Announcing: Office 365 endpoint categories and Office 365 IP Address and URL web service

Paul Andrew · ‎Apr 02 2018

[Originally published for the preview on 4/2/2018 and updated on 7/6/2018. Updated for GA on 9/5/2018]

Announcing: The IP Address and URL web services are generally available from 5th September, 2018.

Microsoft recently published a set of connectivity principles for Office 365 which provides concise guidance on the recommended ways of achieving optimal performance and connectivity to Office 365. The first of these principles is to Identify and differentiate Office 365 network traffic using Microsoft published endpoints. Endpoints include IP Addresses and URLs that are used to connect to Office 365.

The primary benefits of using these web services are that they share the endpoint categories which significantly simplify network perimeter configuration, they are fully automated including automated validation testing them, they can be loaded directly into network devices, and they help automate change management to avoid change related outages. The endpoint categories identify a vital few key network endpoints in the Optimize and Allow categories for Office 365 for which we recommend direct Internet egress.

We use web services because they are easier for customers scripts and network devices to call than web pages. Specific scenarios where you might need this data include:

Updating your perimeter firewall to allow Office 365 network connectivity.
Updating your enterprise proxy server to allow connectivity to Office 365 URLs.
Edit PAC files on your users computers to bypass proxy servers.
Bypassing an SSL decrypting network device for Office 365 network traffic.
Bypassing a CASB service for Office 365 network traffic.
Selecting endpoints for bypassing proxy servers and routing for direct internet access at a branch office user location.

These web services directly offer Office 365 IP Address and URL data in JSON, and CSV format for all five Office 365 service instances including Office 365 worldwide commercial, Office 365 operated by 21 Vianet, Office 365 Germany, Office 365 U.S. Government DoD, and Office 365 U.S. Government GCC High. We also generate HTML pages from the data and RSS feeds are available from the web services to help with change notification.

Here’s a few quick links to the web services you can access right in a web browser. These links are provided for the worldwide Office 365 commercial instance as examples only.

Get the latest version number for the Office 365 worldwide service instance
https://endpoints.office.com/version/worldwide?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7
Get the current endpoints for the Office 365 worldwide service instance excluding IPv6 IP Addresses
https://endpoints.office.com/endpoints/worldwide?noipv6&ClientRequestId=b10c5ed1-bad1-445f-b386-b919...
Changes to the Office 365 worldwide service instance since 20180828
https://endpoints.office.com/changes/worldwide/2018072800?ClientRequestId=b10c5ed1-bad1-445f-b386-b9...
The RSS feed for changes to the Office 365 worldwide service instance
https://endpoints.office.com/version/worldwide?allversions=true&format=rss&clientrequestid=b10c5ed1-...

The current XML file and the old RSS feed will be available until October 2nd, 2018. If you have automation that uses the XML format, you should update that to use the JSON format data. If you are using the old RSS feed you should either move to the new RSS feed, or use the sample Microsoft Flow we have published for getting emails on changes. Developer usage documentation for the IP Address and URL web services are detailed in Managing Office 365 Endpoints – Web Service.

The web services include three categories for Office 365 network endpoints as attributes of this data which can be used to simplify management of perimeter network devices:

Optimize for a small number of endpoints that require low latency unimpeded connectivity which should bypass proxy servers, network SSL break and inspect devices, and network hairpins. Direct Internet access, such as with SDWAN, is recommended for these endpoints.
Allow for a larger number of endpoints that benefit from low latency unimpeded connectivity but do not require it. It is required to bypass SSL break and inspect on these endpoints and to avoid proxy authentication. Although not expected to cause failures, we also recommend bypassing proxy servers entirely, network hairpins, and other network intermediary devices on these endpoints. Good connectivity to these endpoints is required for Office 365 to operate normally.
Default for other Office 365 endpoints which can be directed to the default internet egress location for the company WAN.

Use of these categories, how they simplify connectivity to Office 365, and what actions you can take to make use of them is detailed in Office 365 Network Connectivity Principles.

The web services and data contained in it are supported by Microsoft. However, you do not need to connect to these web services in order to use Office 365. Keep a local copy of the data and just call them again to check for changes. If you are ever unable to connect to the web services, just use the data you have previously downloaded. When a change is notified, you should have 30 days to make updates.

Documentation links:

Managing Office 365 endpoints – Web Service (including usage documentation for the IP/URL web service)
Office 365 Network Connectivity Principles (including Office 365 endpoint categories)
Using Microsoft Flow to get an email for endpoint changes
Migrating to the new web services based publishing for Office 365 IP Addresses and URLs
Office 365 Tech Community Office 365 Networking Space for questions about use of the web services

Paul Andrew · ‎Sep 03 2018

Hi @Steve Ianson, it's not a mistake. The change you pasted in shows that endpoint set ID 24 was removed and when you look at the new endpoints web method, you find that ID 24 no longer exists. This is consistent with it being removed. You would have to go back to old versions of the endpoint web method to see ID 24.

Regards,

Paul

rob oravec · ‎Sep 10 2018

Hi @Paul Andrew,

Thank you for your work on this.

Some queries around the /changes method please.

Firstly I need some clarity on the disposition please.

Change - This is adding or removing from an existing endpointset?

Add - This is adding a new endpointset?

Remove - This is removing an existing endpointset?

If the above is correct, and in the case of 'Add' for example, how would I know what Category (Optimize, Allow, Default) this new endpointset belongs to (aside from re-running the /endpoints method to get the latest data) as I am only bothered about Optimize and Allow endpoints?

Would it not help to have Category include in the /changes method?

Essentially I am looking to report changes but only if they fall under the Optimize or Allow categories, the /endpoints method would obviously have been run previously.

Many thanks in advance.

RobO

Arjan Anthonisse · ‎Sep 10 2018

We have a customer that uses the XML file. They have trouble using Exchange Online.

The clients try to connect to 40.101.88.200 and 40.101.8.168, but those addresses are not in the XML.

I checked the new list and the addresses are missing there too.

What is wrong? The list, the client or DNS?

rob oravec · ‎Sep 10 2018

@Arjan Anthonisse

40.96.0.0/13 = 40.96.0.0 - 40.103.255.255

That is in the new /endpoint method and the XML.

RobO

Arjan Anthonisse · ‎Sep 10 2018

@rob oravec

Yes, thanks. I found out myself too after remembering to calculate the subnets.

Paul Andrew · ‎Sep 10 2018

Hi @rob oravec,

You should take a look at the doc page which defines what each of those attributes are. https://docs.microsoft.com/en-us/Office365/Enterprise/office-365-ip-web-service#changes-web-method

The web service call model recommended is to call /version regularly, and when you get a new version call both /changes and /endpoints. There's no plan to include all of the /endpoints details in the /changes API.

Regards,

Paul

Mark Joseph Eser Eser Barbadillo · ‎Oct 14 2018

Nice Sharing. I just have one concern. In support perspective. How Microsoft frequently changing IP's which significantly impacting our customer enterprise environment. Do we have any site or portal that we can refer to for any Office 365 service URL and IP's if it gets update?

Steve Ianson · ‎Oct 15 2018

Hi,

We're querying the version web service every hour. The last 2 Saturdays there's been a problem during the same time window (03:00 GMT+1 operation timeout and then intermittently 500 Internal server error until 11:00). Seems too much of a coincidence that it's been fine 24*7 all other days so I'm guessing something is happening this time on a Saturday?

Are there any known maintenance windows we should avoid when polling the service?

Thanks and regards

Steve

Paul Andrew · ‎Oct 15 2018

@Steve Ianson there's no maintenance window. Can you private message me the client request ID that you are using where you saw the errors so that we can look in our logs.

Regards,

Paul

Paul Andrew · ‎Oct 15 2018

@Mark Joseph Eser Eser Barbadillo there are several ways to keep track of changes to Office 365 IP Addresses and URLs. You can subscribe to the RSS feed that we publish at http://aka.ms/o365ip. You can also use the web services which provide updates on the latest version and changes as documented at http://aka.ms/ipurlws. You can also use this example Microsoft Flow which can generate emails and approval cycles within your organization: https://techcommunity.microsoft.com/t5/Office-365-Networking/Use-Microsoft-Flow-to-receive-an-email-...

Regards,

Paul

Mark Joseph Eser Eser Barbadillo · ‎Oct 15 2018

@Steve Ianson, here is the required ID for this complain: 11619785. And that seems we have running issue with SharePoint connectivity as well since OneNote file keep prompting for username and password.

@Paul Andrew, thanks for the info. I'll walk through on it and disseminate to the team.

