Note
Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise. For more information about this change, read this blog post.
- Access a former user's OneDrive documents. If you remove a user's license but don't delete the account, you can give yourself access to the content in the user's OneDrive. If you delete the user's account, you have 30 days by default to access the former user's OneDrive data. Learn how to set the OneDrive retention for deleted users.
- Use Microsoft OneDrive as a cloud backup, and share files, photos, and entire folders with others. Your cloud storage in OneDrive is private until you decide to share with others. You can also see who a OneDrive file is shared with or stop sharing at any time.
- Login to OneDrive with your Microsoft or Office 365 account.
Summary
When you install Microsoft Office 2016, the OneDrive sync client (OneDrive.exe) is included in the installation package. This article describes how to use Group Policy settings and registry modification to block access to OneDrive from within the Office applications.
More Information
To block OneDrive access for Office 2016 users in your organization, follow these steps:
Download the Office 2016 Administrative Template files (ADMX/ADML) and Office Customization Tool.
Use the Office 2016 Administrative Templates to configure Group Policy settings under User configuration > Administrative Templates > Microsoft Office 2016 > Miscellaneous as follows:
Set the Show OneDrive Sign In setting to Disabled:
Enable the Block signing into Office setting, and set it to Org ID only:
To prevent users from adding their personal OneDrive account, use one of the following methods:
Use a Group Policy object
Collaborate for free with online versions of Microsoft Word, PowerPoint, Excel, and OneNote. Save documents, spreadsheets, and presentations online, in OneDrive. The Microsoft Office 365 for Education suite includes OneDrive for Business, SharePoint, Yammer, and Skype for Business, as well as widely used Microsoft applications such as Word, Excel, PowerPoint and the downloadable Office ProPlus suite. It also includes 1 TB of storage per user.
Use the Office 2016 Administrative Templates to configure Group Policy settings.
Under User configuration > Administrative Templates > Microsoft Office 2016 > Miscellaneous, configure Hide file locations when opening or saving files as Hide OneDrive Personal.
Note
This policy setting only applies to Word, PowerPoint, and Excel.
Modify the registry
Open registry editor and browse to the following registry key:
Modify the DWORD value 'OnlineStorage'.
Available values are:
0 Policy is off (all locations are shown)
1 Only OneDrive Personal locations are hidden
2 All SharePoint Online locations are hidden
3 All Microsoft Online Locations are hidden
If you set other values, the policy is off (all locations are shown).
If the value is set to 1, uses can no longer see their personal OneDrive location under Add a place.
To block the use of OneDrive from within Windows, see How to block OneDrive.exe from being advertised after you install Office 2016.
To configure the update settings for Microsoft 365 Apps for enterprise, see the following TechNet resource:
-->Office 365 requires connectivity to the Internet. The endpoints below should be reachable for customers using Office 365 plans, including Government Community Cloud (GCC).
Office 365 Worldwide (+GCC) | Office 365 operated by 21 Vianet | Office 365 Germany | Office 365 U.S. Government DoD | Office 365 U.S. Government GCC High |
Last updated: 03/01/2021 - Change Log subscription | Download: all required and optional destinations in one JSON formatted list. | Use: our proxy PAC files |
Start with Managing Office 365 endpoints to understand our recommendations for managing network connectivity using this data. Endpoints data is updated as needed at the beginning of each month with new IP Addresses and URLs published 30 days in advance of being active. This allows for customers who do not yet have automated updates to complete their processes before new connectivity is required. Endpoints may also be updated during the month if needed to address support escalations, security incidents, or other immediate operational requirements. The data shown on this page below is all generated from the REST-based web services. If you are using a script or a network device to access this data, you should go to the Web service directly.
Endpoint data below lists requirements for connectivity from a user's machine to Office 365. It does not include network connections from Microsoft into a customer network, sometimes called hybrid or inbound network connections. See Additional endpoints for more information.
The endpoints are grouped into four service areas. The first three service areas can be independently selected for connectivity. The fourth service area is a common dependency (called Microsoft 365 Common and Office) and must always have network connectivity.
