AVC - DNS-AS for Cloud Apps

This reference article lists every endpoints used by Office 365. If your organization restricts computers on your network from connecting to the Internet, this article lists the endpoints (FQDNs, Ports, URLs, IPv4, and IPv6 address ranges) that you should include in your outbound allow lists to ensure your computers can successfully use Office 365. If you are using Office 365 operated by 21Vianet in China, see URLs and IP address ranges for Office 365 operated by 21Vianet.

This reference article lists the endpoints for Office 365. Filtering internet traffic requires advanced networking knowledge and isn’t suitable for all customers. Additional resources for planning your network connectivity include Office 365 network traffic management, Content delivery networks, Client connectivity, and Microsoft peering.

Warning IP addresses filtering alone isn’t a complete solution due to dependencies on Content Delivery Networks (CDNs). The following are some of the reasons to use either FQDNs only or a combination of FQDNs and IP addresses:

Some clients such as the Office 365 admin portal or Outlook Web App won’t be able to authenticate without contacting CDNs.
CDN, CRL, and other partners don’t publish IP addresses.
New Office 365 infrastructure won’t become instantly available to client computers.
Some firewall providers and security policies don’t allow for wildcards.

Updates will be required as frequently as weekly.
Future non-web based clients may not be able to authenticate.
Future non-web based clients may not be able to authenticate.
There will be more emergency or retroactive updates.

Tip If IP address filtering is your only option at the firewall, an automatic proxy configuration file can be used to route the destinations marked below as CDNs through an alternate path, such as through an outbound proxy. See Office 365 network traffic management for help with more complex routing configurations.

Most changes are made 14-30 days ahead of the endpoint being used. We understand that emergency changes with less notice are difficult to manage and strive to make these infrequently. If possible, use FQDN filtering instead of IP filtering to reduce the impact of emergency changes. Subscribe to the RSS feed to have notifications pushed to you. Here is how to subscribe via Outlook or you can have the RSS feed updates emailed to you. We also offer all updates via XML.

Some of our services do overlap with one another and you will notice the overlap or duplication in the lists of endpoints. There is also some domain name overlapping with our consumer services; while the root domain name is the same, Office 365 operates from a separate sub-domain. If you’re going to add IP addresses to your allow lists, keep in mind that IPv6 is optional and not required. We provide it here for customers who wish to use IPv6.

Office 365 portal and identity

The endpoints listed in this section are only to support the portal and identity portion of Office 365. You’ll want to add these along with the endpoints for each of the workloads you’re deploying on your network.

If you’re using Active Directory Federation Services (AD FS) with your deployment, you can also use AD FS client access policies with Windows Server 2012 R2 or client access policies with AD FS 2.0 and to further restrict and control access to Office 365.