Massimo M · ‎Oct 16 2018

Hi all, I can't understand how to obtain a simple csv with all IPv4 O365 services from Powershell. I've already tried with the example script on the bottom of the webpage (https://docs.microsoft.com/it-it/Office365/Enterprise/office-365-ip-web-service) but I cannot have the formatted list with these columns: SERVICES - IP Thanks to all

Steve Ianson · ‎Oct 16 2018

@Massimo M

If you're literally after a distinct list of IPv4 by service area and don't care about ports/expressroute etc. then hopefully below should help:

$callerID='67e3114e-f6ab-4dea-97bd-f1ff2acfe882'
#replace this guid with your own (type [guid]::NewGuid().guid to generate a random guid)

#url to call endpoints method with your id and specifying noipv6
$worldWideIP4URL="https://endpoints.office.com/endpoints/Worldwide?NoIPv6=true&ClientRequestId=$callerID"

#make the call
$resultSet=Invoke-RestMethod $worldWideIP4URL

#filter to just those with IP addresses
$resultSetWithIps=$resultSet|Where-Object{$_.ips}

#There may be duplicate IPs listed in a service area so one way to filter to unique IPs per service area is to use hash tables
#Use one hash table for the service areas (key is service area), then for each service area its value is another hashtable containing ips
$serviceAreasHashTable=@{}

#Iterate through each of the returned endpoints
foreach($endpoint in $resultSetWithIps) {
	$serviceAreaDisplayName=$endpoint.serviceAreaDisplayName #get display name of service

	if(!$serviceAreasHashTable.Contains($serviceAreaDisplayName)) {#If we haven't already seen this service yet
		$serviceAreasHashTable.Add($serviceAreaDisplayName,@{}) #add to our hash table and make its value be another hash table (to hold the ips)
	}

	foreach($ip in $endpoint.ips) { #iterate through all the ips for this endpoint
		$serviceAreasHashTable."$serviceAreaDisplayName".$ip='' #store in the 'inner' hash table
	}
}

<#
$serviceAreasHashTable now looks something like this
Name                           Value
----                           -----
SharePoint Online and OneDr... {13.107.9.168/32, 191.235.0.0/20, 13.107.6.150/31, 13.107.6.168/32...}
Exchange Online                {111.221.112.0/21, 213.199.154.0/24, 207.46.163.0/24, 131.253.33.215/32...}
Skype for Business Online a... {138.91.237.237/32, 13.73.1.120/32, 13.89.240.113/32, 13.72.245.115/32...}
Microsoft 365 Common and Of... {13.78.120.70/32, 23.99.109.44/32, 65.52.148.27/32, 104.211.88.16/28...}
#>

$output=@() #an array to hold output ready for csv
#iterate through our service areas hashtable

foreach($serviceArea in $serviceAreasHashTable.keys) {
	#for each service area, iterate through the list of IPs
	foreach($ip in $serviceAreasHashTable.$serviceArea.keys) {
		$output+=New-Object PSObject -Property @{"ServiceArea"=$serviceArea;"IP"=$ip} #add to output array
	}
}

#lastly export output to csv
$output|Export-CSV "youroutputFile.csv" -NoTypeInformation

Massimo M · ‎Oct 17 2018

@Steve Ianson KUDOS FOR YOU!

Many thanks.

null null · ‎Oct 23 2018

Hi,
If I get ClientRequestId once, do I need to get it again?
Once acquired it is permanently usable?
Regards,

Steve Ianson · ‎Oct 24 2018

Hi,

You generate your own random guid (you aren't issued one) and you use that in all your calls:

As per https://docs.microsoft.com/en-us/Office365/Enterprise/office-365-ip-web-service

ClientRequestId - Query string parameter. A required GUID that you generate for client association. You should generate a GUID for each machine that calls the web service. Do not use the GUIDs shown in the following examples because they may be blocked by the web service in the future. GUID format is xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, where x represents a hexadecimal number. To generate a GUID, use the New-Guid PowerShell command.

Regards

Steve

null null · ‎Oct 30 2018

@Steve Ianson,

Thank you for your answer.
Do I need to periodically use the New-Guid PowerShell command for each machine that invokes the Web service?
Does the acquired ClientRequestId have an expiration date?

Regards

Steve Ianson · ‎Oct 31 2018

Hi,

I'm only going by the documentation, but no:

My understanding is it's used to uniquely identify every client machine calling the web service (helps with logging / troubleshooting etc), not for authentication.

So generate a guid for each client you're calling from and use it on that machine indefinitely.

Regards

Steve

jaffer.jobs jaffer.jobs · ‎Nov 02 2018

Thanks Paul

Lets say i want to get FQDN's and IP's for a single application say "YAMMER".

Documentation states - "notes - For optional endpoints, this text describes Office 365 functionality that will be missing if IP addresses or URLs in this endpoint set cannot be accessed at the network layer. Omitted if blank."

Old XML had a product called "YAMMER" and FQDN's and IP's specific to YAMMER.

now for the achieving same effect Can i rely on notes field part of endpoints and extract FQDN's and IP's for "YAMMER" ?

And Can i assume the notes will be updated and maintained just like IPS's and FQDN's ?

Paul Andrew · ‎Nov 02 2018

@jaffer.jobs jaffer.jobs I'm answering on the other pate you posted this since that page includes the answer in the original article.

Regards,

Paul

Xavier Barros · ‎Nov 05 2018

Hi,

Quick question. How can this be (see below) ?

Effective date is older than version date by more than a month ? I have seen other cases in the 2018102900 version where effective date was 20181025 as well. We are supposed to get a month's notice, not to get noticed a month after the changes have actually been implemented !

{
"id": 232,
"endpointSetId": 73,
"disposition": "Change",
"version": "2018102900",
"add": {
"effectiveDate": "20180918",
"urls": [
"informationprotection.hosting.portal.azure.net"
]
}
},

Best regards,

Steve Ianson · ‎Nov 05 2018

@Xavier Barros:

I don't understand this either: the effective date rarely appears to be in the future and when it is, it's only by 1 day. Most of the time, it's in the past.

When the old RSS feed was still being updated, there were examples where the effective date on the feed was 30 days in the future but at the same time, according to the REST service it was the same day/in the past.

For example - RSS feed - note publish date is 01 Aug, effective date was 1st September:

<item>
<description>
Adding a URL; 1/[Effective 9/1/2018. Required: Office 365 Video and Microsoft Stream. ExpressRoute: No. amsglob0cdnstream12.azureedge.net]. Notes: Adding URL.
</description>
<guid>05dfb303-bfd5-4029-be71-07efa204cfc4</guid>
<link>http://aka.ms/o365endpoints</link>
<pubDate>Wed, 01 Aug 2018 08:52:55 GMT</pubDate>
<title>Office 365 Video and Microsoft Stream</title>
</item>

This appears to be the JSON equivalent from the REST service:

  {
    "id": 11,
    "endpointSetId": 42,
    "disposition": "Change",
    "version": "2018073000",
    "add": {
      "effectiveDate": "20180726",
      "urls": [
        "amsglob0cdnstream12.azureedge.net"
      ]
    }
  },

For 'add' entries we're currently ignoring effective date and just assuming it's publish date + 30days because we have nothing else to go on that makes any sense.

Regards

Steve

Paul Andrew · ‎Nov 05 2018

Hi @Steve Ianson and @Xavier Barros,

We publish the effective date as the date provided by the engineering team that owns the change. You see the actual date in the web service /changes/ data whether it includes the 30 days notice of adding an endpoint or not.

Regards,

Paul

Steve Ianson · ‎Nov 06 2018

Hi Paul,

Thanks for the reply. I'm still struggling to understand this though :(

So whenever a new url/ip is added, how do we know how long we have to action this, ie before the IP or url starts being used? I know the policy states we get 30 days' notice.

I only know of 2 dates which are published: the effective date (available in the changes REST service) which is the one that always seems to be in the past or up to I think at most 1 day in the future, and the version number (from the endpoints REST service) from which you can derive the date (which is never in the future).

Do we assume it's version published date plus 30 days? And if so, how would we know if there was ever an exception to the rule requiring an emergency update with less than 30 days' notice?

Thanks

Steve

aarone · ‎Dec 11 2018

I'm sure this change has been helpful to a lot of people with complex Office 365 integrations, but for someone like me that simply has EOP (email passing through Exchange Online and delivering to my on prem. exchange server) with all mailboxes on prem, it's pretty confusing. I spent a few hours jumping through various things and I don't fell confident that I have the correct list of IP addresses that I should be allowing on my receive connector. Can anyone very specifically identify where I can find that list of IPs?

Paul Andrew · ‎Dec 12 2018

Hello @aarone,

If you want to see where Office 365 sends email from today, you should use SPF records. You can view the Office 365 SPF record with this Windows command prompt command:

nslookup -type=txt spf.protection.outlook.com

The IP Address ranges that we publish on the web service include these and additional ones that may be used in the future. This is the list that we recommend enterprise customers apply to firewalls so that they do not experience outages due to failure to address changes and so that configuration for all of Office 365 is simplified. This PowerShell command will get you the EOP ranges from the web service:

(invoke-restmethod -Uri ("https://endpoints.office.com/endpoints/WorldWide?serviceareas=exchange&clientrequestid=" + ([GUID]::NewGuid()).Guid)) | ?{$_.category -in ("Optimize", "Allow") -and $_.serviceArea -eq "Exchange" }

Regards,

Paul

tboggs · ‎Dec 13 2018

I can't find the following IP Addresses (or inclusive subnets) in either the worldwide Endpoints list, even though the URLs are present:

tasks.office.com - 13.107.6.160

Worldwide Endpoints 201811280 with a first octet of 13.

13.106.4.128/25
13.106.56.0/25
13.107.128.0/22
13.107.136.0/22
13.107.140.6/32
13.107.18.10/31
13.107.19.10/31
13.107.3.0/24
13.107.6.150/31
13.107.6.152/31
13.107.6.156/31
13.107.6.168/32
13.107.6.171/32
13.107.64.0/18
13.107.7.190/31
13.107.9.150/31
13.107.9.152/31
13.107.9.156/31
13.107.9.168/32
13.67.50.224/29
13.70.151.216/32
13.71.127.197/32
13.71.201.64/26
13.72.245.115/32
13.73.1.120/32
13.75.126.169/32
13.75.48.16/29
13.75.80.16/29
13.80.125.22/32
13.84.178.101/32
13.89.240.113/32
13.91.91.243/32

Same with watchdog.servicebus.windows.net - 70.37.104.240

Am I not getting the entire list?

Paul Andrew · ‎Dec 13 2018

Hello @tboggs, tasks.office.com is in the Default category of endpoints. You're commenting on the page announcing the endpoints categories here :) The Default category endpoints should be directed to the default Internet egress location and this should not require IP Addresses.

