.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThere%20is%20usually%20some%20kind%20of%20proxy%20server%20which%20will%20review%20and%20send%20the%20request%20to%20the%20Internet%20over%20the%20organizations%20firewall%20and%20the%20firewall%20is%20configured%20to%20allow%20network%20traffic%20from%20the%20proxy%20server.%20Network%20traffic%20bound%20for%20Office%20365%20which%20is%20categorized%20as%20Default%20is%20proxy%20aware%20and%20is%20okay%20to%20manage%20in%20this%20way.%20It's%20the%20same%20as%20if%20a%20user%20enters%20a%20new%20URL%20into%20a%20web%20browser.%20The%20user%20doesn't%20have%20to%20provide%20the%20IP%20Address%20for%20that%20URL.%20Instead%20the%20request%20is%20sent%20to%20a%20proxy%20server.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESome%20of%20these%20Default%20categorized%20endpoints%20are%20hosted%20by%20Microsoft%20and%20some%20are%20third%20party%20hosted%20which%20are%20dependencies%20for%20Office%20365%20where%20Microsoft%20doesn't%20control%20the%20IP%20Addresses.%20Microsoft%20would%20never%20be%20able%20to%20publish%20all%20of%20the%20IP%20Addresses%20required%20for%20third%20party%20dependent%20services%20that%20are%20needed%20for%20Office%20365.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20read%20more%20about%20the%20Office%20365%20network%20endpoint%20categorization%20at%20%3CA%20href%3D%22http%3A%2F%2Faka.ms%2Fpnc%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Faka.ms%2Fpnc%3C%2FA%3E.%20If%20you%20have%20an%20environment%20that%20does%20not%20permit%20Internet%20connectivity%20except%20as%20defined%20on%20a%20firewall%20by%20IP%20Addresses%2C%20you%20may%20have%20more%20work%20here%20but%20my%20experience%20is%20that%20commercial%20organizations%20do%20not%20actually%20do%20this.%20They%20instead%20of%20restrictions%20based%20on%20a%20proxy%20server.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20need%20them%2C%20here's%20all%20IP%20Addresses%20assigned%20to%20Microsoft.%20You%20should%20note%20that%20this%20includes%20IP%20Addresses%20used%20for%20Azure%20cloud%20hosting%20so%20this%20list%26nbsp%3Bincludes%20servers%20managed%20and%20controlled%20by%20Microsoft%20customers.%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D53602%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D53602%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-389271%22%20slang%3D%22en-US%22%3ERe%3A%20Why%20are%20some%20Office%20365%20network%20endpoints%20provided%20as%20URLs%20only%20with%20no%20IP%20Addresses%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-389271%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F204%22%20target%3D%22_blank%22%3E%40Paul%20Andrew%3C%2FA%3E%2C%20all%20the%20discussions%20are%20about%20the%20%22Office%20365%22%20Services.%20What's%20about%20the%20Services%20included%20in%20EMS%20(Intune%2C%20AIP%2C%20...)%20or%20other%20like%20Windows%20ATP%2C%20ATA%2C%20...%20services.%3C%2FP%3E%3CP%3EAre%20these%20included%20in%20the%20Office%20365%20list%20of%20(optimized%2C%20allow%2C%20standard)%20endpoints%3F%3C%2FP%3E%3CP%3EI%20could%20not%20find%20any%20url%20that%20indicates%20they%20are%20included%2C%20but%20maybe%20they%20hide%20behind%20some%20of%20the%20IP%20ranges.%3C%2FP%3E%3CP%3Eit%20would%20help%20us%20temandously%20if%20you%20could%20clarify%20this%20and%20a%20link%20to%20the%20endpoint%20optimization%20of%20the%20non%20%22Office%20365%22%20services%20is%20provided.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%3C%2FP%3E%3CP%3EFranck%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Paul Andrew
Microsoft

I get asked this from time to time where people will point to some of the Default categorized URLs at http://aka.ms/o365ip. People will tell me that their customer uses a firewall which can only be configured with IP Addresses and therefore they cannot use URLs to identify Office 365 network traffic.

 

Here's a brief explanation:

 

IP Addresses for network endpoints that are categorized as Optimize and Allow are provided, but for the worldwide commercial instance no IP Addresses are provided for network endpoints that are categorized as Default. Instead we recommend customers direct Office 365 network traffic that goes to Default categorized endpoints to their default Internet egress location.

 

There is usually some kind of proxy server which will review and send the request to the Internet over the organizations firewall and the firewall is configured to allow network traffic from the proxy server. Network traffic bound for Office 365 which is categorized as Default is proxy aware and is okay to manage in this way. It's the same as if a user enters a new URL into a web browser. The user doesn't have to provide the IP Address for that URL. Instead the request is sent to a proxy server.

 

Some of these Default categorized endpoints are hosted by Microsoft and some are third party hosted which are dependencies for Office 365 where Microsoft doesn't control the IP Addresses. Microsoft would never be able to publish all of the IP Addresses required for third party dependent services that are needed for Office 365.

 

You can read more about the Office 365 network endpoint categorization at http://aka.ms/pnc. If you have an environment that does not permit Internet connectivity except as defined on a firewall by IP Addresses, you may have more work here but my experience is that commercial organizations do not actually do this. They instead of restrictions based on a proxy server.

 

If you need them, here's all IP Addresses assigned to Microsoft. You should note that this includes IP Addresses used for Azure cloud hosting so this list includes servers managed and controlled by Microsoft customers. https://www.microsoft.com/en-us/download/details.aspx?id=53602 

 

 

1 Reply

Hi @Paul Andrew, all the discussions are about the "Office 365" Services. What's about the Services included in EMS (Intune, AIP, ...) or other like Windows ATP, ATA, ... services.

Are these included in the Office 365 list of (optimized, allow, standard) endpoints?

I could not find any url that indicates they are included, but maybe they hide behind some of the IP ranges.

it would help us temandously if you could clarify this and a link to the endpoint optimization of the non "Office 365" services is provided.

 

Thanks,

Franck

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
22 Replies
flashing a white screen while open new tab
cntvertex in Discussions on
13 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
28 Replies
PacketMon Components are not loading in WAC 1909
HotCakeX in Windows Admin Center on
2 Replies