This reference article lists every endpoints used by Office 365. If your organization restricts computers on your network from connecting to the Internet, this article lists the endpoints (FQDNs, Ports, URLs, IPv4, and IPv6 address ranges) that you should include in your outbound allow lists to ensure your computers can successfully use Office 365. If you are using Office 365 operated by 21Vianet in China, see URLs and IP address ranges for Office 365 operated by 21Vianet.

This reference article lists the endpoints for Office 365. Filtering internet traffic requires advanced networking knowledge and isn’t suitable for all customers. Additional resources for planning your network connectivity include Office 365 network traffic management, Content delivery networks, Client connectivity, and Microsoft peering.

Warning   IP addresses filtering alone isn’t a complete solution due to dependencies on Content Delivery Networks (CDNs). The following are some of the reasons to use either FQDNs only or a combination of FQDNs and IP addresses:
  • Some clients such as the Office 365 admin portal or Outlook Web App won’t be able to authenticate without contacting CDNs.
  • CDN, CRL, and other partners don’t publish IP addresses.
  • New Office 365 infrastructure won’t become instantly available to client computers.
  • Some firewall providers and security policies don’t allow for wildcards.
  • Updates will be required as frequently as weekly.
  • Future non-web based clients may not be able to authenticate.
  • Future non-web based clients may not be able to authenticate.
  • There will be more emergency or retroactive updates.

Tip   If IP address filtering is your only option at the firewall, an automatic proxy configuration file can be used to route the destinations marked below as CDNs through an alternate path, such as through an outbound proxy. See Office 365 network traffic management for help with more complex routing configurations.

Most changes are made 14-30 days ahead of the endpoint being used. We understand that emergency changes with less notice are difficult to manage and strive to make these infrequently. If possible, use FQDN filtering instead of IP filtering to reduce the impact of emergency changes. Subscribe to the RSS feed to have notifications pushed to you. Here is how to subscribe via Outlook or you can have the RSS feed updates emailed to you. We also offer all updates via XML.

Some of our services do overlap with one another and you will notice the overlap or duplication in the lists of endpoints. There is also some domain name overlapping with our consumer services; while the root domain name is the same, Office 365 operates from a separate sub-domain. If you’re going to add IP addresses to your allow lists, keep in mind that IPv6 is optional and not required. We provide it here for customers who wish to use IPv6.

Office 365 portal and identity

The endpoints listed in this section are only to support the portal and identity portion of Office 365. You’ll want to add these along with the endpoints for each of the workloads you’re deploying on your network.

If you’re using Active Directory Federation Services (AD FS) with your deployment, you can also use AD FS client access policies with Windows Server 2012 R2 or client access policies with AD FS 2.0 and to further restrict and control access to Office 365.

Purpose Credentials Used Source Source Port Destination CDN Provider(s) Destination IP Destination Port
Required: Office 365 Portal and help content logged on user Client Computer Ephemeral ports Portal.Office.com

Home.Office.com

*.office365.com

*.office.com

*.office.net

See row three and four See tables below. TCP 80 & 443
Required: Authentication and support services logged on user Client Computer Ephemeral ports *.microsoftonline.com

*.microsoft.com

*.live.com

*.windows.net

See row three and four See tables below. TCP 80 & 443
Required: CDNs used for portal and authentication logged on user Client Computer Ephemeral ports *.microsoftonline-p.com

*.microsoftonline-p.net

*.microsoftonlineimages.com

*.msecnd.net

Microsoft IP addresses not provided TCP 80 & 443
Required: CDNs used for portal and authentication logged on user Client Computer Ephemeral ports *.msocdn.com Akamai IP addresses not provided TCP 80 & 443
Required: Default tenant namespace (mail routing, etc.) logged on user Client Computer TCP 80, 25, & 443 *.onmicrosoft.com Various See tables below. TCP 80, 25, & 443
Required: Global DNS load balancing services logged on user Client Computer TCP 80 & 443 *.glbdns.microsoft.com None IP addresses not provided TCP 80 & 443
Required: Microsoft Azure Active Directory logged on user Client Computer Ephemeral ports *.activedirectory.windowsazure.com None See tables below. TCP 80 & 443
Optional: Microsoft Azure Active Directory (MFA) logged on user Client Computer Ephemeral ports *.phonefactor.net None See tables below. TCP 80 & 443
Required: Certificate revocation lists logged on user Client Computer TCP 80 & 443 See well known certificate root CRLs in the table below. None IP addresses not provided TCP 80 & 443
Optional: Azure Rights Management logged on user Client Computer Ephemeral ports *.aadrm.com