Regards,

Paul

gryonatan · ‎Dec 26 2018

Hi everyone,

we are trying to update our PAC to bypass our proxy for all office365 traffic.

the script on https://docs.microsoft.com/en-us/office365/enterprise/managing-office-365-endpoints#use-a-pac-file-f...

seem to only fetch very partial results when run like this:

>Get-PacFile.ps1 -Type 2 -Instance Worldwide -TenantName redacted -ClientRequestId b10c5ed1-bad1-445f-b386-b919946339a7 -Verbose -ServiceAreas Exchange,Skype,SharePoint,Common

result output:

if(shExpMatch(host, "quicktips.skypeforbusiness.com"))
    {
        return proxyServer;
    }

    if(shExpMatch(host, "*.broadcast.skype.com")
        || shExpMatch(host, "*.lync.com")
        || shExpMatch(host, "*.mail.protection.outlook.com")
        || shExpMatch(host, "*.manage.office.com")
        || shExpMatch(host, "*.msappproxy.net")
        || shExpMatch(host, "*.outlook.office.com")
        || shExpMatch(host, "*.portal.cloudappsecurity.com")
        || shExpMatch(host, "*.protection.office.com")
        || shExpMatch(host, "*.protection.outlook.com")
        || shExpMatch(host, "*.skypeforbusiness.com")
        || shExpMatch(host, "*.teams.microsoft.com")
        || shExpMatch(host, "*broadcast.officeapps.live.com")
        || shExpMatch(host, "*excel.officeapps.live.com")
        || shExpMatch(host, "*onenote.officeapps.live.com")
        || shExpMatch(host, "*powerpoint.officeapps.live.com")
        || shExpMatch(host, "*view.officeapps.live.com")
        || shExpMatch(host, "*visio.officeapps.live.com")
        || shExpMatch(host, "*word-edit.officeapps.live.com")
        || shExpMatch(host, "*word-view.officeapps.live.com")
        || shExpMatch(host, "account.activedirectory.windowsazure.com")
        || shExpMatch(host, "account.office.net")
        || shExpMatch(host, "accounts.accesscontrol.windows.net")
        || shExpMatch(host, "admin.microsoft.com")
        || shExpMatch(host, "adminwebservice.microsoftonline.com")
        || shExpMatch(host, "apc.delve.office.com")
        || shExpMatch(host, "api.login.microsoftonline.com")
        || shExpMatch(host, "api.passwordreset.microsoftonline.com")
        || shExpMatch(host, "aus.delve.office.com")
        || shExpMatch(host, "autologon.microsoftazuread-sso.com")
        || shExpMatch(host, "becws.microsoftonline.com")
        || shExpMatch(host, "broadcast.skype.com")
        || shExpMatch(host, "can.delve.office.com")
        || shExpMatch(host, "clientconfig.microsoftonline-p.net")
        || shExpMatch(host, "companymanager.microsoftonline.com")
        || shExpMatch(host, "delve.office.com")
        || shExpMatch(host, "device.login.microsoftonline.com")
        || shExpMatch(host, "eur.delve.office.com")
        || shExpMatch(host, "gbr.delve.office.com")
        || shExpMatch(host, "graph.microsoft.com")
        || shExpMatch(host, "graph.windows.net")
        || shExpMatch(host, "hip.microsoftonline-p.net")
        || shExpMatch(host, "hipservice.microsoftonline.com")
        || shExpMatch(host, "home.office.com")
        || shExpMatch(host, "ind.delve.office.com")
        || shExpMatch(host, "jerusalemmunicipality.sharepoint.com")
        || shExpMatch(host, "jerusalemmunicipality-my.sharepoint.com")
        || shExpMatch(host, "jpn.delve.office.com")
        || shExpMatch(host, "kor.delve.office.com")
        || shExpMatch(host, "lam.delve.office.com")
        || shExpMatch(host, "login.microsoft.com")
        || shExpMatch(host, "login.microsoftonline.com")
        || shExpMatch(host, "login.microsoftonline-p.com")
        || shExpMatch(host, "login.windows.net")
        || shExpMatch(host, "logincert.microsoftonline.com")
        || shExpMatch(host, "loginex.microsoftonline.com")
        || shExpMatch(host, "login-us.microsoftonline.com")
        || shExpMatch(host, "manage.office.com")
        || shExpMatch(host, "nam.delve.office.com")
        || shExpMatch(host, "nexus.microsoftonline-p.com")
        || shExpMatch(host, "nexus.officeapps.live.com")
        || shExpMatch(host, "nexusrules.officeapps.live.com")
        || shExpMatch(host, "office.live.com")
        || shExpMatch(host, "outlook.office.com")
        || shExpMatch(host, "outlook.office365.com")
        || shExpMatch(host, "passwordreset.microsoftonline.com")
        || shExpMatch(host, "portal.microsoftonline.com")
        || shExpMatch(host, "portal.office.com")
        || shExpMatch(host, "protection.office.com")
        || shExpMatch(host, "provisioningapi.microsoftonline.com")
        || shExpMatch(host, "smtp.office365.com")
        || shExpMatch(host, "suite.office.net")
        || shExpMatch(host, "teams.microsoft.com")
        || shExpMatch(host, "webshell.suite.office.com")
        || shExpMatch(host, "www.office.com"))
    {
        return direct;
    }

for comparison, the PS script that worked with XML list gave this larger output the last time it worked:

if (
shExpMatch(host, "*.aadrm.com")||
dnsDomainIs(host, "*.aadrm.com")||
shExpMatch(host, "*.adhybridhealth.azure.com")||
dnsDomainIs(host, "*.adhybridhealth.azure.com")||
shExpMatch(host, "*.adl.windows.com")||
dnsDomainIs(host, "*.adl.windows.com")||


shExpMatch(host, "*.api.skype.com")||
dnsDomainIs(host, "*.api.skype.com")||
shExpMatch(host, "*.aria.microsoft.com")||
dnsDomainIs(host, "*.aria.microsoft.com")||
shExpMatch(host, "*.asm.skype.com")||
dnsDomainIs(host, "*.asm.skype.com")||
shExpMatch(host, "*.assets-yammer.com")||
dnsDomainIs(host, "*.assets-yammer.com")||


shExpMatch(host, "*.azurerms.com")||
dnsDomainIs(host, "*.azurerms.com")||
shExpMatch(host, "*.blob.core.windows.net")||
dnsDomainIs(host, "*.blob.core.windows.net")||
shExpMatch(host, "*.broadcast.skype.com")||
dnsDomainIs(host, "*.broadcast.skype.com")||
shExpMatch(host, "*.broker.skype.com")||
dnsDomainIs(host, "*.broker.skype.com")||
shExpMatch(host, "*.cc.skype.com")||
dnsDomainIs(host, "*.cc.skype.com")||
shExpMatch(host, "*.cdn.office.net")||
dnsDomainIs(host, "*.cdn.office.net")||
shExpMatch(host, "*.cloudapp.net")||
dnsDomainIs(host, "*.cloudapp.net")||
shExpMatch(host, "*.config.skype.com")||
dnsDomainIs(host, "*.config.skype.com")||
shExpMatch(host, "*.conv.skype.com")||
dnsDomainIs(host, "*.conv.skype.com")||
shExpMatch(host, "*.cqd.lync.com")||
dnsDomainIs(host, "*.cqd.lync.com")||
shExpMatch(host, "*.dc.trouter.io")||
dnsDomainIs(host, "*.dc.trouter.io")||
shExpMatch(host, "*.entrust.net")||
dnsDomainIs(host, "*.entrust.net")||
shExpMatch(host, "*.geotrust.com")||
dnsDomainIs(host, "*.geotrust.com")||
shExpMatch(host, "*.helpshift.com")||
dnsDomainIs(host, "*.helpshift.com")||
shExpMatch(host, "*.hockeyapp.net")||
dnsDomainIs(host, "*.hockeyapp.net")||
shExpMatch(host, "*.infra.lync.com")||
dnsDomainIs(host, "*.infra.lync.com")||
shExpMatch(host, "*.keydelivery.mediaservices.windows.net")||
dnsDomainIs(host, "*.keydelivery.mediaservices.windows.net")||
shExpMatch(host, "*.localytics.com")||
dnsDomainIs(host, "*.localytics.com")||
shExpMatch(host, "*.log.optimizely.com")||
dnsDomainIs(host, "*.log.optimizely.com")||
shExpMatch(host, "*.lync.com")||
dnsDomainIs(host, "*.lync.com")||
shExpMatch(host, "*.mail.protection.outlook.com")||
dnsDomainIs(host, "*.mail.protection.outlook.com")||
shExpMatch(host, "*.manage.office.com")||
dnsDomainIs(host, "*.manage.office.com")||


shExpMatch(host, "*.microsoft.com")||
dnsDomainIs(host, "*.microsoft.com")||
shExpMatch(host, "*.microsoftonline.com")||
dnsDomainIs(host, "*.microsoftonline.com")||
shExpMatch(host, "*.microsoftonline-p.com")||
dnsDomainIs(host, "*.microsoftonline-p.com")||
shExpMatch(host, "*.microsoftonline-p.net")||
dnsDomainIs(host, "*.microsoftonline-p.net")||
shExpMatch(host, "*.msecnd.net")||
dnsDomainIs(host, "*.msecnd.net")||
shExpMatch(host, "*.msedge.net")||
dnsDomainIs(host, "*.msedge.net")||
shExpMatch(host, "*.msg.skype.com")||
dnsDomainIs(host, "*.msg.skype.com")||
shExpMatch(host, "*.msocdn.com")||
dnsDomainIs(host, "*.msocdn.com")||
shExpMatch(host, "*.mstea.ms")||
dnsDomainIs(host, "*.mstea.ms")||