Purpose	Credentials Used	Source	Source Port	Destination	CDN Provider(s)	Destination IP	Destination Port
Required: Office 365 Portal and help content	logged on user	Client Computer	Ephemeral ports	Portal.Office.com Home.Office.com .office365.com .office.com *.office.net	See row three and four	See tables below.	TCP 80 & 443
Required: Authentication and support services	logged on user	Client Computer	Ephemeral ports	.microsoftonline.com .microsoft.com .live.com .windows.net	See row three and four	See tables below.	TCP 80 & 443
Required: CDNs used for portal and authentication	logged on user	Client Computer	Ephemeral ports	.microsoftonline-p.com .microsoftonline-p.net .microsoftonlineimages.com .msecnd.net	Microsoft	IP addresses not provided	TCP 80 & 443
Required: CDNs used for portal and authentication	logged on user	Client Computer	Ephemeral ports	*.msocdn.com	Akamai	IP addresses not provided	TCP 80 & 443
Required: Default tenant namespace (mail routing, etc.)	logged on user	Client Computer	TCP 80, 25, & 443	*.onmicrosoft.com	Various	See tables below.	TCP 80, 25, & 443
Required: Global DNS load balancing services	logged on user	Client Computer	TCP 80 & 443	*.glbdns.microsoft.com	None	IP addresses not provided	TCP 80 & 443
Required: Microsoft Azure Active Directory	logged on user	Client Computer	Ephemeral ports	*.activedirectory.windowsazure.com	None	See tables below.	TCP 80 & 443
Optional: Microsoft Azure Active Directory (MFA)	logged on user	Client Computer	Ephemeral ports	*.phonefactor.net	None	See tables below.	TCP 80 & 443
Required: Certificate revocation lists	logged on user	Client Computer	TCP 80 & 443	See well known certificate root CRLs in the table below.	None	IP addresses not provided	TCP 80 & 443
Optional: Azure Rights Management	logged on user	Client Computer	Ephemeral ports	.aadrm.com .azurerms.com *.cloudapp.net	None	IP addresses not provided	TCP 80 & 443
Optional: Microsoft Azure Active Directory RemoteApp	logged on user	Client Computer	Ephemeral ports	dc.services.visualstudio.com liverdcxstorage.blob.core.windowsazure.com telemetry.remoteapp.windowsazure.com vortex.data.microsoft.com www.remoteapp.windowsazure.com	None	IP addresses not provided	TCP 443
Optional: DirSync (legacy)	Machine^ and Service Account	DirSync Server	TCP 80 & 443	.microsoftonline.com .windows.net +Certificate Revocation Lists (see table below)	None	See tables below.	TCP 80 & 443
Optional: Azure AD Connect (recommended)	Service Account	Azure AD Connect Server	TCP 80 & 443	.microsoftonline.com .windows.net +Certificate Revocation Lists (see table below)	None	See tables below.	TCP 80 & 443
Optional: Azure AD Connect (w/SSO option) – WinRM & remote powershell	Service Account	Client Computer	TCP 80 & 443	Customer STS environment (AD FS Server and AD FS Proxy)	None	Customer environment	TCP 80 & 443
Optional: STS such as AD FS Proxy server(s) (for federated customers only)	None	Client Computer	TCP 443 or TCP 49443 w/ClientTLS	Customer STS (such as AD FS Proxy)	None	Customer environment	TCP 443 or TCP 49443 w/ClientTLS
Optional: AD FS Proxy server(s) (for federated customers only)	None	Customer AD FS Proxy (WAP)	TCP 443	Customer AD FS Server (FS)	None	Customer environment	TCP 443
Optional: Azure AD Connect Health	Service Account	Azure AD Connect Health Server	TCP 443	management.azure.com .blob.core.windows.net .queue.core.windows.net .servicebus.windows.net – Port: 5671 (If 5671 is blocked, agent falls back to 443, but using 5671 is recommended.)* .adhybridhealth.azure.com .table.core.windows.net policykeyservice.dc.ad.msft.net login.windows.net login.microsoftonline.com secure.aadcdn.microsoftonline-p.com	Microsoft	IP addresses not provided	TCP 443
Optional: Office 365 Management Pack for Operations Manager	Machine^ Account	Customer Operations Manager environment	TCP 80 & 443	office365servicehealthcommunications.cloudapp.net	None	IP addresses not provided	TCP 443

^Keep in mind that Machine accounts won’t work with proxies that require outbound authentication.

Portal and Identity IP ranges

Exchange Online

If you have licensed Exchange Online as a standalone or as part of a suite, you must be able to reach the following endpoints. Where there is a reference to another section such as the references to Office 365 portal and identity and Exchange Online Protection, you will need to ensure the endpoints listed in those tables are also included in your outbound allow lists.