Data columns shown are:
ID: The ID number of the row, also known as an endpoint set. This ID is the same as is returned by the web service for the endpoint set.
Category: Shows whether the endpoint set is categorized as 'Optimize', 'Allow', or 'Default'. You can read about these categories and guidance for management of them at New Office 365 endpoint categories. This column also lists which endpoint sets are required to have network connectivity. For endpoint sets which are not required to have network connectivity, we provide notes in this field to indicate what functionality would be missing if the endpoint set is blocked. If you are excluding an entire service area, the endpoint sets listed as required do not require connectivity.
ER: This is Yes if the endpoint set is supported over Azure ExpressRoute with Office 365 route prefixes. The BGP community that includes the route prefixes shown aligns with the service area listed. When ER is No, this means that ExpressRoute is not supported for this endpoint set. However, it should not be assumed that no routes are advertised for an endpoint set where ER is No.
Addresses: Lists the FQDNs or wildcard domain names and IP Address ranges for the endpoint set. Note that an IP Address range is in CIDR format and may include many individual IP Addresses in the specified network.
Ports: Lists the TCP or UDP ports that are combined with the Addresses to form the network endpoint. You may notice some duplication in IP Address ranges where there are different ports listed.
Exchange Online
ID | Category | ER | Addresses | Ports |
---|---|---|---|---|
1 | Optimize Required | Yes | outlook.office.com, outlook.office365.com 13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2603:1096::/38, 2603:1096:400::/40, 2603:1096:600::/40, 2603:1096:a00::/39, 2603:1096:c00::/40, 2603:10a6:200::/40, 2603:10a6:400::/40, 2603:10a6:600::/40, 2603:10a6:800::/40, 2603:10d6:200::/40, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128, 2a01:111:f400::/48 | TCP: 443, 80 |
2 | Allow Required | Yes | smtp.office365.com 13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2603:1096::/38, 2603:1096:400::/40, 2603:1096:600::/40, 2603:1096:a00::/39, 2603:1096:c00::/40, 2603:10a6:200::/40, 2603:10a6:400::/40, 2603:10a6:600::/40, 2603:10a6:800::/40, 2603:10d6:200::/40, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128, 2a01:111:f400::/48 | TCP: 587 |
3 | Default Required | No | r1.res.office365.com, r3.res.office365.com, r4.res.office365.com | TCP: 443, 80 |
5 | Allow Optional Notes: Exchange Online IMAP4 migration | Yes | *.outlook.office.com, outlook.office365.com 13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2603:1096::/38, 2603:1096:400::/40, 2603:1096:600::/40, 2603:1096:a00::/39, 2603:1096:c00::/40, 2603:10a6:200::/40, 2603:10a6:400::/40, 2603:10a6:600::/40, 2603:10a6:800::/40, 2603:10d6:200::/40, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128, 2a01:111:f400::/48 | TCP: 143, 993 |
6 | Allow Optional Notes: Exchange Online POP3 migration | Yes | *.outlook.office.com, outlook.office365.com 13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2603:1096::/38, 2603:1096:400::/40, 2603:1096:600::/40, 2603:1096:a00::/39, 2603:1096:c00::/40, 2603:10a6:200::/40, 2603:10a6:400::/40, 2603:10a6:600::/40, 2603:10a6:800::/40, 2603:10d6:200::/40, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128, 2a01:111:f400::/48 | TCP: 995 |