*.azurerms.com

*.cloudapp.net

None IP addresses not provided TCP 80 & 443
Optional: Microsoft Azure Active Directory RemoteApp logged on user Client Computer Ephemeral ports dc.services.visualstudio.com

liverdcxstorage.blob.core.windowsazure.com

telemetry.remoteapp.windowsazure.com

vortex.data.microsoft.com

www.remoteapp.windowsazure.com

None IP addresses not provided TCP 443
Optional: DirSync (legacy) Machine^ and Service Account DirSync Server TCP 80 & 443 *.microsoftonline.com

*.windows.net

+Certificate Revocation Lists (see table below)

None See tables below. TCP 80 & 443
Optional: Azure AD Connect (recommended) Service Account Azure AD Connect Server TCP 80 & 443 *.microsoftonline.com

*.windows.net

+Certificate Revocation Lists (see table below)

None See tables below. TCP 80 & 443
Optional: Azure AD Connect (w/SSO option) – WinRM & remote powershell Service Account Client Computer TCP 80 & 443 Customer STS environment (AD FS Server and AD FS Proxy) None Customer environment TCP 80 & 443
Optional: STS such as AD FS Proxy server(s) (for federated customers only) None Client Computer TCP 443 or TCP 49443 w/ClientTLS Customer STS (such as AD FS Proxy) None Customer environment TCP 443 or TCP 49443 w/ClientTLS
Optional: AD FS Proxy server(s) (for federated customers only) None Customer AD FS Proxy (WAP) TCP 443 Customer AD FS Server (FS) None Customer environment TCP 443
Optional: Azure AD Connect Health Service Account Azure AD Connect Health Server TCP 443 management.azure.com

*.blob.core.windows.net

*.queue.core.windows.net

*.servicebus.windows.net – Port: 5671 (If 5671 is blocked, agent falls back to 443, but using 5671 is recommended.)

*.adhybridhealth.azure.com

*.table.core.windows.net

policykeyservice.dc.ad.msft.net

login.windows.net

login.microsoftonline.com

secure.aadcdn.microsoftonline-p.com

Microsoft IP addresses not provided TCP 443
Optional: Office 365 Management Pack for Operations Manager Machine^ Account Customer Operations Manager environment TCP 80 & 443 office365servicehealthcommunications.cloudapp.net None IP addresses not provided TCP 443

^Keep in mind that Machine accounts won’t work with proxies that require outbound authentication.

Portal and Identity IP ranges

Exchange Online

If you have licensed Exchange Online as a standalone or as part of a suite, you must be able to reach the following endpoints. Where there is a reference to another section such as the references to Office 365 portal and identity and Exchange Online Protection, you will need to ensure the endpoints listed in those tables are also included in your outbound allow lists.

Purpose Credentials Used Source Source Port Destination CDN Provider(s) Destination IP Destination Port
Required: Authentication See Office 365 portal and identity
Required: Portal See Office 365 portal and identity
Required: Exchange Online Protection See Exchange Online Protection (EOP)
Required: Client SMTP Relay Logged on user Client Computer Ephemeral ports smtp.office365.com None See table below. TCP 587
Required: Exchange Online Logged on user Client Computer Ephemeral ports outlook.office365.com

outlook.office.com

None See table below. TCP 80 & 443
Required: Exchange Online Logged on user Client Computer Ephemeral ports r1.res.office365.com Akamai IP addresses not provided TCP 80 & 443
Required: Exchange Online Logged on user Client Computer Ephemeral ports r3.res.office365.com Akamai IP addresses not provided TCP 80 & 443
Required: Exchange Online Logged on user Client Computer Ephemeral ports r4.res.office365.com Akamai IP addresses not provided TCP 80 & 443
Required: Exchange Online Logged on user Client Computer Ephemeral ports *.outlook.com None See table below. TCP 80 & 443
Required: Certificate revocation lists logged on user Client Computer TCP 80 & 443 See well known certificate root CRLs in the table below. None IP addresses not provided TCP 80 & 443
Optional: Exchange Hybrid Only Machine account^ Existing Exchange Client Access Servers and Mailbox Servers TCP 80 & 443 outlook.office365.com

outlook.office.com

None See table below. TCP 80 & 443
Optional: Exchange Hybrid Co-existence N/A Exchange Online IPs (See table below.) Dynamic Customer on-premise Exchange None Customer IP TCP 443
Optional: Exchange Proxy Authentication N/A Exchange Online IPs (See table below.) Dynamic Customer on-premise STS None Customer IP TCP 443
Optional: Exchange Hybrid Configuration Wizard N/A Existing Exchange service Ephemeral ports hybridconfiguration.azurewebsites.net