Purpose	Credentials Used	Source	Source Port	Destination	CDN Provider(s)	Destination IP	Destination Port
Required: Authentication	See Office 365 portal and identity
Required: Portal	See Office 365 portal and identity
Required: Exchange Online Protection	See Exchange Online Protection (EOP)
Required: Client SMTP Relay	Logged on user	Client Computer	Ephemeral ports	smtp.office365.com	None	See table below.	TCP 587
Required: Exchange Online	Logged on user	Client Computer	Ephemeral ports	outlook.office365.com outlook.office.com	None	See table below.	TCP 80 & 443
Required: Exchange Online	Logged on user	Client Computer	Ephemeral ports	r1.res.office365.com	Akamai	IP addresses not provided	TCP 80 & 443
Required: Exchange Online	Logged on user	Client Computer	Ephemeral ports	r3.res.office365.com	Akamai	IP addresses not provided	TCP 80 & 443
Required: Exchange Online	Logged on user	Client Computer	Ephemeral ports	r4.res.office365.com	Akamai	IP addresses not provided	TCP 80 & 443
Required: Exchange Online	Logged on user	Client Computer	Ephemeral ports	*.outlook.com	None	See table below.	TCP 80 & 443
Required: Certificate revocation lists	logged on user	Client Computer	TCP 80 & 443	See well known certificate root CRLs in the table below.	None	IP addresses not provided	TCP 80 & 443
Optional: Exchange Hybrid Only	Machine account^	Existing Exchange Client Access Servers and Mailbox Servers	TCP 80 & 443	outlook.office365.com outlook.office.com	None	See table below.	TCP 80 & 443
Optional: Exchange Hybrid Co-existence	N/A	Exchange Online IPs (See table below.)	Dynamic	Customer on-premise Exchange	None	Customer IP	TCP 443
Optional: Exchange Proxy Authentication	N/A	Exchange Online IPs (See table below.)	Dynamic	Customer on-premise STS	None	Customer IP	TCP 443
Optional: Exchange Hybrid Configuration Wizard	N/A	Existing Exchange service	Ephemeral ports	hybridconfiguration.azurewebsites.net .hybridconfiguration.azurewebsites.net .Blob.core.Windows.Net	None	IP addresses included in portal and identity section	TCP 443
Optional: Exchange 2010 SP3 Hybrid Configuration Wizard	N/A	Existing Exchange service	Ephemeral ports	Domains.live.com	None	See table below.	TCP 443
Optional: Exchange Online IMAP4 migration	N/A	IMAP4 Service	TCP 143/993	outlook.office365.com outlook.office.com	None	See table below.	TCP 143/993
Optional: Exchange Online POP3 migration	N/A	POP3 Service	TCP 995	outlook.office365.com outlook.office.com	None	See table below.	TCP 995
Optional: All other Exchange Online migration tools	N/A	Existing Exchange service (EWS or MRS)	TCP 80 & 443	outlook.office365.com outlook.office.com	None	See table below.	TCP 80 & 443

^Keep in mind that Machine accounts won’t work with proxies that require outbound authentication.

Exchange Online IP ranges

Skype for Business Online

If you have licensed Skype for Business Online as a standalone or as part of a suite, you must be able to reach the Office 365 portal and identity URLs as well as the Skype for Business Online URLs or IP addresses. It’s also important to ensure you are able to reach the certificate root authorities as all Skype for Business Online communications are protected, you’ll find a partial list of possible root authorities client computers will need to be able to access.

Purpose	Credentials Used	Source	Source Port	Destination	CDN Provider(s)	Destination IP	Destination Port
Required: Authentication	See Office 365 portal and identity
Required: Portal	See Office 365 portal and identity
Required: SIP signaling	Logged on user	Client Computer	Ephemeral ports	*.Lync.com	None	See table below.	TCP 443
Required: Persistent Shared Object Model (PSOM) connections web conferencing	Logged on user	Client Computer	Ephemeral ports	*.Lync.com	None	See table below.	TCP 443
Required: HTTPS downloads	Logged on user	Client Computer	Ephemeral ports	*.Lync.com	None	See table below.	TCP 443
Required: Audio	Logged on user	Client Computer	TCP/UDP 50,000-50019	*.Lync.com	None	See table below.	TCP 443, UDP 3478, TCP/UDP 50,000-59,999
Required: Video	Logged on user	Client Computer	TCP/UDP 50,020-50039	*.Lync.com	None	See table below.	TCP 443, UDP 3478, TCP/UDP 50,000-59,999
Required: Desktop sharing	Logged on user	Client Computer	TCP/UDP 50,040-50059	*.Lync.com	None	See table below.	TCP 443, TCP 50,000-59,999
Required: Lync Mobile push notifications for Lync Mobile 2010 on iOS devices. You don’t need this for Android, Nokia Symbian or Windows Phone mobile devices.	Logged on user	Client Computer	Ephemeral ports	*.Lync.com	None	See table below.	TCP 5223
Required: Certificate revocation lists	logged on user	Client Computer	TCP 80 & 443	See well known certificate root CRLs in the table below.	None	IP addresses not provided	TCP 80 & 443