8 | Default Required | No | *.outlook.com, *.outlook.office.com, attachments.office.net | TCP: 443, 80 |
9 | Allow Required | Yes | *.protection.outlook.com 40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 52.238.78.88/32, 104.47.0.0/17, 2a01:111:f403::/48 | TCP: 443 |
10 | Allow Required | Yes | *.mail.protection.outlook.com 40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 104.47.0.0/17, 2a01:111:f400::/48, 2a01:111:f403::/48 | TCP: 25 |
154 | Default Required | No | autodiscover.<tenant>.onmicrosoft.com | TCP: 443, 80 |
SharePoint Online and OneDrive for Business
Office365 Onedrive Download
ID | Category | ER | Addresses | Ports |
---|---|---|---|---|
31 | Optimize Required | Yes | <tenant>.sharepoint.com, <tenant>-my.sharepoint.com 13.107.136.0/22, 40.108.128.0/17, 52.104.0.0/14, 104.146.128.0/17, 150.171.40.0/22, 2620:1ec:8f8::/46, 2620:1ec:908::/46, 2a01:111:f402::/48 | TCP: 443, 80 |
32 | Default Optional Notes: OneDrive for Business: supportability, telemetry, APIs, and embedded email links | No | *.log.optimizely.com, ssw.live.com, storage.live.com | TCP: 443 |
33 | Default Optional Notes: SharePoint Hybrid Search - Endpoint to SearchContentService where the hybrid crawler feeds documents | No | *.search.production.apac.trafficmanager.net, *.search.production.emea.trafficmanager.net, *.search.production.us.trafficmanager.net | TCP: 443 |
35 | Default Required | No | *.wns.windows.com, admin.onedrive.com, officeclient.microsoft.com | TCP: 443, 80 |
36 | Default Required | No | g.live.com, oneclient.sfx.ms | TCP: 443, 80 |
37 | Default Required | No | *.sharepointonline.com, cdn.sharepointonline.com, privatecdn.sharepointonline.com, publiccdn.sharepointonline.com, spoprod-a.akamaihd.net, static.sharepointonline.com | TCP: 443, 80 |
38 | Default Optional Notes: SharePoint Online: auxiliary URLs | No | prod.msocdn.com, watson.telemetry.microsoft.com | TCP: 443, 80 |
39 | Default Required | No | *.svc.ms, <tenant>-files.sharepoint.com, <tenant>-myfiles.sharepoint.com | TCP: 443, 80 |
Skype for Business Online and Microsoft Teams
ID | Category | ER | Addresses | Ports |
---|---|---|---|---|
11 | Optimize Required | Yes | 13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14 | UDP: 3478, 3479, 3480, 3481 |
12 | Allow Required | Yes | *.lync.com, *.teams.microsoft.com, teams.microsoft.com 13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14, 52.238.119.141/32, 52.244.160.207/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2620:1ec:6::/48, 2620:1ec:40::/42 | TCP: 443, 80 |
13 | Allow Required | Yes | *.broadcast.skype.com, broadcast.skype.com 13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14, 52.238.119.141/32, 52.244.160.207/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2620:1ec:6::/48, 2620:1ec:40::/42 | TCP: 443 |
15 | Default Required | No | *.sfbassets.com, *.urlp.sfbassets.com, skypemaprdsitus.trafficmanager.net | TCP: 443, 80 |
16 | Default Required | No | *.keydelivery.mediaservices.windows.net, *.msecnd.net, *.streaming.mediaservices.windows.net, ajax.aspnetcdn.com, mlccdn.blob.core.windows.net | TCP: 443 |