*.hybridconfiguration.azurewebsites.net

*.Blob.core.Windows.Net

None IP addresses included in portal and identity section TCP 443
Optional: Exchange 2010 SP3 Hybrid Configuration Wizard N/A Existing Exchange service Ephemeral ports Domains.live.com None See table below. TCP 443
Optional: Exchange Online IMAP4 migration N/A IMAP4 Service TCP 143/993 outlook.office365.com

outlook.office.com

None See table below. TCP 143/993
Optional: Exchange Online POP3 migration N/A POP3 Service TCP 995 outlook.office365.com

outlook.office.com

None See table below. TCP 995
Optional: All other Exchange Online migration tools N/A Existing Exchange service (EWS or MRS) TCP 80 & 443 outlook.office365.com

outlook.office.com

None See table below. TCP 80 & 443

^Keep in mind that Machine accounts won’t work with proxies that require outbound authentication.

Exchange Online IP ranges

Skype for Business Online

If you have licensed Skype for Business Online as a standalone or as part of a suite, you must be able to reach the Office 365 portal and identity URLs as well as the Skype for Business Online URLs or IP addresses. It’s also important to ensure you are able to reach the certificate root authorities as all Skype for Business Online communications are protected, you’ll find a partial list of possible root authorities client computers will need to be able to access.

Purpose Credentials Used Source Source Port Destination CDN Provider(s) Destination IP Destination Port
Required: Authentication See Office 365 portal and identity
Required: Portal See Office 365 portal and identity
Required: SIP signaling Logged on user Client Computer Ephemeral ports *.Lync.com None See table below. TCP 443
Required: Persistent Shared Object Model (PSOM) connections web conferencing Logged on user Client Computer Ephemeral ports *.Lync.com None See table below. TCP 443
Required: HTTPS downloads Logged on user Client Computer Ephemeral ports *.Lync.com None See table below. TCP 443
Required: Audio Logged on user Client Computer TCP/UDP 50,000-50019 *.Lync.com None See table below. TCP 443, UDP 3478, TCP/UDP 50,000-59,999
Required: Video Logged on user Client Computer TCP/UDP 50,020-50039 *.Lync.com None See table below. TCP 443, UDP 3478, TCP/UDP 50,000-59,999
Required: Desktop sharing Logged on user Client Computer TCP/UDP 50,040-50059 *.Lync.com None See table below. TCP 443, TCP 50,000-59,999
Required: Lync Mobile push notifications for Lync Mobile 2010 on iOS devices. You don’t need this for Android, Nokia Symbian or Windows Phone mobile devices. Logged on user Client Computer Ephemeral ports *.Lync.com None See table below. TCP 5223
Required: Certificate revocation lists logged on user Client Computer TCP 80 & 443 See well known certificate root CRLs in the table below. None IP addresses not provided TCP 80 & 443

Skype for Business IP ranges

SharePoint Online

If you have licensed SharePoint Online as a standalone or as part of a suite, you must be able to reach the Office 365 portal and identity URLs as well as the SharePoint Online URLs or IP addresses.

This list also applies to many of the new applications that are dependent on SharePoint Online, such as Power BI, Project Online, Delve, and Office 365 Video. The Yammer endpoints are listed separately.

Purpose Credentials Used Source Source Port Add to IE Trusted Site? Destination CDN Provider(s) Destination IP Destination Port
Required: Authentication See Office 365 portal and identity
Required: Portal See Office 365 portal and identity
Required: SharePoint Online and associated applications Logged on user Client Computer Ephemeral ports No *.sharepoint.com None See table below. TCP 80 & 443
Required: SharePoint Online Explorer View

Note   Adding these two FQDNs to the IE Trusted Sites zone is required for Explorer View to function, other Office 365 services may not function with these FQDNs in the IE Trusted Sites zone.