shExpMatch(host, "*.office.com")||
dnsDomainIs(host, "*.office.com")||
shExpMatch(host, "*.office.net")||
dnsDomainIs(host, "*.office.net")||
shExpMatch(host, "*.office365.com")||
dnsDomainIs(host, "*.office365.com")||
shExpMatch(host, "*.omniroot.com")||
dnsDomainIs(host, "*.omniroot.com")||
shExpMatch(host, "*.onenote.com")||
dnsDomainIs(host, "*.onenote.com")||
shExpMatch(host, "*.online.lync.com")||
dnsDomainIs(host, "*.online.lync.com")||
shExpMatch(host, "*.onmicrosoft.com")||
dnsDomainIs(host, "*.onmicrosoft.com")||
shExpMatch(host, "*.outlook.com")||
dnsDomainIs(host, "*.outlook.com")||
shExpMatch(host, "*.outlook.office.com")||
dnsDomainIs(host, "*.outlook.office.com")||
shExpMatch(host, "*.phonefactor.net")||
dnsDomainIs(host, "*.phonefactor.net")||
shExpMatch(host, "*.pipe.aria.microsoft.com")||
dnsDomainIs(host, "*.pipe.aria.microsoft.com")||
shExpMatch(host, "*.pipe.skype.com")||
dnsDomainIs(host, "*.pipe.skype.com")||
shExpMatch(host, "*.portal.cloudappsecurity.com")||
dnsDomainIs(host, "*.portal.cloudappsecurity.com")||
shExpMatch(host, "*.protection.office.com")||
dnsDomainIs(host, "*.protection.office.com")||
shExpMatch(host, "*.protection.outlook.com")||
dnsDomainIs(host, "*.protection.outlook.com")||
shExpMatch(host, "*.public-trust.com")||
dnsDomainIs(host, "*.public-trust.com")||
shExpMatch(host, "*.queue.core.windows.net")||
dnsDomainIs(host, "*.queue.core.windows.net")||
shExpMatch(host, "*.resources.lync.com")||
dnsDomainIs(host, "*.resources.lync.com")||
shExpMatch(host, "*.search.production.apac.trafficmanager.net")||
dnsDomainIs(host, "*.search.production.apac.trafficmanager.net")||
shExpMatch(host, "*.search.production.emea.trafficmanager.net")||
dnsDomainIs(host, "*.search.production.emea.trafficmanager.net")||
shExpMatch(host, "*.search.production.us.trafficmanager.net")||
dnsDomainIs(host, "*.search.production.us.trafficmanager.net")||
shExpMatch(host, "*.secure.skypeassets.com")||
dnsDomainIs(host, "*.secure.skypeassets.com")||
shExpMatch(host, "*.servicebus.windows.net")||
dnsDomainIs(host, "*.servicebus.windows.net")||
shExpMatch(host, "*.sfbassets.com")||
dnsDomainIs(host, "*.sfbassets.com")||
shExpMatch(host, "*.sharepoint.com")||
dnsDomainIs(host, "*.sharepoint.com")||
shExpMatch(host, "*.sharepointonline.com")||
dnsDomainIs(host, "*.sharepointonline.com")||
shExpMatch(host, "*.skypeforbusiness.com")||
dnsDomainIs(host, "*.skypeforbusiness.com")||
shExpMatch(host, "*.staffhub.office.com")||
dnsDomainIs(host, "*.staffhub.office.com")||
shExpMatch(host, "*.store.core.windows.net")||
dnsDomainIs(host, "*.store.core.windows.net")||
shExpMatch(host, "*.streaming.mediaservices.windows.net")||
dnsDomainIs(host, "*.streaming.mediaservices.windows.net")||
shExpMatch(host, "*.svc.ms")||
dnsDomainIs(host, "*.svc.ms")||
shExpMatch(host, "*.symcb.com")||
dnsDomainIs(host, "*.symcb.com")||
shExpMatch(host, "*.symcd.com")||
dnsDomainIs(host, "*.symcd.com")||
shExpMatch(host, "*.table.core.windows.net")||
dnsDomainIs(host, "*.table.core.windows.net")||
shExpMatch(host, "*.teams.microsoft.com")||
dnsDomainIs(host, "*.teams.microsoft.com")||
shExpMatch(host, "*.teams.skype.com")||
dnsDomainIs(host, "*.teams.skype.com")||
shExpMatch(host, "*.tenor.com")||
dnsDomainIs(host, "*.tenor.com")||
shExpMatch(host, "*.um.outlook.com")||
dnsDomainIs(host, "*.um.outlook.com")||
shExpMatch(host, "*.urlp.sfbassets.com")||
dnsDomainIs(host, "*.urlp.sfbassets.com")||
shExpMatch(host, "*.users.storage.live.com")||
dnsDomainIs(host, "*.users.storage.live.com")||
shExpMatch(host, "*.verisign.com")||
dnsDomainIs(host, "*.verisign.com")||
shExpMatch(host, "*.verisign.net")||
dnsDomainIs(host, "*.verisign.net")||
shExpMatch(host, "*.windows.net")||
dnsDomainIs(host, "*.windows.net")||
shExpMatch(host, "*.yammer.com")||
dnsDomainIs(host, "*.yammer.com")||
shExpMatch(host, "*.yammerusercontent.com")||
dnsDomainIs(host, "*.yammerusercontent.com")||
shExpMatch(host, "*broadcast.officeapps.live.com")||
dnsDomainIs(host, "*broadcast.officeapps.live.com")||
shExpMatch(host, "*cdn.onenote.net")||
dnsDomainIs(host, "*cdn.onenote.net")||
shExpMatch(host, "*excel.officeapps.live.com")||
dnsDomainIs(host, "*excel.officeapps.live.com")||
shExpMatch(host, "*-files.sharepoint.com")||
dnsDomainIs(host, "*-files.sharepoint.com")||
shExpMatch(host, "*-my.sharepoint.com")||
dnsDomainIs(host, "*-my.sharepoint.com")||
shExpMatch(host, "*-myfiles.sharepoint.com")||
dnsDomainIs(host, "*-myfiles.sharepoint.com")||
shExpMatch(host, "*onenote.officeapps.live.com")||
dnsDomainIs(host, "*onenote.officeapps.live.com")||
shExpMatch(host, "*powerpoint.officeapps.live.com")||
dnsDomainIs(host, "*powerpoint.officeapps.live.com")||
shExpMatch(host, "*view.officeapps.live.com")||
dnsDomainIs(host, "*view.officeapps.live.com")||
shExpMatch(host, "*visio.officeapps.live.com")||
dnsDomainIs(host, "*visio.officeapps.live.com")||
shExpMatch(host, "*word-edit.officeapps.live.com")||
dnsDomainIs(host, "*word-edit.officeapps.live.com")||
shExpMatch(host, "*word-view.officeapps.live.com")||
dnsDomainIs(host, "*word-view.officeapps.live.com")||
isInNet(host,"104.146.0.0","255.255.224.0")||
isInNet(host,"104.146.128.0","255.255.128.0")||
isInNet(host,"104.209.144.16","255.255.255.248")||
isInNet(host,"104.210.208.16","255.255.255.248")||
isInNet(host,"104.210.220.25","255.255.255.255")||
isInNet(host,"104.210.48.8","255.255.255.248")||
isInNet(host,"104.210.83.160","255.255.255.248")||
isInNet(host,"104.211.16.16","255.255.255.248")||
isInNet(host,"104.211.216.32","255.255.255.224")||
isInNet(host,"104.211.48.16","255.255.255.248")||
isInNet(host,"104.211.88.16","255.255.255.240")||
isInNet(host,"104.214.107.57","255.255.255.255")||
isInNet(host,"104.214.146.199","255.255.255.255")||
isInNet(host,"104.215.11.144","255.255.255.255")||
isInNet(host,"104.215.144.64","255.255.255.248")||
isInNet(host,"104.215.184.16","255.255.255.248")||
isInNet(host,"104.215.28.42","255.255.255.255")||
isInNet(host,"104.215.62.195","255.255.255.255")||
isInNet(host,"104.215.96.24","255.255.255.248")||
isInNet(host,"104.40.179.160","255.255.255.255")||
isInNet(host,"104.40.211.46","255.255.255.255")||
