Azure AD Connect and ADFS Firewall ports

Michele Casazza
Occasional Contributor

I have the same setup as in the picture except for the Health Agent.

I can't find any specifics on the required firewall ports for AAD Connect traffic (especially inbound). Table 2 in this article refers to this list of IPs, but it doesn't seem right that to allow AAD Connect communication one has to open all these IPs, which refer to Office 365 services anyway, so I am a bit lost.

The arrow between AAD Connect server and AAD is bidirectional, so I assume traffic flows both ways, unless the incoming only refers to the Health agent. Can it be that AAD Connect only needs outbound traffic and not inbound?

I have seen similar questions in other forums but things seem to have changed, or at least are still unclear to me.

Azure AD Connect and Azure AD Connection Issue

AZure AD connect and Azure AD firewall

2 Replies

@Michele Casazza :)

Please refer to https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites#...

Then, to see exactly which ports need to be opened both inbound and outbound, refer to https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-ports, and for URLs as well.

Lastly, if you still suspect connectivity issues, please troubleshoot using this guide - https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-connectivity

Cheers!!

Ankit Shukla

@ankit shukla thanks, but I already went through those documents. My question is more specific, that's why I referenced the details in the tables. Please re-read my post :)