Skype for Business IP ranges

SharePoint Online

If you have licensed SharePoint Online as a standalone or as part of a suite, you must be able to reach the Office 365 portal and identity URLs as well as the SharePoint Online URLs or IP addresses.

This list also applies to many of the new applications that are dependent on SharePoint Online, such as Power BI, Project Online, Delve, and Office 365 Video. The Yammer endpoints are listed separately.

Purpose	Credentials Used	Source	Source Port	Add to IE Trusted Site?	Destination	CDN Provider(s)	Destination IP	Destination Port
Required: Authentication	See Office 365 portal and identity
Required: Portal	See Office 365 portal and identity
Required: SharePoint Online and associated applications	Logged on user	Client Computer	Ephemeral ports	No	*.sharepoint.com	None	See table below.	TCP 80 & 443
Required: SharePoint Online Explorer View Note Adding these two FQDNs to the IE Trusted Sites zone is required for Explorer View to function, other Office 365 services may not function with these FQDNs in the IE Trusted Sites zone.	Logged on user	Client Computer	Ephemeral ports	Yes	.sharepoint.com -my.sharepoint.com	None	See table below.	TCP 80 & 443
Required: CDNs for SharePoint Online and associated applications	logged on user	Client Computer	Ephemeral ports	No	*.sharepointonline.com Cdn.sharepointonline.com Static.sharepointonline.com Prod.msocdn.com	Microsoft & Akamai	IP addresses not provided	TCP 80 & 443
Required: SharePoint Online inbound mail	Logged on user	See table below.	TCP 25	No	Customer environment	None	Customer environment	TCP 25
Required: Certificate revocation lists	logged on user	Client Computer	TCP 80 & 443	No	See well known certificate root CRLs in the table below.	None	IP addresses not provided	TCP 80 & 443
Optional: Required for Office 365 Video	logged on user	Client Computer	Ephemeral ports	No	.streaming.mediaservices.windows.net .keydelivery.mediaservices.windows.net	Azure Media Services	IP addresses not provided	TCP 443
Optional: Required for Office 365 Video	logged on user	Client Computer	Ephemeral ports	No	ajax.aspnetcdn.com	Azure Media Services	IP addresses not provided	TCP 443
Optional: Required for Office 365 Video	Logged on user	Client Computer	Ephemeral ports	No	r3.res.outlook.com	Akamai	IP addresses not provided	TCP 443
Optional: Required for Office 365 Video	logged on user	Client Computer	Ephemeral ports	No	Spoprod-a.akamaihd.net	Akamai	IP addresses not provided	TCP 443
Optional: Required for OneDrive for Business	logged on user	Client Computer	Ephemeral ports	No	Spoprod-a.akamaihd.net	Akamai	IP addresses not provided	TCP 443
Optional: Required for OneNote notebooks	Logged on user	OneNote	Ephemeral ports	No	*.onenote.com	None	See table below.	TCP 443
Optional: Required for OneNote notebooks	Logged on user	OneNote	Ephemeral ports	No	cdn.onenote.net	Akamai	IP addresses not provided	TCP 443
Optional: Required for Delve	Logged on user	Client Computer	Ephemeral ports	No	r3.res.outlook.com	Akamai	IP addresses not provided	TCP 443

SharePoint Online IP Ranges

Exchange Online Protection (EOP)

If you have licensed Exchange Online Protection (EOP) as a standalone or as part of a suite, you must be able to reach the Office 365 portal and identity URLs as well as the EOP IP addresses.