isInNet(host,"104.40.234.17","255.255.255.255")||
isInNet(host,"104.40.240.48","255.255.255.240")||
isInNet(host,"104.41.13.120","255.255.255.248")||
isInNet(host,"104.41.216.16","255.255.255.240")||
isInNet(host,"104.42.230.91","255.255.255.255")||
isInNet(host,"104.42.72.16","255.255.255.248")||
isInNet(host,"104.43.208.16","255.255.255.248")||
isInNet(host,"104.43.21.58","255.255.255.255")||
isInNet(host,"104.43.240.16","255.255.255.248")||
isInNet(host,"104.44.218.128","255.255.255.128")||
isInNet(host,"104.44.254.128","255.255.255.128")||
isInNet(host,"104.44.255.0","255.255.255.128")||
isInNet(host,"104.45.0.16","255.255.255.240")||
isInNet(host,"104.45.208.104","255.255.255.248")||
isInNet(host,"104.46.112.8","255.255.255.248")||
isInNet(host,"104.46.224.64","255.255.255.240")||
isInNet(host,"104.46.62.41","255.255.255.255")||
isInNet(host,"104.47.0.0","255.255.128.0")||
isInNet(host,"111.221.112.0","255.255.248.0")||
isInNet(host,"13.106.4.128","255.255.255.128")||
isInNet(host,"13.106.56.0","255.255.255.128")||
isInNet(host,"13.107.12.51","255.255.255.255")||
isInNet(host,"13.107.128.0","255.255.252.0")||
isInNet(host,"13.107.136.0","255.255.252.0")||
isInNet(host,"13.107.140.6","255.255.255.255")||
isInNet(host,"13.107.18.10","255.255.255.254")||
isInNet(host,"13.107.19.10","255.255.255.254")||
isInNet(host,"13.107.3.0","255.255.255.0")||
isInNet(host,"13.107.6.150","255.255.255.254")||
isInNet(host,"13.107.6.152","255.255.255.254")||
isInNet(host,"13.107.6.156","255.255.255.254")||
isInNet(host,"13.107.6.158","255.255.255.254")||
isInNet(host,"13.107.6.160","255.255.255.255")||
isInNet(host,"13.107.6.168","255.255.255.255")||
isInNet(host,"13.107.6.171","255.255.255.255")||
isInNet(host,"13.107.64.0","255.255.192.0")||
isInNet(host,"13.107.7.190","255.255.255.254")||
isInNet(host,"13.107.9.150","255.255.255.254")||
isInNet(host,"13.107.9.152","255.255.255.254")||
isInNet(host,"13.107.9.156","255.255.255.254")||
isInNet(host,"13.107.9.158","255.255.255.254")||
isInNet(host,"13.107.9.160","255.255.255.255")||
isInNet(host,"13.107.9.168","255.255.255.255")||
isInNet(host,"13.67.50.224","255.255.255.248")||
isInNet(host,"13.70.151.216","255.255.255.255")||
isInNet(host,"13.71.127.197","255.255.255.255")||
isInNet(host,"13.71.151.88","255.255.255.255")||
isInNet(host,"13.71.201.64","255.255.255.192")||
isInNet(host,"13.72.245.115","255.255.255.255")||
isInNet(host,"13.73.1.120","255.255.255.255")||
isInNet(host,"13.75.126.169","255.255.255.255")||
isInNet(host,"13.75.48.16","255.255.255.248")||
isInNet(host,"13.75.80.16","255.255.255.248")||
isInNet(host,"13.76.138.63","255.255.255.255")||
isInNet(host,"13.78.120.159","255.255.255.255")||
isInNet(host,"13.78.120.69","255.255.255.255")||
isInNet(host,"13.78.120.70","255.255.255.255")||
isInNet(host,"13.80.125.22","255.255.255.255")||
isInNet(host,"13.80.22.71","255.255.255.255")||
isInNet(host,"13.84.178.101","255.255.255.255")||
isInNet(host,"13.84.218.185","255.255.255.255")||
isInNet(host,"13.84.219.100","255.255.255.255")||
isInNet(host,"13.87.36.128","255.255.255.255")||
isInNet(host,"13.88.17.54","255.255.255.255")||
isInNet(host,"13.89.240.113","255.255.255.255")||
isInNet(host,"13.91.91.243","255.255.255.255")||
isInNet(host,"13.92.236.241","255.255.255.255")||
isInNet(host,"13.93.164.45","255.255.255.255")||
isInNet(host,"13.95.29.177","255.255.255.255")||
isInNet(host,"13.95.30.46","255.255.255.255")||
isInNet(host,"131.253.33.215","255.255.255.255")||
isInNet(host,"132.245.0.0","255.255.0.0")||
isInNet(host,"132.245.165.0","255.255.255.128")||
isInNet(host,"134.170.116.0","255.255.255.128")||
isInNet(host,"134.170.148.0","255.255.252.0")||
isInNet(host,"134.170.165.0","255.255.255.128")||
isInNet(host,"134.170.172.128","255.255.255.128")||
isInNet(host,"134.170.200.0","255.255.248.0")||
isInNet(host,"134.170.208.0","255.255.248.0")||
isInNet(host,"134.170.67.0","255.255.255.128")||
isInNet(host,"134.170.68.0","255.255.254.0")||
isInNet(host,"138.91.237.237","255.255.255.255")||
isInNet(host,"150.171.32.0","255.255.252.0")||
isInNet(host,"150.171.40.0","255.255.252.0")||
isInNet(host,"157.55.130.0","255.255.255.128")||
isInNet(host,"157.55.145.0","255.255.255.128")||
isInNet(host,"157.55.155.0","255.255.255.128")||
isInNet(host,"157.55.227.192","255.255.255.192")||
isInNet(host,"157.55.234.0","255.255.255.0")||
isInNet(host,"157.55.45.128","255.255.255.128")||
isInNet(host,"157.55.59.128","255.255.255.128")||
isInNet(host,"157.56.110.0","255.255.254.0")||
isInNet(host,"157.56.112.0","255.255.255.0")||
isInNet(host,"157.56.151.0","255.255.255.128")||
isInNet(host,"157.56.232.0","255.255.248.0")||
isInNet(host,"157.56.240.0","255.255.240.0")||
isInNet(host,"157.56.53.128","255.255.255.128")||
isInNet(host,"157.56.55.0","255.255.255.128")||
isInNet(host,"157.56.58.0","255.255.255.128")||
isInNet(host,"168.61.149.234","255.255.255.255")||
isInNet(host,"168.62.106.224","255.255.255.255")||
isInNet(host,"168.63.92.133","255.255.255.255")||
isInNet(host,"191.232.0.0","255.255.254.0")||
isInNet(host,"191.232.2.128","255.255.255.128")||
isInNet(host,"191.232.96.0","255.255.224.0")||
isInNet(host,"191.234.140.0","255.255.252.0")||
isInNet(host,"191.234.6.152","255.255.255.255")||
isInNet(host,"191.235.0.0","255.255.240.0")||
isInNet(host,"191.236.108.93","255.255.255.255")||
isInNet(host,"191.236.157.212","255.255.255.255")||
isInNet(host,"191.237.248.32","255.255.255.248")||
isInNet(host,"191.237.252.192","255.255.255.240")||
isInNet(host,"20.190.128.0","255.255.192.0")||
isInNet(host,"204.79.197.215","255.255.255.255")||
isInNet(host,"206.191.224.0","255.255.224.0")||
isInNet(host,"207.46.100.0","255.255.255.0")||
isInNet(host,"207.46.140.244","255.255.255.255")||
isInNet(host,"207.46.141.38","255.255.255.255")||
isInNet(host,"207.46.163.0","255.255.255.0")||
isInNet(host,"207.46.216.54","255.255.255.255")||
isInNet(host,"207.46.73.250","255.255.255.255")||
isInNet(host,"213.199.154.0","255.255.255.0")||
isInNet(host,"213.199.180.128","255.255.255.192")||
isInNet(host,"216.32.180.0","255.255.254.0")||
isInNet(host,"23.100.101.112","255.255.255.240")||