17 | Default Required | No | aka.ms, amp.azure.net | TCP: 443 |
18 | Default Optional Notes: Federation with Skype and public IM connectivity: Contact picture retrieval | No | *.users.storage.live.com | TCP: 443 |
19 | Default Optional Notes: Applies only to those who deploy the Conference Room Systems | No | *.adl.windows.com | TCP: 443, 80 |
22 | Allow Optional Notes: Teams: Messaging interop with Skype for Business | Yes | *.skypeforbusiness.com 13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14, 52.238.119.141/32, 52.244.160.207/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2620:1ec:6::/48, 2620:1ec:40::/42 | TCP: 443 |
26 | Default Required | No | *.msedge.net, compass-ssl.microsoft.com | TCP: 443 |
27 | Default Required | No | *.mstea.ms, *.secure.skypeassets.com, mlccdnprod.azureedge.net, videoplayercdn.osi.office.net | TCP: 443 |
29 | Default Optional Notes: Yammer third-party integration | No | *.tenor.com | TCP: 443, 80 |
127 | Default Required | No | *.skype.com | TCP: 443, 80 |
Office 365 Onedrive Storage
Microsoft 365 Common and Office Online
ID | Category | ER | Addresses | Ports |
---|---|---|---|---|
40 | Default Optional Notes: Office 365 Video CDNs | No | ajax.aspnetcdn.com, r3.res.outlook.com, spoprod-a.akamaihd.net | TCP: 443 |
41 | Default Optional Notes: Microsoft Stream | No | *.microsoftstream.com, amp.azure.net, s0.assets-yammer.com, vortex.data.microsoft.com | TCP: 443 |
42 | Default Optional Notes: Microsoft Stream CDN | No | amsglob0cdnstream13.azureedge.net, amsglob0cdnstream14.azureedge.net | TCP: 443 |
43 | Default Optional Notes: Microsoft Stream 3rd party integration (including CDNs) | No | nps.onyx.azure.net | TCP: 443 |
44 | Default Optional Notes: Microsoft Stream - unauthenticated | No | *.azureedge.net, *.media.azure.net, *.streaming.mediaservices.windows.net | TCP: 443 |
45 | Default Optional Notes: Office 365 Video | No | *.keydelivery.mediaservices.windows.net, *.streaming.mediaservices.windows.net | TCP: 443 |
46 | Allow Required | Yes | *.officeapps.live.com, *.online.office.com, office.live.com 13.107.6.171/32, 13.107.140.6/32, 52.108.0.0/14, 52.238.106.116/32, 52.244.37.168/32, 52.244.203.72/32, 52.244.207.172/32, 52.244.223.198/32, 52.247.150.191/32, 2603:1010:2::cb/128, 2603:1010:200::c7/128, 2603:1020:200::682f:a0fd/128, 2603:1020:201:9::c6/128, 2603:1020:600::a1/128, 2603:1020:700::a2/128, 2603:1020:800:2::6/128, 2603:1020:900::8/128, 2603:1030:7::749/128, 2603:1030:800:5::bfee:ad3c/128, 2603:1030:f00::17/128, 2603:1030:1000::21a/128, 2603:1040:200::4f3/128, 2603:1040:401::762/128, 2603:1040:601::60f/128, 2603:1040:a01::1e/128, 2603:1040:c01::28/128, 2603:1040:e00:1::2f/128, 2603:1040:f00::1f/128, 2603:1050:1::cd/128, 2620:1ec:8fc::6/128, 2620:1ec:a92::171/128, 2a01:111:f100:2000::a83e:3019/128, 2a01:111:f100:2002::8975:2d79/128, 2a01:111:f100:2002::8975:2da8/128, 2a01:111:f100:7000::6fdd:6cd5/128, 2a01:111:f100:a004::bfeb:88cf/128 | TCP: 443, 80 |
47 | Default Required | No | *.cdn.office.net, contentstorage.osi.office.net | TCP: 443 |
49 | Default Required | No | *.onenote.com | TCP: 443 |
50 | Default Optional Notes: OneNote notebooks (wildcards) | No | *.microsoft.com, *.msecnd.net, *.office.net | TCP: 443 |
51 | Default Required | No | *cdn.onenote.net | TCP: 443 |