Purpose	Credentials Used	Source	Source Port	Destination	CDN Provider(s)	Destination IP	Destination Port
Required: EOP	Logged on user	Client Computer	TCP 80 & 443	*.protection.outlook.com	None	See Exchange Online Protection IP Addresses	TCP 80 & 443
Required: Send email	N/A	Existing email environment	TCP 25	*.mail.protection.outlook.com	None	See Exchange Online Protection IP Addresses	TCP 25
Required: Receive email	N/A	See Exchange Online Protection IP Addresses	TCP 25	Existing email environment	None	See Exchange Online Protection IP Addresses	TCP 25

Office 365 remote analyzer tools

This list of IPv4 IP addresses is the current list required for the Office 365 remote analyzer tools.

Purpose	Credentials Used	Source	Source Port	Destination	CDN Provider(s)	Destination IP	Destination Port
Required: Initiate connectivity tests.	Logged on user	Web browse	Ephemeral ports	testconnectivity.microsoft.com testexchangeconnectivity.com	None	See table below.	TCP 80 & 443
Required: Captcha & support services	Logged on user	Web browse	Ephemeral ports	client.hip.live.com wu.client.hip.live.com support.microsoft.com	None	IP addresses not provided	TCP 80 & 443
Required: Execution of the tests selected by the customer.	Provided by customer on the testconnectivity website	testconnectivity.microsoft.com	Ephemeral ports	On-premises systems for email and collaboration.	None	Customer IP ranges	80, 443, 25, POP3 on (110, 995, or Custom), IMAP4 on (143, 993, or Custom)
Required: Certificate revocation lists	logged on user	Client Computer	TCP 80 & 443	See well known certificate root CRLs in the table below.	None	IP addresses not provided	TCP 80 & 443

Remote Analyzer IP Ranges

Yammer

This list of URLs and IPv4 IP subnet is the current list required for Yammer.

Purpose	Credentials Used	Source	Source Port	Destination	CDN Provider(s)	Destination IP	Destination Port
Required: Authentication	See Office 365 portal and identity
Required: Portal	See Office 365 portal and identity
Required: Yammer	Logged on user	Client Computer	Ephemeral ports	.assets-yammer.com .yammer.com *.yammerusercontent.com	None	See table below.	TCP 80 & 443
Required: Certificate revocation lists	logged on user	Client Computer	Ephemeral ports	See well known certificate root CRLs in the table below.	None	IP addresses not provided	TCP 80 & 443
Optional: Document, video, & image storage/rendering	Logged on user	Client Computer	Ephemeral ports	ajax.googleapis.com *.cloudfront.net	None	IP addresses not provided	TCP 443

Yammer IP Ranges

Office 365 ProPlus

Here is the current list of endpoints PCs and Macs need to be able to access to use Office 365 ProPlus. If you’re interested in bypassing the CDN for your deployment, you can build an internal installation point.

Purpose	Credentials Used	Source	Source Port	Destination	CDN Provider(s)	Destination IP	Destination Port
Required: This url is needed to renew the product key approximately every 30 days	Local system	Office client only	Ephemeral ports	activation.sls.microsoft.com	None	See table below.	TCP 443
Required: This URL is required to validate certificates during activation	Local system	Office client only	Ephemeral ports	crl.microsoft.com	None	IP addresses not provided.	TCP 80 & 443
Required: Required for identity and configuration services	Local system	Office client only	Ephemeral ports	odc.officeapps.live.com clientconfig.microsoftonline-p.net	Microsoft & Akamai	See table below. CDN IP addresses not provided.	TCP 443
Required: This URL is the Office Licensing Service, which is used during activation and subscription maintenance	Local system	Office client only	Ephemeral ports	ols.officeapps.live.com	Microsoft & Akamai	See table below. CDN IP addresses not provided.	TCP 443
Required: Required for redirection services during initial Office activation and Office license heartbeat.	Local system	Office client only	TCP 80 & 443	office15client.microsoft.com	Microsoft & Akamai	See table below. CDN IP addresses not provided.	TCP 443
Required: Required to authenticate the users identity (Org Id) during initial Office entitlement check. After initial activation, not used unless re-entitlement check is required.	Logged on user	Office client only	Ephemeral ports	login.windows.net login.microsoftonline.com	See Office 365 portal and identity
Required: Contains Office 365 ProPlus source media used for installation and/or updates. If automatic updates are configured in the default settings, the local system account is used when downloading updates.	Logged on user	Office client only	Ephemeral ports	officecdn.microsoft.com	Microsoft & Akamai	IP addresses not provided	TCP 80
Required: This URL is used to redirect to web content such as online help and error code information.	Logged on user	Office client only	Ephemeral ports	go.microsoft.com	Microsoft & Akamai	IP addresses not provided	TCP 80

