This is an old revision of the document!
Table of Contents
Blocklists - Microsoft - Microsoft Office 365
Get Current List of IP Addresses
Download the endpoints file
curl https://endpoints.office.com/endpoints/worldwide?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7 > office.txt
NOTE: The UUID b10c5ed1-bad1-445f-b386-b919946339a7 is the default one provided by Microsoft.
This UUID may be discontinued in the future, so it is recommended to use an alternative UUID in this case.
The returned result includes both IPv4 and IPv6 addresses.
To exclude IPv6, use this:
curl "https://endpoints.office.com/endpoints/worldwide?noipv6&ClientRequestId=b10c5ed1-bad1-445f-b386-b919946339a7" > office_ipv4.txt
Check list of Services
jq -r '.[].serviceArea' aa.txt | sort | uniq > office.txt
returns:
Common Exchange SharePoint Skype
Get IPs for the Specific Service
Assuming IPs for the Exchange is needed.
jq -r '.[] | select(.serviceArea=="Exchange") | select(.ips) .ips[]' aa.txt | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n | uniq > aa6.txt
NOTE: Other queries that can be used include:
jq -r '.[] | select(.serviceArea=="Exchange") | select(.ips) .ips[]' aa.txt > office.txt jq -r '.[] | select(.serviceArea=="Exchange") | select(.ips) .ips[]' aa.txt | sort | uniq > office.txt
Ports
For chat:
- http (80)
- https (443)
- udp/3478-3481
Domain list
office.com office365.com office.net onedrive.com sharepoint.com optimizely.com microsoftonline.com production.us.trafficmanager.net microsoft.com live.com oneclient.sfx.ms sharepointonline.com spoprod-a.akamaihd.net prod.msocdn.com svc.ms lync.com broadcast.skype.com skypeforbusiness.com sfbassets.com skypemaprdsitus.trafficmanager.net windows.net msecnd.net aspnetcdn.com live.net aka.ms azure.net windows.com windows.net msedge.net mstea.ms skypeassets.com azureedge.net tenor.com microsoftstream.com assets-yammer.com azureedge.net onenote.com onenote.net aspnetcdn.com optimizely.com msappproxy.net msftidentity.com msidentity.com windowsazure.com microsoftazuread-sso.com microsoftonline-p.net msauth.net msauthimages.net msftauth.net msftauthimages.net phonefactor.net visualstudio.com cloudapp.net staffhub.ms gfx.ms appex.bing.com appex-rf.msn.com getmicrosoftkey.com atdmt.com yammer.com yammerusercontent.com sway-cdn.com sway-extensions.com sway.com
NOTE: Top level domains use used instead of multiple subdomains.
For example, excel.officeapps.microsoft.com, word.officeapps.microsoft.com are abbreviated to just officapps.microsoft.com.
Amend if needed.
IP Ranges
Includes local subnets if not present already.
104.146.128.0/17 104.42.230.91 104.44.218.128/25 104.44.254.128/25 104.44.255.0/25 104.47.0.0/17 13.91.91.243 13.106.4.128/25 13.106.56.0/25 13.107.128.0/22 13.107.136.0/22 13.107.140.6 13.107.18.10/31 13.107.6.152/31 13.107.6.156/31 13.107.6.171 13.107.7.190/31 13.107.9.155/31 13.80.125.22 131.253.33.215 132.245.0.0/16 134.170.172.128/25 134.170.67.0/25 150.171.32.0/22 150.171.40.0/22 157.55.130.0/25 157.55.145.0/25 157.55.155.0/25 157.55.227.192/26 157.55.45.128/25 191.232.2.128/25 191.234.140.0/22 20.190.128.0/18 204.79.197.215 23.103.160.0/20 40.96.0.0/13 40.104.0.0/15 40.107.0.0/16 40.108.128.0/17 40.126.0.0/18 40.81.156.154 40.92.0.0/15 40.90.218.198 52.108.0.0/14 52.100.0.0/14 52.104.0.0/14 52.174.56.180 52.183.75.62 52.184.165.82 52.238.106.116 52.238.78.88 52.247.150.191 52.96.0.0/14 65.54.170.128/25
For the Teams app, these additional IP ranges are needed:
13.107.64.0/18 52.112.0.0/14 52.120.0.0/14