52 | Default Optional Notes: OneNote 3rd party supporting services and CDNs | No | ad.atdmt.com, s.ytimg.com, www.youtube.com | TCP: 443 |
53 | Default Required | No | ajax.aspnetcdn.com, apis.live.net, cdn.optimizely.com, officeapps.live.com, www.onedrive.com | TCP: 443 |
56 | Allow Required | Yes | *.msftidentity.com, *.msidentity.com, account.activedirectory.windowsazure.com, accounts.accesscontrol.windows.net, adminwebservice.microsoftonline.com, api.passwordreset.microsoftonline.com, autologon.microsoftazuread-sso.com, becws.microsoftonline.com, clientconfig.microsoftonline-p.net, companymanager.microsoftonline.com, device.login.microsoftonline.com, graph.microsoft.com, graph.windows.net, login.microsoft.com, login.microsoftonline.com, login.microsoftonline-p.com, login.windows.net, logincert.microsoftonline.com, loginex.microsoftonline.com, login-us.microsoftonline.com, nexus.microsoftonline-p.com, passwordreset.microsoftonline.com, provisioningapi.microsoftonline.com 20.190.128.0/18, 40.126.0.0/18, 2603:1006:2000::/48, 2603:1007:200::/48, 2603:1016:1400::/48, 2603:1017::/48, 2603:1026:3000::/48, 2603:1027:1::/48, 2603:1036:3000::/48, 2603:1037:1::/48, 2603:1046:2000::/48, 2603:1047:1::/48, 2603:1056:2000::/48, 2603:1057:2::/48 | TCP: 443, 80 |
59 | Default Required | No | *.hip.live.com, *.microsoftonline.com, *.microsoftonline-p.com, *.msauth.net, *.msauthimages.net, *.msecnd.net, *.msftauth.net, *.msftauthimages.net, *.phonefactor.net, enterpriseregistration.windows.net, management.azure.com, policykeyservice.dc.ad.msft.net | TCP: 443, 80 |
64 | Allow Required | Yes | *.compliance.microsoft.com, *.manage.office.com, *.protection.office.com, *.security.microsoft.com, compliance.microsoft.com, manage.office.com, protection.office.com, security.microsoft.com 13.80.125.22/32, 13.91.91.243/32, 13.107.6.156/31, 13.107.7.190/31, 13.107.9.156/31, 40.81.156.154/32, 40.90.218.198/32, 52.108.0.0/14, 52.174.56.180/32, 52.183.75.62/32, 52.184.165.82/32, 104.42.230.91/32, 157.55.145.0/25, 157.55.155.0/25, 157.55.227.192/26, 2603:1006:1400::/40, 2603:1010:2:2::a/128, 2603:1016:2400::/40, 2603:1020:400::26/128, 2603:1020:600::12f/128, 2603:1020:600::1f0/128, 2603:1020:800:2::45/128, 2603:1026:2400::/40, 2603:1030:7:5::25/128, 2603:1036:2400::/40, 2603:1040:400::5e/128, 2603:1040:601::2/128, 2603:1046:1400::/40, 2603:1056:1400::/40, 2a01:111:200a:a::/64, 2a01:111:2035:8::/64, 2a01:111:f100:1002::4134:c440/128, 2a01:111:f100:2000::a83e:33a8/128, 2a01:111:f100:2002::8975:2d98/128, 2a01:111:f100:3000::a83e:1884/128, 2a01:111:f100:3002::8987:3552/128, 2a01:111:f100:4002::9d37:c021/128, 2a01:111:f100:4002::9d37:c3de/128, 2a01:111:f100:6000::4134:a6c7/128, 2a01:111:f100:6000::4134:b84b/128, 2a01:111:f100:7000::6fdd:5245/128, 2a01:111:f100:7000::6fdd:6fc4/128, 2a01:111:f100:8000::4134:941b/128, 2a01:111:f100:9001::1761:914f/128, 2a01:111:f406:1::/64, 2a01:111:f406:c00::/64, 2a01:111:f406:1004::/64, 2a01:111:f406:1805::/64, 2a01:111:f406:3404::/64, 2a01:111:f406:8000::/64, 2a01:111:f406:8801::/64, 2a01:111:f406:a003::/64 | TCP: 443 |