Office 365 ProPlus IP Ranges

Office Online

This list of IP addresses is the current list required for Office Web Apps. MTE102837806 does not have additional URLs beyond those included in the portal and identity section.

Purpose	Credentials Used	Source	Source Port	Destination	CDN Provider(s)	Destination IP	Destination Port
Required: Authentication	See Office 365 portal and identity
Required: Portal	See Office 365 portal and identity
Required: Office Online	Logged on user	Client Computer	Ephemeral ports	*.officeapps.live.com	None	See table below.	TCP 443
Required: Content Delivery Network for Office Web Apps	Logged on user	Client Computer	Ephemeral ports	*.cdn.office.net	Akamai	IP addresses not provided	TCP 443
Required: Certificate revocation lists	logged on user	Client Computer	Ephemeral ports	See well known certificate root CRLs in the table below.	None	IP addresses not provided	TCP 80 & 443

Office Online IP Ranges

Sway

This list of URLs and IPv4 IP subnet is the current list required for Sway.

Purpose	Credentials Used	Source	Source Port	Add to IE Trusted Site?	Destination	CDN Provider(s)	Destination IP	Destination Port
Required: Authentication	See Office 365 portal and identity
Required: Portal	See Office 365 portal and identity
Required: Sway	Logged on user	Client Computer	Ephemeral ports	No	sway.com www.sway.com eus-www.sway.com eus-000.www.sway.com eus-001.www.sway.com eus-002.www.sway.com eus-003.www.sway.com eus-004.www.sway.com eus-005.www.sway.com eus-006.www.sway.com eus-007.www.sway.com eus-008.www.sway.com eus-009.www.sway.com eus-00a.www.sway.com eus-00b.www.sway.com eus-00c.www.sway.com eus-00d.www.sway.com eus-00e.www.sway.com wus-www.sway.com wus-000.www.sway.com wus-001.www.sway.com wus-002.www.sway.com wus-003.www.sway.com wus-004.www.sway.com wus-005.www.sway.com wus-006.www.sway.com wus-007.www.sway.com wus-008.www.sway.com wus-009.www.sway.com wus-00a.www.sway.com wus-00b.www.sway.com wus-00c.www.sway.com wus-00d.www.sway.com wus-00e.www.sway.com	None	See table below	TCP 443
Required: Sway	logged on user	Client Computer	Ephemeral ports	No	eus-www.sway-cdn.com wus-www.sway-cdn.com eus-www.sway-extensions.com wus-www.sway-extensions.com	Akamai	IP addresses not provided	TCP 443
Optional: Sway website analytics	Logged on user	Client Computer	Ephemeral ports	No	c.microsoft.com c1.microsoft.com prod.msocdn.com www.google-analytics.com	None	IP addresses not provided	TCP 443
Optional: Sway third party content	Logged on user	Client Computer	Ephemeral ports	No	Access to third party content such as Bing, Flickr, and so on.	None	IP addresses not provided	TCP 443

Sway IP Ranges

Planner

This list of URLs and IPv4 IP subnet is the current list required for Planner.