Logged on user Client Computer Ephemeral ports Yes .sharepoint.com

-my.sharepoint.com

None See table below. TCP 80 & 443
Required: CDNs for SharePoint Online and associated applications logged on user Client Computer Ephemeral ports No *.sharepointonline.com

Cdn.sharepointonline.com

Static.sharepointonline.com

Prod.msocdn.com

Microsoft & Akamai IP addresses not provided TCP 80 & 443
Required: SharePoint Online inbound mail Logged on user See table below. TCP 25 No Customer environment None Customer environment TCP 25
Required: Certificate revocation lists logged on user Client Computer TCP 80 & 443 No See well known certificate root CRLs in the table below. None IP addresses not provided TCP 80 & 443
Optional: Required for Office 365 Video logged on user Client Computer Ephemeral ports No *.streaming.mediaservices.windows.net

*.keydelivery.mediaservices.windows.net

Azure Media Services IP addresses not provided TCP 443
Optional: Required for Office 365 Video logged on user Client Computer Ephemeral ports No ajax.aspnetcdn.com Azure Media Services IP addresses not provided TCP 443
Optional: Required for Office 365 Video Logged on user Client Computer Ephemeral ports No r3.res.outlook.com Akamai IP addresses not provided TCP 443
Optional: Required for Office 365 Video logged on user Client Computer Ephemeral ports No Spoprod-a.akamaihd.net Akamai IP addresses not provided TCP 443
Optional: Required for OneDrive for Business logged on user Client Computer Ephemeral ports No Spoprod-a.akamaihd.net Akamai IP addresses not provided TCP 443
Optional: Required for OneNote notebooks Logged on user OneNote Ephemeral ports No *.onenote.com None See table below. TCP 443
Optional: Required for OneNote notebooks Logged on user OneNote Ephemeral ports No cdn.onenote.net Akamai IP addresses not provided TCP 443
Optional: Required for Delve Logged on user Client Computer Ephemeral ports No r3.res.outlook.com Akamai IP addresses not provided TCP 443

SharePoint Online IP Ranges

Exchange Online Protection (EOP)

If you have licensed Exchange Online Protection (EOP) as a standalone or as part of a suite, you must be able to reach the Office 365 portal and identity URLs as well as the EOP IP addresses.

Purpose Credentials Used Source Source Port Destination CDN Provider(s) Destination IP Destination Port
Required: EOP Logged on user Client Computer TCP 80 & 443 *.protection.outlook.com None See Exchange Online Protection IP Addresses TCP 80 & 443
Required: Send email N/A Existing email environment TCP 25 *.mail.protection.outlook.com None See Exchange Online Protection IP Addresses TCP 25
Required: Receive email N/A See Exchange Online Protection IP Addresses TCP 25 Existing email environment None See Exchange Online Protection IP Addresses TCP 25

(Back to top | Skype for Business Online | Exchange Online | SharePoint Online | Office 365 portal and identity | Office 365 ProPlus | Office Online | Yammer | Sway | Planner)

Office 365 remote analyzer tools

This list of IPv4 IP addresses is the current list required for the Office 365 remote analyzer tools.

Purpose Credentials Used Source Source Port Destination CDN Provider(s) Destination IP Destination Port
Required: Initiate connectivity tests. Logged on user Web browse Ephemeral ports testconnectivity.microsoft.com

testexchangeconnectivity.com

None See table below. TCP 80 & 443
Required: Captcha & support services Logged on user Web browse Ephemeral ports client.hip.live.com

wu.client.hip.live.com

support.microsoft.com

None IP addresses not provided TCP 80 & 443
Required: Execution of the tests selected by the customer. Provided by customer on the testconnectivity website testconnectivity.microsoft.com Ephemeral ports On-premises systems for email and collaboration. None Customer IP ranges 80, 443, 25, POP3 on (110, 995, or Custom), IMAP4 on (143, 993, or Custom)
Required: Certificate revocation lists logged on user Client Computer TCP 80 & 443 See well known certificate root CRLs in the table below. None IP addresses not provided TCP 80 & 443

Remote Analyzer IP Ranges

Yammer

This list of URLs and IPv4 IP subnet is the current list required for Yammer.