65 | Allow Required | Yes | *.portal.cloudappsecurity.com, account.office.net, admin.microsoft.com, home.office.com, portal.office.com, www.office.com 13.80.125.22/32, 13.91.91.243/32, 13.107.6.156/31, 13.107.7.190/31, 13.107.9.156/31, 40.81.156.154/32, 40.90.218.198/32, 52.108.0.0/14, 52.174.56.180/32, 52.183.75.62/32, 52.184.165.82/32, 104.42.230.91/32, 157.55.145.0/25, 157.55.155.0/25, 157.55.227.192/26, 2603:1006:1400::/40, 2603:1010:2:2::a/128, 2603:1016:2400::/40, 2603:1020:400::26/128, 2603:1020:600::12f/128, 2603:1020:600::1f0/128, 2603:1020:800:2::45/128, 2603:1026:2400::/40, 2603:1030:7:5::25/128, 2603:1036:2400::/40, 2603:1040:400::5e/128, 2603:1040:601::2/128, 2603:1046:1400::/40, 2603:1056:1400::/40, 2a01:111:200a:a::/64, 2a01:111:2035:8::/64, 2a01:111:f100:1002::4134:c440/128, 2a01:111:f100:2000::a83e:33a8/128, 2a01:111:f100:2002::8975:2d98/128, 2a01:111:f100:3000::a83e:1884/128, 2a01:111:f100:3002::8987:3552/128, 2a01:111:f100:4002::9d37:c021/128, 2a01:111:f100:4002::9d37:c3de/128, 2a01:111:f100:6000::4134:a6c7/128, 2a01:111:f100:6000::4134:b84b/128, 2a01:111:f100:7000::6fdd:5245/128, 2a01:111:f100:7000::6fdd:6fc4/128, 2a01:111:f100:8000::4134:941b/128, 2a01:111:f100:9001::1761:914f/128, 2a01:111:f406:1::/64, 2a01:111:f406:c00::/64, 2a01:111:f406:1004::/64, 2a01:111:f406:1805::/64, 2a01:111:f406:3404::/64, 2a01:111:f406:8000::/64, 2a01:111:f406:8801::/64, 2a01:111:f406:a003::/64 | TCP: 443, 80 |
66 | Default Required | No | suite.office.net | TCP: 443 |
67 | Default Optional Notes: Security and Compliance Center eDiscovery export | No | *.blob.core.windows.net | TCP: 443 |
68 | Default Optional Notes: Portal and shared: 3rd party office integration. (including CDNs) | No | *.helpshift.com, *.localytics.com, analytics.localytics.com, api.localytics.com, connect.facebook.net, firstpartyapps.oaspapps.com, outlook.uservoice.com, prod.firstpartyapps.oaspapps.com.akadns.net, rink.hockeyapp.net, sdk.hockeyapp.net, telemetryservice.firstpartyapps.oaspapps.com, web.localytics.com, webanalytics.localytics.com, wus-firstpartyapps.oaspapps.com | TCP: 443 |
69 | Default Required | No | *.aria.microsoft.com, *.events.data.microsoft.com | TCP: 443 |
70 | Default Required | No | *.o365weve.com, amp.azure.net, appsforoffice.microsoft.com, assets.onestore.ms, auth.gfx.ms, c1.microsoft.com, contentstorage.osi.office.net, dgps.support.microsoft.com, docs.microsoft.com, msdn.microsoft.com, platform.linkedin.com, prod.msocdn.com, shellprod.msocdn.com, support.content.office.net, support.microsoft.com, technet.microsoft.com, videocontent.osi.office.net, videoplayercdn.osi.office.net | TCP: 443 |
71 | Default Required | No | *.office365.com | TCP: 443 |
72 | Default Optional Notes: Azure Rights Management (RMS) with Office 2010 clients | No | *.cloudapp.net | TCP: 443 |
73 | Default Required | No | *.aadrm.com, *.azurerms.com, *.informationprotection.azure.com, ecn.dev.virtualearth.net, informationprotection.hosting.portal.azure.net | TCP: 443 |
74 | Default Optional Notes: Remote Connectivity Analyzer - Initiate connectivity tests. | No | testconnectivity.microsoft.com | TCP: 443, 80 |