Purpose	Source / Credentials	Source Port	Destination	CDN Provider(s)	Destination IP	Destination Port
Required: Authentication	See Office 365 portal and identity
Required: Portal	See Office 365 portal and identity
Required: Planner	Browser/ authenticated user	Ephemeral ports	tasks.office.com controls.office.com cus-000.tasks.osi.office.net ea-000.tasks.osi.office.net eus-zzz.tasks.osi.office.net neu-000.tasks.osi.office.net sea-000.tasks.osi.office.net weu-000.tasks.osi.office.net wus-000.tasks.osi.office.net www.outlook.com outlook.office365.com clientlog.portal.office.com	None	See table below.	TCP 443
Required: Planner CDNs	Browser/ authenticated user	Ephemeral ports	ajax.aspnetcdn.com prod.msocdn.com	Akamai	IP addresses not provided	TCP 443
Required: Certificate revocation lists	Browser/ authenticated user	Ephemeral ports	See well known certificate root CRLs in the table below.	None	IP addresses not provided	TCP 80 & 443

Planner IP Ranges

Office for iPad

This is the current list of Office for iPad URLs. If you’re using allow lists to filter iPad connectivity differently than other computers on your network, you can use just this list of URLs to create those allow lists.

Office for iPad URLs
directory.services.live.com odc.officeapps.live.com docs.live.net roaming.officeapps.live.com nexus.officeapps.live.com sqm.microsoft.com watson.telemetry.microsoft.com login.live.com wer.microsoft.com microsoft-my.sharepoint.com login.microsoftonline.com ms.tific.com msft.sts.microsoft.com p100-sandbox.itunes.apple.com signup.live.com auth.gfx.ms view.atdmt.com client.hip.live.com dc2.client.hip.live.com c.live.com go.microsoft.com office.microsoft.com officeimg.vo.msecnd.net m.webtrends.com account.live.com c.bing.com partnerservices.getmicrosoftkey.com client.hip.live.com clientconfig.microsoftonline-p.net cl2.apple.com sas.office.microsoft.com foodanddrink.services.appex.bing.com en-US.appex-rf.msn.com weather.tile.appex.bing.com

Office for iPad URLs

directory.services.live.com
odc.officeapps.live.com
docs.live.net
roaming.officeapps.live.com
nexus.officeapps.live.com
sqm.microsoft.com
watson.telemetry.microsoft.com
login.live.com
wer.microsoft.com         
microsoft-my.sharepoint.com
login.microsoftonline.com
ms.tific.com
msft.sts.microsoft.com
p100-sandbox.itunes.apple.com
signup.live.com
auth.gfx.ms
view.atdmt.com
client.hip.live.com
dc2.client.hip.live.com
c.live.com
go.microsoft.com
office.microsoft.com
officeimg.vo.msecnd.net
m.webtrends.com
account.live.com
c.bing.com
partnerservices.getmicrosoftkey.com
client.hip.live.com
clientconfig.microsoftonline-p.net
cl2.apple.com
sas.office.microsoft.com
foodanddrink.services.appex.bing.com
en-US.appex-rf.msn.com
weather.tile.appex.bing.com

Office Mobile

This is the current list of Office Mobile URLs. Office Mobile runs on Android devices, Windows Phones, and iPhones. If you’re filtering your mobile connectivity differently than other computers on your network, you can use just this list of URLs to create those allow lists.

Office Mobile URLs
office15client.microsoft.com odc.officeapps.live.com go.microsoft.com login.microsoftonline.com msft.sts.microsoft.com odcsm.officeapps.live.com microsoft-my.sharepoint.com ms.tific.com roaming.officeapps.live.com o15.officeredir.microsoft.com office.microsoft.com officeimg.vo.msecnd.net m.webtrends.com d.docs.live.net login.live.com auth.gfx.ms wer.microsoft.com .appex.bing.com .appex-rf.msn.com appexsin.stb.s-msn.com

Office Mobile URLs

office15client.microsoft.com
odc.officeapps.live.com
go.microsoft.com
login.microsoftonline.com
msft.sts.microsoft.com
odcsm.officeapps.live.com
microsoft-my.sharepoint.com
ms.tific.com
roaming.officeapps.live.com
o15.officeredir.microsoft.com
office.microsoft.com
officeimg.vo.msecnd.net
m.webtrends.com
d.docs.live.net
login.live.com
auth.gfx.ms
wer.microsoft.com
*.appex.bing.com
*.appex-rf.msn.com
appexsin.stb.s-msn.com

DNS-AS and Microsoft Office 365

Office 365

Office 365 URLs and IP address ranges