Purpose Credentials Used Source Source Port Destination CDN Provider(s) Destination IP Destination Port
Required: Authentication See Office 365 portal and identity
Required: Portal See Office 365 portal and identity
Required: Yammer Logged on user Client Computer Ephemeral ports *.assets-yammer.com

*.yammer.com

*.yammerusercontent.com

None See table below. TCP 80 & 443
Required: Certificate revocation lists logged on user Client Computer Ephemeral ports See well known certificate root CRLs in the table below. None IP addresses not provided TCP 80 & 443
Optional: Document, video, & image storage/rendering Logged on user Client Computer Ephemeral ports ajax.googleapis.com

*.cloudfront.net

None IP addresses not provided TCP 443

Yammer IP Ranges

Office 365 ProPlus

Here is the current list of endpoints PCs and Macs need to be able to access to use Office 365 ProPlus. If you’re interested in bypassing the CDN for your deployment, you can build an internal installation point.

Purpose Credentials Used Source Source Port Destination CDN Provider(s) Destination IP Destination Port
Required: This url is needed to renew the product key approximately every 30 days Local system Office client only Ephemeral ports activation.sls.microsoft.com None See table below. TCP 443
Required: This URL is required to validate certificates during activation Local system Office client only Ephemeral ports crl.microsoft.com None IP addresses not provided. TCP 80 & 443
Required: Required for identity and configuration services Local system Office client only Ephemeral ports odc.officeapps.live.com

clientconfig.microsoftonline-p.net

Microsoft & Akamai See table below. CDN IP addresses not provided. TCP 443
Required: This URL is the Office Licensing Service, which is used during activation and subscription maintenance Local system Office client only Ephemeral ports ols.officeapps.live.com Microsoft & Akamai See table below. CDN IP addresses not provided. TCP 443
Required: Required for redirection services during initial Office activation and Office license heartbeat. Local system Office client only TCP 80 & 443 office15client.microsoft.com Microsoft & Akamai See table below. CDN IP addresses not provided. TCP 443
Required: Required to authenticate the users identity (Org Id) during initial Office entitlement check. After initial activation, not used unless re-entitlement check is required. Logged on user Office client only Ephemeral ports login.windows.net

login.microsoftonline.com

See Office 365 portal and identity
Required: Contains Office 365 ProPlus source media used for installation and/or updates. If automatic updates are configured in the default settings, the local system account is used when downloading updates. Logged on user Office client only Ephemeral ports officecdn.microsoft.com Microsoft & Akamai IP addresses not provided TCP 80
Required: This URL is used to redirect to web content such as online help and error code information. Logged on user Office client only Ephemeral ports go.microsoft.com Microsoft & Akamai IP addresses not provided TCP 80

Office 365 ProPlus IP Ranges

Office Online

This list of IP addresses is the current list required for Office Web Apps. MTE102837806 does not have additional URLs beyond those included in the portal and identity section.

Purpose Credentials Used Source Source Port Destination CDN Provider(s) Destination IP Destination Port
Required: Authentication See Office 365 portal and identity
Required: Portal See Office 365 portal and identity
Required: Office Online Logged on user Client Computer Ephemeral ports *.officeapps.live.com None See table below. TCP 443
Required: Content Delivery Network for Office Web Apps Logged on user Client Computer Ephemeral ports *.cdn.office.net Akamai IP addresses not provided TCP 443
Required: Certificate revocation lists logged on user Client Computer Ephemeral ports See well known certificate root CRLs in the table below. None IP addresses not provided TCP 80 & 443

Office Online IP Ranges

Sway

This list of URLs and IPv4 IP subnet is the current list required for Sway.

Purpose Credentials Used Source Source Port Add to IE Trusted Site? Destination CDN Provider(s) Destination IP Destination Port
Required: Authentication See Office 365 portal and identity
Required: Portal See Office 365 portal and identity
Required: Sway Logged on user Client Computer Ephemeral ports No sway.com