75 | Default Optional Notes: Graph.windows.net, Office 365 Management Pack for Operations Manager, SecureScore, Azure AD Device Registration, Forms, StaffHub, Application Insights, captcha services | No | *.hockeyapp.net, *.sharepointonline.com, cdn.forms.office.net, dc.applicationinsights.microsoft.com, dc.services.visualstudio.com, forms.microsoft.com, mem.gfx.ms, office365servicehealthcommunications.cloudapp.net, osiprod-cus-daffodil-signalr-00.service.signalr.net, osiprod-neu-daffodil-signalr-00.service.signalr.net, osiprod-weu-daffodil-signalr-00.service.signalr.net, osiprod-wus-daffodil-signalr-00.service.signalr.net, signup.microsoft.com, staffhub.ms, staffhub.uservoice.com, staffhubweb.azureedge.net, watson.telemetry.microsoft.com | TCP: 443 |
77 | Allow Required | Yes | portal.microsoftonline.com 13.107.6.171/32, 13.107.140.6/32, 52.108.0.0/14, 52.238.106.116/32, 52.244.37.168/32, 52.244.203.72/32, 52.244.207.172/32, 52.244.223.198/32, 52.247.150.191/32, 2603:1010:2::cb/128, 2603:1010:200::c7/128, 2603:1020:200::682f:a0fd/128, 2603:1020:201:9::c6/128, 2603:1020:600::a1/128, 2603:1020:700::a2/128, 2603:1020:800:2::6/128, 2603:1020:900::8/128, 2603:1030:7::749/128, 2603:1030:800:5::bfee:ad3c/128, 2603:1030:f00::17/128, 2603:1030:1000::21a/128, 2603:1040:200::4f3/128, 2603:1040:401::762/128, 2603:1040:601::60f/128, 2603:1040:a01::1e/128, 2603:1040:c01::28/128, 2603:1040:e00:1::2f/128, 2603:1040:f00::1f/128, 2603:1050:1::cd/128, 2620:1ec:8fc::6/128, 2620:1ec:a92::171/128, 2a01:111:f100:2000::a83e:3019/128, 2a01:111:f100:2002::8975:2d79/128, 2a01:111:f100:2002::8975:2da8/128, 2a01:111:f100:7000::6fdd:6cd5/128, 2a01:111:f100:a004::bfeb:88cf/128 | TCP: 443 |
78 | Default Optional Notes: Some Office 365 features require endpoints within these domains (including CDNs). Many specific FQDNs within these wildcards have been published recently as we work to either remove or better explain our guidance relating to these wildcards. | No | *.microsoft.com, *.msocdn.com, *.office.net, *.onmicrosoft.com | TCP: 443, 80 |
79 | Default Required | No | o15.officeredir.microsoft.com, officepreviewredir.microsoft.com, officeredir.microsoft.com, r.office.microsoft.com | TCP: 443, 80 |
80 | Default Required | No | ocws.officeapps.live.com | TCP: 443 |
81 | Default Required | No | odc.officeapps.live.com | TCP: 443, 80 |
82 | Default Required | No | roaming.officeapps.live.com | TCP: 443, 80 |
83 | Default Required | No | activation.sls.microsoft.com | TCP: 443 |
84 | Default Required | No | crl.microsoft.com | TCP: 443, 80 |
86 | Default Required | No | office15client.microsoft.com, officeclient.microsoft.com | TCP: 443 |
88 | Default Required | No | insertmedia.bing.office.net | TCP: 443, 80 |
89 | Default Required | No | go.microsoft.com, support.office.com | TCP: 443, 80 |
91 | Default Required | No | ajax.aspnetcdn.com | TCP: 443, 80 |
92 | Default Required | No | officecdn.microsoft.com, officecdn.microsoft.com.edgesuite.net | TCP: 443, 80 |
93 | Default Optional Notes: ProPlus: auxiliary URLs | No | *.virtualearth.net, ajax.microsoft.com, c.bing.net, excelbingmap.firstpartyapps.oaspapps.com, excelcs.officeapps.live.com, ocos-office365-s2s.msedge.net, omextemplates.content.office.net, peoplegraph.firstpartyapps.oaspapps.com, pptcs.officeapps.live.com, tse1.mm.bing.net, uci.officeapps.live.com, watson.microsoft.com, wikipedia.firstpartyapps.oaspapps.com, wordcs.officeapps.live.com, www.bing.com | TCP: 443, 80 |
95 | Default Optional Notes: Outlook for Android and iOS | No | *.acompli.net, *.outlookmobile.com | TCP: 443 |