isInNet(host,"23.100.104.16","255.255.255.240")||
isInNet(host,"23.100.112.64","255.255.255.248")||
isInNet(host,"23.100.120.64","255.255.255.248")||
isInNet(host,"23.100.16.168","255.255.255.248")||
isInNet(host,"23.100.32.136","255.255.255.248")||
isInNet(host,"23.100.64.24","255.255.255.248")||
isInNet(host,"23.100.72.32","255.255.255.248")||
isInNet(host,"23.100.80.64","255.255.255.248")||
isInNet(host,"23.100.88.32","255.255.255.248")||
isInNet(host,"23.101.144.136","255.255.255.248")||
isInNet(host,"23.101.165.168","255.255.255.248")||
isInNet(host,"23.101.181.128","255.255.255.248")||
isInNet(host,"23.101.210.24","255.255.255.248")||
isInNet(host,"23.101.222.240","255.255.255.240")||
isInNet(host,"23.101.224.16","255.255.255.248")||
isInNet(host,"23.101.226.16","255.255.255.240")||
isInNet(host,"23.101.5.104","255.255.255.248")||
isInNet(host,"23.102.232.134","255.255.255.255")||
isInNet(host,"23.103.132.0","255.255.252.0")||
isInNet(host,"23.103.136.0","255.255.248.0")||
isInNet(host,"23.103.144.0","255.255.240.0")||
isInNet(host,"23.103.160.0","255.255.240.0")||
isInNet(host,"23.103.198.0","255.255.254.0")||
isInNet(host,"23.103.200.0","255.255.252.0")||
isInNet(host,"23.103.224.0","255.255.224.0")||
isInNet(host,"23.96.241.70","255.255.255.255")||
isInNet(host,"23.96.251.50","255.255.255.255")||
isInNet(host,"23.96.253.65","255.255.255.255")||
isInNet(host,"23.97.78.94","255.255.255.255")||
isInNet(host,"40.104.0.0","255.254.0.0")||
isInNet(host,"40.107.0.0","255.255.128.0")||
isInNet(host,"40.108.0.0","255.255.224.0")||
isInNet(host,"40.108.128.0","255.255.128.0")||
isInNet(host,"40.112.144.173","255.255.255.255")||
isInNet(host,"40.112.145.113","255.255.255.255")||
isInNet(host,"40.112.64.16","255.255.255.240")||
isInNet(host,"40.113.192.16","255.255.255.248")||
isInNet(host,"40.113.91.234","255.255.255.255")||
isInNet(host,"40.114.120.16","255.255.255.248")||
isInNet(host,"40.115.152.16","255.255.255.240")||
isInNet(host,"40.117.229.133","255.255.255.255")||
isInNet(host,"40.117.229.194","255.255.255.255")||
isInNet(host,"40.124.8.53","255.255.255.255")||
isInNet(host,"40.126.0.0","255.255.192.0")||
isInNet(host,"40.127.67.24","255.255.255.248")||
isInNet(host,"40.76.54.117","255.255.255.255")||
isInNet(host,"40.78.62.210","255.255.255.255")||
isInNet(host,"40.81.156.153","255.255.255.255")||
isInNet(host,"40.81.156.154","255.255.255.255")||
isInNet(host,"40.81.156.155","255.255.255.255")||
isInNet(host,"40.81.156.156","255.255.255.255")||
isInNet(host,"40.83.120.174","255.255.255.255")||
isInNet(host,"40.83.127.89","255.255.255.255")||
isInNet(host,"40.83.185.155","255.255.255.255")||
isInNet(host,"40.84.145.72","255.255.255.255")||
isInNet(host,"40.84.2.83","255.255.255.255")||
isInNet(host,"40.84.4.119","255.255.255.255")||
isInNet(host,"40.84.4.93","255.255.255.255")||
isInNet(host,"40.90.218.196","255.255.255.255")||
isInNet(host,"40.90.218.197","255.255.255.255")||
isInNet(host,"40.90.218.198","255.255.255.255")||
isInNet(host,"40.90.218.203","255.255.255.255")||
isInNet(host,"40.92.0.0","255.252.0.0")||
isInNet(host,"40.96.0.0","255.248.0.0")||
isInNet(host,"51.140.143.149","255.255.255.255")||
isInNet(host,"51.140.155.234","255.255.255.255")||
isInNet(host,"51.140.203.190","255.255.255.255")||
isInNet(host,"51.141.51.76","255.255.255.255")||
isInNet(host,"51.142.213.184","255.255.255.255")||
isInNet(host,"52.100.0.0","255.252.0.0")||
isInNet(host,"52.104.0.0","255.252.0.0")||
isInNet(host,"52.108.0.0","255.252.0.0")||
isInNet(host,"52.112.0.0","255.252.0.0")||
isInNet(host,"52.163.126.215","255.255.255.255")||
isInNet(host,"52.163.93.38","255.255.255.255")||
isInNet(host,"52.164.121.65","255.255.255.255")||
isInNet(host,"52.164.124.124","255.255.255.255")||
isInNet(host,"52.164.127.6","255.255.255.255")||
isInNet(host,"52.168.128.89","255.255.255.255")||
isInNet(host,"52.168.177.42","255.255.255.255")||
isInNet(host,"52.170.21.67","255.255.255.255")||
isInNet(host,"52.172.144.16","255.255.255.240")||
isInNet(host,"52.172.185.18","255.255.255.255")||
isInNet(host,"52.174.56.180","255.255.255.255")||
isInNet(host,"52.178.144.25","255.255.255.255")||
isInNet(host,"52.178.147.210","255.255.255.255")||
isInNet(host,"52.178.161.139","255.255.255.255")||
isInNet(host,"52.178.94.2","255.255.255.255")||
isInNet(host,"52.183.75.62","255.255.255.255")||
isInNet(host,"52.184.165.82","255.255.255.255")||
isInNet(host,"52.225.223.43","255.255.255.255")||
isInNet(host,"52.228.25.96","255.255.255.255")||
isInNet(host,"52.231.207.185","255.255.255.255")||
isInNet(host,"52.231.36.175","255.255.255.255")||
isInNet(host,"52.233.242.192","255.255.255.255")||
isInNet(host,"52.238.106.116","255.255.255.255")||
isInNet(host,"52.238.119.141","255.255.255.255")||
isInNet(host,"52.238.78.88","255.255.255.255")||
isInNet(host,"52.242.23.189","255.255.255.255")||
isInNet(host,"52.244.160.207","255.255.255.255")||
isInNet(host,"52.247.150.191","255.255.255.255")||
isInNet(host,"52.96.0.0","255.252.0.0")||
isInNet(host,"65.52.1.16","255.255.255.248")||
isInNet(host,"65.52.193.136","255.255.255.248")||
isInNet(host,"65.52.220.46","255.255.255.255")||
isInNet(host,"65.54.170.128","255.255.255.128")||
isInNet(host,"65.55.169.0","255.255.255.0")||
isInNet(host,"65.55.239.168","255.255.255.255")||
isInNet(host,"65.55.88.0","255.255.255.0")||
isInNet(host,"70.37.154.128","255.255.255.128")||
isInNet(host,"94.245.117.53","255.255.255.255")||
isInNet(host,"94.245.120.64","255.255.255.192")||
dnsDomainIs(host, "account.activedirectory.windowsazure.com")||
dnsDomainIs(host, "account.office.net")||
dnsDomainIs(host, "accounts.accesscontrol.windows.net")||
dnsDomainIs(host, "activation.sls.microsoft.com")||
dnsDomainIs(host, "ad.atdmt.com")||
dnsDomainIs(host, "admin.microsoft.com")||
dnsDomainIs(host, "admin.onedrive.com")||
dnsDomainIs(host, "adminwebservice.microsoftonline.com")||
dnsDomainIs(host, "agent.office.net")||
dnsDomainIs(host, "aia.entrust.net")||
dnsDomainIs(host, "Ajax.aspnetcdn.com")||
dnsDomainIs(host, "ajax.microsoft.com")||
dnsDomainIs(host, "aka.ms")||
dnsDomainIs(host, "amp.azure.net")||


