Support tip

Support tip: Upcoming Microsoft Intune network changes
12/18/25 Update - This post has been updated to include a new Azure Front Door (AFD) Connectivity Diagnostics Tool to help validate Intune network connectivity after firewall updates.

We know many customers don’t always check their service change messages in the Microsoft 365 admin center or the corresponding Message Center content in the Microsoft Intune admin center, so in this blog post we’re highlighting an important upcoming change to Intune network service endpoints. Starting on or shortly after December 2, 2025, Intune will also use Azure Front Door IP addresses to improve security and simplify firewall management. If your organization uses outbound traffic policies based on IP addresses or service tags, you’ll want to review and update your firewall rules to avoid service disruptions. We’ll keep you updated if the timeline shifts.

In the meantime, here’s the service change communication that posted to all Intune customers:

MC1147982 - Action Required: Update firewall configurations to include new Intune network endpoints

As part of Microsoft’s ongoing Secure Future Initiative (SFI), starting on or shortly after December 2, 2025, the network service endpoints for Microsoft Intune will also use Azure Front Door IP addresses. This improvement supports better alignment with modern security practices and over time will make it easier for organizations using multiple Microsoft products to manage and maintain their firewall configurations. As a result, customers may be required to add these network (firewall) configurations in third-party applications to enable proper function of Intune device and app management. This change will affect customers using a firewall allowlist that allows outbound traffic based on IP addresses or Azure service tags. Do not remove any existing network endpoints required for Microsoft Intune.
Additional network endpoints are documented as part of the Azure Front Door and service tags information referenced in the files linked below:

Public clouds: Download Azure IP Ranges and Service Tags – Public Cloud from Official Microsoft Download Center
Government clouds: Download Azure IP Ranges and Service Tags – US Government Cloud from Official Microsoft Download Center

The additional ranges are those listed in the JSON files linked above and can be found by searching for “AzureFrontDoor.MicrosoftSecurity”.

How this will affect your organization

If you have configured an outbound traffic policy for Intune IP address ranges or Azure service tags for your firewalls, routers, proxy servers, client-based firewalls, VPN or network security groups, you will need to update them to include the new Azure Front Door ranges with the “AzureFrontDoor.MicrosoftSecurity” tag. Intune requires internet access for devices under Intune management, whether for mobile device management or mobile application management. If your outbound traffic policy doesn’t include the new Azure Front Door IP address ranges, users may face login issues, devices might lose connectivity with Intune, and access to apps like the Intune Company Portal or those protected by app protection policies could be disrupted.

What you need to do to prepare

Ensure that your firewall rules are updated and added to your firewall’s allowlist with the additional IP addresses documented under Azure Front Door by December 2, 2025. Alternatively, you may add the service tag “AzureFrontDoor.MicrosoftSecurity” to your firewall rules to allow outbound traffic on port 443 for the addresses in the tag. If you are not the IT admin who can make this change, notify your networking team.
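As a worked example added for this blog post (it is not Microsoft's script and is not part of the Message Center communication above), the following PowerShell reads the Azure IP Ranges and Service Tags JSON file linked above, extracts the prefixes listed under AzureFrontDoor.MicrosoftSecurity, reports which of them are not yet in an existing allowlist, and can stage a local Windows Defender Firewall rule for them. The file layout it parses (a values array of tag objects, each with properties.addressPrefixes) is the published format of that download; the embedded sample JSON is constructed from RFC 5737 and RFC 3849 documentation prefixes, not the real ranges, and the parameter names and rule display name are this example's own choices.

```powershell
# Added example: pull the AzureFrontDoor.MicrosoftSecurity prefixes out of the
# "Azure IP Ranges and Service Tags" JSON and turn them into firewall allowlist input.
# Not Microsoft's script. Assumes the published file layout:
#   { "changeNumber": N, "cloud": "...", "values": [ { "name": "...", "properties": { "addressPrefixes": [ ... ] } } ] }
# Run with -JsonPath pointing at the downloaded Public or US Government file; without
# -JsonPath it runs against the constructed sample below (documentation prefixes only).
param(
    [string]$JsonPath,
    [string]$TagName = 'AzureFrontDoor.MicrosoftSecurity',
    [string]$ExistingAllowlist,          # optional text file, one CIDR per line, already allowed today
    [switch]$CreateWindowsFirewallRule   # stage a local Windows Defender Firewall rule (shown with -WhatIf)
)

# Constructed sample (RFC 5737 / RFC 3849 documentation ranges), not real Azure addresses.
$SampleJson = @'
{
  "changeNumber": 1,
  "cloud": "Public",
  "values": [
    {
      "name": "AzureFrontDoor.MicrosoftSecurity",
      "id": "AzureFrontDoor.MicrosoftSecurity",
      "properties": {
        "changeNumber": 1,
        "region": "",
        "platform": "Azure",
        "systemService": "AzureFrontDoor",
        "addressPrefixes": [ "192.0.2.0/24", "198.51.100.128/25", "2001:db8:10::/48" ],
        "networkFeatures": [ "API", "NSG", "UDR", "FW" ]
      }
    },
    {
      "name": "AzureFrontDoor.Backend",
      "id": "AzureFrontDoor.Backend",
      "properties": { "addressPrefixes": [ "203.0.113.0/24" ] }
    }
  ]
}
'@

function Get-ServiceTagPrefixes {
    # Returns the sorted, de-duplicated address prefixes of exactly one service tag.
    param(
        [Parameter(Mandatory)][string]$Json,
        [Parameter(Mandatory)][string]$Name
    )
    $doc = $Json | ConvertFrom-Json
    # Match the tag by exact name: a substring search for "AzureFrontDoor" would also
    # pull in other AzureFrontDoor.* tags, which are not what this change asks you to allow.
    $tag = $doc.values | Where-Object { $_.name -eq $Name }
    if (-not $tag) {
        throw "Service tag '$Name' not found (cloud: $($doc.cloud), changeNumber: $($doc.changeNumber))"
    }
    $tag.properties.addressPrefixes | Sort-Object -Unique
}

$json     = if ($JsonPath) { Get-Content -Raw -LiteralPath $JsonPath } else { $SampleJson }
$prefixes = @(Get-ServiceTagPrefixes -Json $json -Name $TagName)

# Work out the delta against what the firewall already allows, so only additions go
# through change control. Nothing here removes existing Intune endpoints.
$existing = @()
if ($ExistingAllowlist) {
    $existing = @(Get-Content -LiteralPath $ExistingAllowlist | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}
$missing = @($prefixes | Where-Object { $_ -notin $existing })

Write-Host "$($prefixes.Count) prefix(es) under $TagName; $($missing.Count) not yet in the allowlist."
# One line per prefix, ready to paste into a third-party firewall, proxy or VPN allowlist.
$missing | ForEach-Object { '{0,-24} TCP/443 outbound' -f $_ }

if ($CreateWindowsFirewallRule -and $missing.Count -gt 0) {
    # Needs an elevated session. -WhatIf shows the rule without creating it; drop it once reviewed.
    New-NetFirewallRule -DisplayName "Intune - $TagName (outbound TCP 443)" `
        -Direction Outbound -Protocol TCP -RemotePort 443 -RemoteAddress $missing `
        -Action Allow -Profile Any -WhatIf
}
```

The service tag itself can only be referenced directly on Azure resources such as network security groups and Azure Firewall; third-party firewalls, proxies and VPN concentrators need the expanded CIDR list, which is why the script emits one. Because the download is republished as the ranges change, keep the previous run's output as the -ExistingAllowlist input and re-run the script against each new file so that only the delta goes to the network team.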
If you are responsible for configuring internet traffic, refer to the following documentation for more details:

Azure Front Door
Azure service tags
Intune network endpoints
US government network endpoints for Intune

If you have a helpdesk, inform them about this upcoming change. If you need additional assistance, contact Microsoft Intune Support and refer to this Message Center post.

Note: The above post went to all customers in our public cloud. Customers in Microsoft Intune for US Government GCC High and DoD received the following post (the only difference is the focus on US government network endpoints): MC1147978 - Action Required: Update firewall configurations to include additional Intune network endpoints

Note: The previously available PowerShell scripts for retrieving Microsoft Intune endpoint IP addresses and FQDNs no longer return accurate data from the Office 365 Endpoint service. Instead, use the consolidated list provided in the Intune endpoints documentation. Using the original scripts or endpoint lists from the Office 365 Endpoint service is insufficient and may lead to incorrect configurations.

For network best practices, make sure to check out the blog: Support tip: Aligning network policy with Intune and Zero Trust.

New: Azure Front Door Connectivity Diagnostics Tool for Intune

To help you validate or troubleshoot the recent Intune network changes, we’ve published a lightweight Azure Front Door (AFD) Connectivity Diagnostics Tool. The script tests DNS resolution, outbound TCP connectivity on ports 80 and 443, and HTTPS reachability to the AFD IP ranges used by Intune, directly from an Intune-managed device. This is useful for environments that rely on IP-based firewall, proxy, or VPN rules.

Important: This script only tests Azure Front Door (AFD) endpoints.
It does not validate connectivity to non-AFD Intune endpoints, including existing Intune IPs, service FQDNs, or related services such as Windows Notification Service (WNS) or Windows Autopilot.

If you have any questions, leave a comment below or reach out to us on X @IntuneSuppTeam or @MSIntune. You can also connect with us on LinkedIn.

Post updates:
11/13/25: Added a note to use the consolidated list of Intune endpoints.
12/18/25: We’ve published a new Azure Front Door (AFD) Connectivity Diagnostics Tool to help validate and troubleshoot Intune connectivity after updating firewall rules.

Support tip: Resolve device noncompliance with Mobile Threat Defense partner apps
Using a Mobile Threat Defense (MTD) solution, such as Microsoft Defender for Endpoint, with Microsoft Intune helps keep your organization’s resources protected and allows you to block devices that aren’t compliant with your organization’s policies. When an MTD detects a threat or determines that a device is noncompliant, the device user will see one of two types of messages indicating:

Install and activate partner app: The device needs the [MTD app] installed and activated to restore access to work or school resources. This message indicates that Intune hasn't received a signal from the [MTD app] on the device, or the connection was lost.

Resolve detected threats: The [MTD app] identified one or more threats on the device. Open the [MTD app] and follow the guidance to resolve the threats before accessing work or school resources.

In this blog, we’ll focus on troubleshooting and resolving the first scenario, where users will need to install and activate the MTD app.

Note: For help resolving threats detected by the MTD app, open the partner app directly on the device for remediation guidance.

Prerequisites

Before you begin troubleshooting, confirm that:
- The user device is enrolled in Intune through the Company Portal app.
- The user has access to their work or school account credentials.
- The device has an active internet connection.

Restore device compliance

Have the user follow these steps to resolve the noncompliance issue and restore access to work or school resources.

Step 1: Install and activate the partner app

If the [MTD app] isn’t installed on the device:
1. Open the Intune Company Portal app on the device.
2. Go to Devices and select the device.
3. Install the required [MTD app] shown in the noncompliance message.
4. Open the [MTD app] and sign in with your work or school account.
5. Complete any required setup or activation steps in the app.
6. Wait up to 30 minutes for the device compliance status to update.
If the device remains noncompliant after 30 minutes, continue to the next step.

Step 2: Refresh the connection

If the [MTD app] is already installed and the user is signed in, the connection between the app and Intune services may need to be refreshed:
1. Open the [MTD app] on the device.
2. Sign out of the work or school account.
3. Sign back in with the same work or school account.
4. Wait up to 30 minutes for the device compliance status to update.

If the device remains noncompliant after 30 minutes, continue to the next step.

Step 3: Reinstall the MTD app

If refreshing the connection doesn't resolve the issue, reinstalling the app can restore the signal between services:
1. Uninstall the [MTD app] from the device.
2. Restart the device.
3. Open the Company Portal app on the device.
4. Reinstall the [MTD app].
5. Open the app and sign in with the work or school account.
6. Complete any required setup or activation steps.
7. Wait up to 30 minutes for the device compliance status to update.

Check device compliance status

Users can verify their device's compliance status at any time:
1. Open the Company Portal app.
2. Go to Devices.
3. Select the device to view its current status.

If the device shows as compliant, they can access work or school resources. If it shows as noncompliant and they’ve taken steps to resolve it, wait a few more minutes and check again, as compliance status updates can take up to 30 minutes to appear in the Company Portal app.

iOS/iPadOS: Enable simplified remediation for users

Admins can configure a simplified remediation experience on iOS and iPadOS to help end users return to a compliant state more easily. This experience streamlines how users address Mobile Threat Defense (MTD)-related noncompliance and reduces the number of steps required to restore access.

To enable this experience, follow the guidance in Simplifying compliance remediation with Microsoft Intune and Defender on iOS/iPadOS to configure the updated remediation workflow for your organization.
Once enabled, end users will see clearer guidance within the Microsoft Defender app when their device is marked noncompliant. The Defender app will direct users through the necessary remediation steps automatically, such as re-authentication, resolving threat signals, or re-establishing the MTD connection. After the guided process is complete, Defender will send updated device status to Intune so the device can return to a compliant state. This simplified flow reduces support overhead and increases user success in resolving MTD-related compliance issues on iOS/iPadOS.

Android: Refresh the MTD connection when sign-out is blocked

If the user is on an Android device, first have them try signing out of the Mobile Threat Defense (MTD) app and signing back in. This often re-establishes the connection and allows Intune to receive updated device status. If the option to sign out of the MTD app is blocked by IT policy, follow these steps to reset the app’s data instead:
1. Long-press the Defender app in the work profile.
2. Tap ⓘ App info.
3. Go to Storage & cache → Clear data (do not select Clear cache).
4. Relaunch the Defender app; it will open to the welcome screen.
5. Sign back in with the work or school account.

Once signed back in, Defender will update Intune with the latest device data, and the device should return to a compliant state after Intune receives the refreshed signals.

Related articles
Mobile Threat Defense integration with Intune
Using the Intune Company Portal website

If you have any questions, leave a comment below or reach out to us on X @IntuneSuppTeam!

Post updates:
02/05/26: Added two new sections covering simplified user remediation on iOS/iPadOS and refreshing the MTD connection on Android when sign-out is blocked.

Upcoming changes to iOS/iPadOS Company Portal app deployment for Setup Assistant with modern auth
Learn more about plans to remove automatic deployment of the iOS/iPadOS Company Portal app as a required app for Automated Device Enrollment (ADE) Setup Assistant with modern authentication enrollment profiles.

Resolved - Support Tip: Occasionally occurring with iOS MAM and Office apps
We had a few cases on this recently and, after investigation, decided to share this known issue that affects sign-in on iOS Mobile Application Management (MAM, also known as APP). It does not impact the majority of users, but for the ones it does impact, it prompts for sign-in when an Office app is opened. Office has a fix in their backlog; in the interim, read this post for a way to clear it up if you have a user running into this scenario.

Support Tip: Known Issues with Intune policy reports
The Intune team is aware of several policy reporting scenarios that require additional consideration in the Microsoft Endpoint Manager admin center. In this post, we will address some of these issues and highlight some upcoming improvements to Intune policy reports.

New Recovery Tool to help with CrowdStrike issue impacting Windows endpoints
Steps for how to access and use the new recovery tool Microsoft created, updated on July 31, July 23, July 22, and July 21. The tool provides two recovery options to expedite the repair process from the CrowdStrike issue impacting Windows endpoints. Please note this tool does not use Microsoft Intune, but we're sharing it as a Support tip to help Windows customers.