www.sway.com

eus-www.sway.com

eus-000.www.sway.com

eus-001.www.sway.com

eus-002.www.sway.com

eus-003.www.sway.com

eus-004.www.sway.com

eus-005.www.sway.com

eus-006.www.sway.com

eus-007.www.sway.com

eus-008.www.sway.com

eus-009.www.sway.com

eus-00a.www.sway.com

eus-00b.www.sway.com

eus-00c.www.sway.com

eus-00d.www.sway.com

eus-00e.www.sway.com

wus-www.sway.com

wus-000.www.sway.com

wus-001.www.sway.com

wus-002.www.sway.com

wus-003.www.sway.com

wus-004.www.sway.com

wus-005.www.sway.com

wus-006.www.sway.com

wus-007.www.sway.com

wus-008.www.sway.com

wus-009.www.sway.com

wus-00a.www.sway.com

wus-00b.www.sway.com

wus-00c.www.sway.com

wus-00d.www.sway.com

wus-00e.www.sway.com

None See table below TCP 443
Required: Sway logged on user Client Computer Ephemeral ports No eus-www.sway-cdn.com

wus-www.sway-cdn.com

eus-www.sway-extensions.com

wus-www.sway-extensions.com

Akamai IP addresses not provided TCP 443
Optional: Sway website analytics Logged on user Client Computer Ephemeral ports No c.microsoft.com c1.microsoft.com

prod.msocdn.com

www.google-analytics.com

None IP addresses not provided TCP 443
Optional: Sway third party content Logged on user Client Computer Ephemeral ports No Access to third party content such as Bing, Flickr, and so on. None IP addresses not provided TCP 443

Sway IP Ranges

Planner

This list of URLs and IPv4 IP subnet is the current list required for Planner.

Purpose Source / Credentials Source Port Destination CDN Provider(s) Destination IP Destination Port
Required: Authentication See Office 365 portal and identity
Required: Portal See Office 365 portal and identity
Required: Planner Browser/ authenticated user Ephemeral ports tasks.office.com

controls.office.com

cus-000.tasks.osi.office.net

ea-000.tasks.osi.office.net

eus-zzz.tasks.osi.office.net

neu-000.tasks.osi.office.net

sea-000.tasks.osi.office.net

weu-000.tasks.osi.office.net

wus-000.tasks.osi.office.net

www.outlook.com

outlook.office365.com

clientlog.portal.office.com

None See table below. TCP 443
Required: Planner CDNs Browser/ authenticated user Ephemeral ports ajax.aspnetcdn.com

prod.msocdn.com

Akamai IP addresses not provided TCP 443
Required: Certificate revocation lists Browser/ authenticated user Ephemeral ports See well known certificate root CRLs in the table below. None IP addresses not provided TCP 80 & 443

Planner IP Ranges

Office for iPad

This is the current list of Office for iPad URLs. If you’re using allow lists to filter iPad connectivity differently than other computers on your network, you can use just this list of URLs to create those allow lists.

Office for iPad URLs
directory.services.live.com
odc.officeapps.live.com
docs.live.net
roaming.officeapps.live.com
nexus.officeapps.live.com
sqm.microsoft.com
watson.telemetry.microsoft.com
login.live.com
wer.microsoft.com         
microsoft-my.sharepoint.com
login.microsoftonline.com
ms.tific.com
msft.sts.microsoft.com
p100-sandbox.itunes.apple.com
signup.live.com
auth.gfx.ms
view.atdmt.com
client.hip.live.com
dc2.client.hip.live.com
c.live.com
go.microsoft.com
office.microsoft.com
officeimg.vo.msecnd.net
m.webtrends.com
account.live.com
c.bing.com
partnerservices.getmicrosoftkey.com
client.hip.live.com
clientconfig.microsoftonline-p.net
cl2.apple.com
sas.office.microsoft.com
foodanddrink.services.appex.bing.com
en-US.appex-rf.msn.com
weather.tile.appex.bing.com

Office Mobile

This is the current list of Office Mobile URLs. Office Mobile runs on Android devices, Windows Phones, and iPhones. If you’re filtering your mobile connectivity differently than other computers on your network, you can use just this list of URLs to create those allow lists.

Office Mobile URLs
office15client.microsoft.com
odc.officeapps.live.com
go.microsoft.com
login.microsoftonline.com
msft.sts.microsoft.com
odcsm.officeapps.live.com
microsoft-my.sharepoint.com
ms.tific.com
roaming.officeapps.live.com
o15.officeredir.microsoft.com
office.microsoft.com
officeimg.vo.msecnd.net
m.webtrends.com
d.docs.live.net
login.live.com
auth.gfx.ms
wer.microsoft.com
*.appex.bing.com
*.appex-rf.msn.com
appexsin.stb.s-msn.com