dnsDomainIs(host, "analytics.localytics.com")||
dnsDomainIs(host, "apc.delve.office.com")||
dnsDomainIs(host, "api.informationprotection.azure.com")||
dnsDomainIs(host, "api.localytics.com")||
dnsDomainIs(host, "api.login.microsoftonline.com")||

dnsDomainIs(host, "api.office.com")||
dnsDomainIs(host, "api.passwordreset.microsoftonline.com")||
dnsDomainIs(host, "apis.live.net")||
dnsDomainIs(host, "apps.identrust.com")||
dnsDomainIs(host, "appsforoffice.microsoft.com")||
dnsDomainIs(host, "asl.configure.office.com")||
dnsDomainIs(host, "assets.onestore.ms")||
dnsDomainIs(host, "aus.delve.office.com")||
dnsDomainIs(host, "auth.gfx.ms")||
shExpMatch(host, "autodiscover-*.outlook.com")||
dnsDomainIs(host, "autodiscover-*.outlook.com")||
dnsDomainIs(host, "autologon.microsoftazuread-sso.com")||

dnsDomainIs(host, "az826701.vo.msecnd.net")||
dnsDomainIs(host, "becws.microsoftonline.com")||
dnsDomainIs(host, "broadcast.skype.com")||
dnsDomainIs(host, "browser.pipe.aria.microsoft.com")||
dnsDomainIs(host, "c.bing.net")||
dnsDomainIs(host, "c.microsoft.com")||
dnsDomainIs(host, "c1.microsoft.com")||
dnsDomainIs(host, "cacert.a.omniroot.com")||
dnsDomainIs(host, "cacert.omniroot.com")||
dnsDomainIs(host, "cacerts.digicert.com")||
dnsDomainIs(host, "can.delve.office.com")||
dnsDomainIs(host, "ccs.login.microsoftonline.com")||
dnsDomainIs(host, "cdn.odc.officeapps.live.com")||
dnsDomainIs(host, "Cdn.onenote.net")||
dnsDomainIs(host, "Cdn.optimizely.com")||
dnsDomainIs(host, "cdn.sharepointonline.com")||
dnsDomainIs(host, "cdp1.public-trust.com")||
dnsDomainIs(host, "cert.int-x3.letsencrypt.org")||
dnsDomainIs(host, "click.email.microsoftonline.com")||
dnsDomainIs(host, "client.hip.live.com")||
dnsDomainIs(host, "clientconfig.microsoftonline-p.net")||
dnsDomainIs(host, "clientlog.portal.office.com")||
dnsDomainIs(host, "companymanager.microsoftonline.com")||
dnsDomainIs(host, "compass-ssl.microsoft.com")||
dnsDomainIs(host, "config.edge.skype.com")||
dnsDomainIs(host, "connect.facebook.net")||
dnsDomainIs(host, "contentstorage.osi.office.net")||
dnsDomainIs(host, "crl.entrust.net")||
dnsDomainIs(host, "crl.globalsign.com")||
dnsDomainIs(host, "crl.globalsign.net")||
dnsDomainIs(host, "crl.identrust.com")||
dnsDomainIs(host, "crl.microsoft.com")||
dnsDomainIs(host, "crl3.digicert.com")||
dnsDomainIs(host, "crl4.digicert.com")||
dnsDomainIs(host, "cs.microsoft.com")||
dnsDomainIs(host, "cus-000.tasks.osi.office.net")||
dnsDomainIs(host, "cus-odc.officeapps.live.com")||
dnsDomainIs(host, "cus-roaming.officeapps.live.com")||
dnsDomainIs(host, "dc.applicationinsights.microsoft.com")||
dnsDomainIs(host, "dc.services.visualstudio.com")||
dnsDomainIs(host, "delve.office.com")||
dnsDomainIs(host, "device.login.microsoftonline.com")||
dnsDomainIs(host, "dgps.support.microsoft.com")||
dnsDomainIs(host, "docs.microsoft.com")||
dnsDomainIs(host, "domains.live.com")||
dnsDomainIs(host, "ea-000.forms.osi.office.net")||
dnsDomainIs(host, "ea-000.ocws.officeapps.live.com")||
dnsDomainIs(host, "ea-000.tasks.osi.office.net")||
dnsDomainIs(host, "ea-roaming.officeapps.live.com")||
dnsDomainIs(host, "ecn.dev.virtualearth.net")||
dnsDomainIs(host, "enterpriseregistration.windows.net")||
dnsDomainIs(host, "equivio.office.com")||
shExpMatch(host, "equivioprod*.cloudapp.net")||
dnsDomainIs(host, "equivioprod*.cloudapp.net")||
dnsDomainIs(host, "eur.delve.office.com")||
dnsDomainIs(host, "eus2-000.forms.osi.office.net")||
dnsDomainIs(host, "Eus2-000.ocws.officeapps.live.com")||
dnsDomainIs(host, "eus2-roaming.officeapps.live.com")||
dnsDomainIs(host, "eus-odc.officeapps.live.com")||
dnsDomainIs(host, "eus-www.sway-cdn.com")||
dnsDomainIs(host, "eus-www.sway-extensions.com")||
dnsDomainIs(host, "eus-zzz.tasks.osi.office.net")||
dnsDomainIs(host, "EVIntl-aia.verisign.com")||
dnsDomainIs(host, "EVIntl-crl.verisign.com")||
dnsDomainIs(host, "EVIntl-ocsp.verisign.com")||
dnsDomainIs(host, "evsecure-aia.verisign.com")||
dnsDomainIs(host, "EVSecure-crl.verisign.com")||
dnsDomainIs(host, "EVSecure-ocsp.verisign.com")||
dnsDomainIs(host, "excelbingmap.firstpartyapps.oaspapps.com")||
dnsDomainIs(host, "excelcs.officeapps.live.com")||
dnsDomainIs(host, "feedback.skype.com")||
dnsDomainIs(host, "firstpartyapps.oaspapps.com")||
dnsDomainIs(host, "forms.microsoft.com")||
dnsDomainIs(host, "forms.office.com")||
dnsDomainIs(host, "g.live.com")||
dnsDomainIs(host, "gbr.delve.office.com")||
dnsDomainIs(host, "go.microsoft.com")||
dnsDomainIs(host, "graph.microsoft.com")||
dnsDomainIs(host, "graph.windows.net")||
dnsDomainIs(host, "hip.microsoftonline-p.net")||
dnsDomainIs(host, "hipservice.microsoftonline.com")||
dnsDomainIs(host, "home.office.com")||
dnsDomainIs(host, "ind.delve.office.com")||
dnsDomainIs(host, "insertmedia.bing.office.net")||
dnsDomainIs(host, "isrg.trustid.ocsp.identrust.com")||
dnsDomainIs(host, "jpn.delve.office.com")||
dnsDomainIs(host, "kor.delve.office.com")||
dnsDomainIs(host, "lam.delve.office.com")||
dnsDomainIs(host, "latest-swx.cdn.skype.com")||
dnsDomainIs(host, "login.live.com")||
dnsDomainIs(host, "login.microsoft.com")||
dnsDomainIs(host, "login.microsoftonline.com")||
dnsDomainIs(host, "login.microsoftonline-p.com")||
dnsDomainIs(host, "login.windows.net")||
dnsDomainIs(host, "logincert.microsoftonline.com")||
dnsDomainIs(host, "loginex.microsoftonline.com")||
dnsDomainIs(host, "login-us.microsoftonline.com")||
dnsDomainIs(host, "management.azure.com")||
dnsDomainIs(host, "mem.gfx.ms")||
dnsDomainIs(host, "mlccdnprod.azureedge.net")||
dnsDomainIs(host, "mobile.pipe.aria.microsoft.com")||
dnsDomainIs(host, "mrodevicemgr.officeapps.live.com")||
dnsDomainIs(host, "mscrl.microsoft.com")||
dnsDomainIs(host, "msdn.microsoft.com")||
dnsDomainIs(host, "mshrcstorageprod.blob.core.windows.net")||
dnsDomainIs(host, "nam.delve.office.com")||
dnsDomainIs(host, "ncus-000.ocws.officeapps.live.com")||
dnsDomainIs(host, "ncus-odc.officeapps.live.com")||
dnsDomainIs(host, "ncus-roaming.officeapps.live.com")||
dnsDomainIs(host, "neu-000.forms.osi.office.net")||
dnsDomainIs(host, "neu-000.ocws.officeapps.live.com")||
dnsDomainIs(host, "neu-000.tasks.osi.office.net")||
dnsDomainIs(host, "neu-odc.officeapps.live.com")||
dnsDomainIs(host, "neu-roaming.officeapps.live.com")||
dnsDomainIs(host, "nexus.microsoftonline-p.com")||
dnsDomainIs(host, "nexus.officeapps.live.com")||
dnsDomainIs(host, "nexusrules.officeapps.live.com")||

dnsDomainIs(host, "o365diagnosticsbasic-eus.cloudapp.net")||
dnsDomainIs(host, "o365diagnosticworker-eus.cloudapp.net")||
dnsDomainIs(host, "ocos-office365-s2s.msedge.net")||
dnsDomainIs(host, "ocsa.officeapps.live.com")||
dnsDomainIs(host, "ocsp.digicert.com")||
dnsDomainIs(host, "ocsp.entrust.net")||
dnsDomainIs(host, "ocsp.globalsign.com")||
dnsDomainIs(host, "ocsp.int-x3.letsencrypt.org")||
dnsDomainIs(host, "ocsp.msocsp.com")||
dnsDomainIs(host, "ocsp.omniroot.com")||
dnsDomainIs(host, "ocsp2.globalsign.com")||
dnsDomainIs(host, "ocspx.digicert.com")||
dnsDomainIs(host, "ocsredir.officeapps.live.com")||
dnsDomainIs(host, "ocws.officeapps.live.com")||
dnsDomainIs(host, "office.live.com")||
dnsDomainIs(host, "office15client.microsoft.com")||
dnsDomainIs(host, "office365servicehealthcommunications.cloudapp.net")||
dnsDomainIs(host, "office365zoom.cloudapp.net")||
dnsDomainIs(host, "officeapps.live.com")||
dnsDomainIs(host, "officecdn.microsoft.com")||
dnsDomainIs(host, "officecdn.microsoft.com.edgesuite.net")||
dnsDomainIs(host, "officeclient.microsoft.com")||
dnsDomainIs(host, "officepreviewredir.microsoft.com")||
dnsDomainIs(host, "officeredir.microsoft.com")||
dnsDomainIs(host, "officespeech.platform.bing.com")||
dnsDomainIs(host, "ols.officeapps.live.com")||
dnsDomainIs(host, "omextemplates.content.office.net")||
dnsDomainIs(host, "Oneclient.sfx.ms")||
dnsDomainIs(host, "outlook.office365.com")||
dnsDomainIs(host, "outlook.uservoice.com")||
dnsDomainIs(host, "passwordreset.microsoftonline.com")||
dnsDomainIs(host, "peoplegraph.firstpartyapps.oaspapps.com")||
dnsDomainIs(host, "pipe.skype.com")||
dnsDomainIs(host, "platform.linkedin.com")||
dnsDomainIs(host, "policykeyservice.dc.ad.msft.net")||
dnsDomainIs(host, "portal.microsoftonline.com")||
dnsDomainIs(host, "portal.office.com")||
dnsDomainIs(host, "pptcs.officeapps.live.com")||
dnsDomainIs(host, "privatecdn.sharepointonline.com")||
dnsDomainIs(host, "prod.firstpartyapps.oaspapps.com.akadns.net")||
dnsDomainIs(host, "prod.msocdn.com")||
dnsDomainIs(host, "prod.registrar.skype.com")||
dnsDomainIs(host, "prod.tpc.skype.com")||
dnsDomainIs(host, "products.office.com")||
dnsDomainIs(host, "protection.office.com")||
dnsDomainIs(host, "provisioningapi.microsoftonline.com")||
dnsDomainIs(host, "publiccdn.sharepointonline.com")||
dnsDomainIs(host, "quicktips.skypeforbusiness.com")||
dnsDomainIs(host, "r.office.microsoft.com")||
dnsDomainIs(host, "r1.res.office365.com")||
dnsDomainIs(host, "r3.res.office365.com")||

dnsDomainIs(host, "r4.res.office365.com")||
dnsDomainIs(host, "res.delve.office.com")||
dnsDomainIs(host, "rink.hockeyapp.net")||
dnsDomainIs(host, "roaming.officeapps.live.com")||
dnsDomainIs(host, "s-0001.s-msedge.net")||
dnsDomainIs(host, "s-0004.s-msedge.net")||
dnsDomainIs(host, "s1.symcb.com")||
dnsDomainIs(host, "s2.symcb.com")||
dnsDomainIs(host, "sa.symcb.com")||
dnsDomainIs(host, "sas.officeapps.live.com")||
dnsDomainIs(host, "scsinstrument-ss-us.trafficmanager.net")||
dnsDomainIs(host, "scsquery-ss-asia.trafficmanager.net")||
dnsDomainIs(host, "scsquery-ss-eu.trafficmanager.net")||
dnsDomainIs(host, "scsquery-ss-us.trafficmanager.net")||
dnsDomainIs(host, "scus-000.ocws.officeapps.live.com")||
dnsDomainIs(host, "scus-odc.officeapps.live.com")||
dnsDomainIs(host, "scus-roaming.officeapps.live.com")||
dnsDomainIs(host, "sd.symcb.com")||
dnsDomainIs(host, "sdk.hockeyapp.net")||
dnsDomainIs(host, "sea-000.tasks.osi.office.net")||
dnsDomainIs(host, "sea-odc.officeapps.live.com")||
dnsDomainIs(host, "sea-roaming.officeapps.live.com")||
dnsDomainIs(host, "secure.aadcdn.microsoftonline-p.com")||
dnsDomainIs(host, "secure.globalsign.com")||
dnsDomainIs(host, "securescore.office.com")||
dnsDomainIs(host, "shellprod.msocdn.com")||
dnsDomainIs(host, "signup.microsoft.com")||
dnsDomainIs(host, "site-cdn.onenote.net")||
dnsDomainIs(host, "skydrive.wns.windows.com")||
dnsDomainIs(host, "Skypegraph.skype.com")||
dnsDomainIs(host, "skypemaprdsitus.trafficmanager.net")||
dnsDomainIs(host, "smtp.office365.com")||
dnsDomainIs(host, "spoprod-a.akamaihd.net")||
dnsDomainIs(host, "sr.symcb.com")||
dnsDomainIs(host, "sr.symcd.com")||
dnsDomainIs(host, "ssw.live.com")||
dnsDomainIs(host, "staffhub.ms")||
dnsDomainIs(host, "staffhub.office.com")||
dnsDomainIs(host, "staffhub.uservoice.com")||
dnsDomainIs(host, "staffhubweb.azureedge.net")||
dnsDomainIs(host, "stamp2.login.microsoftonline.com")||
dnsDomainIs(host, "static.sharepointonline.com")||
dnsDomainIs(host, "storage.live.com")||
dnsDomainIs(host, "store.office.com")||
dnsDomainIs(host, "su.symcb.com")||
dnsDomainIs(host, "su.symcd.com")||
dnsDomainIs(host, "suite.office.net")||
dnsDomainIs(host, "support.content.office.net")||
dnsDomainIs(host, "support.microsoft.com")||
dnsDomainIs(host, "support.office.com")||
dnsDomainIs(host, "sway.com")||
dnsDomainIs(host, "sway.office.com")||
dnsDomainIs(host, "swx.cdn.skype.com")||
dnsDomainIs(host, "tasks.office.com")||
dnsDomainIs(host, "tds.configure.office.com")||
dnsDomainIs(host, "teams.microsoft.com")||
dnsDomainIs(host, "technet.microsoft.com")||
dnsDomainIs(host, "telemetry.remoteapp.windowsazure.com")||
dnsDomainIs(host, "telemetryservice.firstpartyapps.oaspapps.com")||
dnsDomainIs(host, "templates.office.com")||
dnsDomainIs(host, "templateservice.office.com")||
dnsDomainIs(host, "testconnectivity.microsoft.com")||
dnsDomainIs(host, "tse1.mm.bing.net")||
dnsDomainIs(host, "uci.officeapps.live.com")||
dnsDomainIs(host, "vassg142.crl.omniroot.com")||
dnsDomainIs(host, "vassg142.ocsp.omniroot.com")||
dnsDomainIs(host, "video.osi.office.net")||
dnsDomainIs(host, "videocontent.osi.office.net")||
dnsDomainIs(host, "videoplayercdn.osi.office.net")||
dnsDomainIs(host, "vortex.data.microsoft.com")||
dnsDomainIs(host, "watson.microsoft.com")||
dnsDomainIs(host, "watson.telemetry.microsoft.com")||
dnsDomainIs(host, "web.localytics.com")||

dnsDomainIs(host, "webanalytics.localytics.com")||
dnsDomainIs(host, "webshell.suite.office.com")||
dnsDomainIs(host, "weu-000.forms.osi.office.net")||
dnsDomainIs(host, "weu-000.ocws.officeapps.live.com")||
dnsDomainIs(host, "weu-000.tasks.osi.office.net")||
dnsDomainIs(host, "weu-odc.officeapps.live.com")||
dnsDomainIs(host, "weu-roaming.officeapps.live.com")||
dnsDomainIs(host, "wikipedia.firstpartyapps.oaspapps.com")||
dnsDomainIs(host, "wordcs.officeapps.live.com")||
dnsDomainIs(host, "wu.client.hip.live.com")||
dnsDomainIs(host, "wus-000.forms.osi.office.net")||
dnsDomainIs(host, "wus-000.ocws.officeapps.live.com")||
dnsDomainIs(host, "wus-000.tasks.osi.office.net")||
dnsDomainIs(host, "wus-firstpartyapps.oaspapps.com")||
dnsDomainIs(host, "wus-odc.officeapps.live.com")||
dnsDomainIs(host, "wus-roaming.officeapps.live.com")||
dnsDomainIs(host, "wus-www.sway-cdn.com")||
dnsDomainIs(host, "wus-www.sway-extensions.com")||
dnsDomainIs(host, "www.bing.com")||
dnsDomainIs(host, "www.digicert.com")||
dnsDomainIs(host, "www.google-analytics.com")||
dnsDomainIs(host, "www.microsoft.com")||
dnsDomainIs(host, "www.office.com")||
dnsDomainIs(host, "www.onedrive.com")||
dnsDomainIs(host, "www.onenote.com")||
dnsDomainIs(host, "www.outlook.com")||
dnsDomainIs(host, "www.sway.com")||
dnsDomainIs(host, "xsi.outlook.com")||
shExpMatch(host, "zoom-cs-prod*.cloudapp.net")||
dnsDomainIs(host, "zoom-cs-prod*.cloudapp.net")||
dnsDomainIs(host, "office365.com")
)
return direct;
}

Steve Ianson · ‎Dec 27 2018

Hi,

The powershell script only returns urls (ignores all IPs) and only returns those urls marked as 'Allow' or 'Optimise'.

Many of the urls are excluded because they are marked as 'Default'. (e.g. '*.aadrm.com')

Also, the script only generates 'shExpMatch' lines for each url, so you don't have any of the 'isInNet' or 'dnsDomainIs' lines.

Regards

Steve

Paul Andrew · ‎Dec 27 2018

@gryonatan As Steve pointed out, these additional lines are not provided. You should not require any IP Address comparisons for a proxy server as they operate at the URL layer unless someone enters an IP Address in their web browser. We don't support IP Addresses for any endpoints in the Default category since they are all expected to be sent to a proxy server. We are working to provide simplified configuration and hope that you appreciate the shorter PAC file needs.

Regards,

Paul

gryonatan · ‎Dec 30 2018

@Paul Andrew, @Steve Ianson thank you for your comments.

if I understand correctly, the new version of the pac file should be enough to send all office365 requests bypassing our proxy?

including clients like outlook\teams etc? this means office products no longer require IsInNet in the pac?

Is dnsDomainIs also useless?

we also want to make sure all endpoint under the "default" category do not require authentication\cache\content filtering bypass like other categories...

ankit1990 · ‎Oct 18 2020

One question - Can I get a list of SMTP (Exchange Online) Server's IP address for India region? Our customer blocking IPs of our country and want a exact range of India region our traffic would be source from. Microsoft support team giving me Worldwide IPs to allow it. Does it make sense ? How our customer open the Door for all countries who uses the Office 365 Exchange Service. Please help me.

Steve Ianson · ‎Oct 18 2020

Hi, I don't think restricting to just India is going to be possible:

"The locations of Office 365 endpoints within the network are not directly related to the location of the Microsoft 365 tenant data. For this reason, customers should look at Microsoft 365 as a distributed and global service and should not attempt to block network connections to Office 365 endpoints based on geographical criteria."

From https://docs.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-network-connectivity-princip...

Paul Andrew · ‎Oct 18 2020

@ankit1990 It would help if you shared what the customer is trying to achieve by blocking IP Addresses for SMTP. As Steve points out there is no correlation between the IP Address assigned to a server and the origin of an email. SMTP email can get routed anywhere by providers.

Office 365 SMTP connections always come from IP Addresses identified in the Sender Protection Framework. Read about it at https://docs.microsoft.com/microsoft-365/security/office-365-security/how-office-365-uses-spf-to-pre...

SMTP sender IP Addresses are a subset of what is published at http://aka.ms/o365ip. Find specific SMTP source IP Addresses for Office 365 with this command on Windows: nslookup -type=TXT spf.protection.outlook.com

Paul

ankit1990 · ‎Oct 18 2020

Spoiler

@Paul Andrew @Steve Ianson Thanks for your response. Let me explain why they have blocked IP addresses restrictions for incoming emails. They have blacklisted IPs for all countries except US where they are to block all incoming emails from any country except US. We were using G suite but originally it was hosted on US region so there was no issue. since we migrate our service from G suite to Office 365 (Tenant Hosted in India) this issue started. Now they want a list of Exchange servers IP addresses range for India region and which URL provided by you and for SPF list of IPs is contained Worldwide IPs not for India Region only. Now they want to unblock India IPs only not for the Worldwide because if they do allow all then any Exchange Online users can send an email no matter from which country. And one more thing I have done to verify, Purchased another Tenant in US for testing purpose and send an email from India and it was delivered. That's why I am looking for only relevant list of IP addresses for India region.

Please let me know if you require any additional information.

Regards,

Ankit

Paul Andrew · ‎Oct 18 2020

@ankit1990 Do you have a hybrid Exchange configuration that includes on-premises Exchange servers or some other on-premises SMTP email server at your offices or your datacenter locations? If you do not, then any email delivered from a US address tenant to an India tenant will be delivered within Office 365 infrastructure and does not get sent outside of Microsoft's network. If you do have this, then you can filter SMTP email using your firewall but Microsoft does not provide a way to identify user or tenant locations by SMTP source IP Address.

SMTP blocking is not the right way to do mail filtering in Office 365, I'd recommend you read about Exchange Online Protection here https://docs.microsoft.com/microsoft-365/security/office-365-security/exchange-online-protection-ove...

Regards,
Paul

erlonryanolibiran · ‎Jul 21 2023

Thanks for this.

erlonryanolibiran · ‎Jul 21 2023

So useful

Products (50)

Special Topics (28)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Announcing: Office 365 endpoint categories and Office 365 IP Address and URL web service