96 | Default Optional Notes: Outlook for Android and iOS: Authentication | No | *.manage.microsoft.com, api.office.com, go.microsoft.com, login.windows-ppe.net, secure.aadcdn.microsoftonline-p.com, vortex.data.microsoft.com | TCP: 443 |
97 | Default Optional Notes: Outlook for Android and iOS: Consumer Outlook.com and OneDrive integration | No | account.live.com, apis.live.net, auth.gfx.ms, login.live.com | TCP: 443 |
98 | Default Optional Notes: Outlook for Android and iOS: Google integration | No | accounts.google.com, mail.google.com, www.googleapis.com | TCP: 443 |
99 | Default Optional Notes: Outlook for Android and iOS: Yahoo integration | No | api.login.yahoo.com, social.yahooapis.com | TCP: 443 |
100 | Default Optional Notes: Outlook for Android and iOS: DropBox integration | No | api.dropboxapi.com, www.dropbox.com | TCP: 443 |
101 | Default Optional Notes: Outlook for Android and iOS: Box integration | No | app.box.com | TCP: 443 |
102 | Default Optional Notes: Outlook for Android and iOS: Facebook integration | No | graph.facebook.com, m.facebook.com | TCP: 443 |
103 | Default Optional Notes: Outlook for Android and iOS: Evernote integration | No | www.evernote.com | TCP: 443 |
105 | Default Optional Notes: Outlook for Android and iOS: Outlook Privacy | No | bit.ly, www.acompli.com | TCP: 443 |
106 | Default Optional Notes: Outlook for Android and iOS: User voice integration | No | by.uservoice.com, outlook.uservoice.com | TCP: 443 |
109 | Default Optional Notes: Outlook for Android and iOS: Flurry log integration | No | data.flurry.com | TCP: 443 |
110 | Default Optional Notes: Outlook for Android and iOS: Adjust integration | No | app.adjust.com | TCP: 443 |
111 | Default Optional Notes: Outlook for Android and iOS: Hockey log integration | No | rink.hockeyapp.net, sdk.hockeyapp.net | TCP: 443 |
112 | Default Optional Notes: Outlook for Android and iOS: Helpshift integration | No | acompli.helpshift.com | TCP: 443 |
113 | Default Optional Notes: Outlook for Android and iOS: Play Store integration (Android only) | No | play.google.com | TCP: 443 |
114 | Default Optional Notes: Office Mobile URLs | No | *.appex.bing.com, *.appex-rf.msn.com, *.itunes.apple.com, c.bing.com, c.live.com, cl2.apple.com, d.docs.live.net, directory.services.live.com, docs.live.net, en-us.appex-rf.msn.com, foodanddrink.services.appex.bing.com, office.microsoft.com, partnerservices.getmicrosoftkey.com, sas.office.microsoft.com, signup.live.com, view.atdmt.com, watson.telemetry.microsoft.com, weather.tile.appex.bing.com | TCP: 443, 80 |
115 | Default Optional Notes: Outlook for Android and iOS: Meetup integration | No | api.meetup.com, secure.meetup.com | TCP: 443 |
116 | Default Optional Notes: Office for iPad URLs | No | account.live.com, auth.gfx.ms, c.bing.com, c.live.com, cl2.apple.com, directory.services.live.com, docs.live.net, en-us.appex-rf.msn.com, foodanddrink.services.appex.bing.com, go.microsoft.com, login.live.com, office.microsoft.com, p100-sandbox.itunes.apple.com, partnerservices.getmicrosoftkey.com, roaming.officeapps.live.com, sas.office.microsoft.com, signup.live.com, view.atdmt.com, watson.telemetry.microsoft.com, weather.tile.appex.bing.com | TCP: 443, 80 |
117 | Default Optional Notes: Yammer | No | *.yammer.com, *.yammerusercontent.com | TCP: 443 |
118 | Default Optional Notes: Yammer CDN | No | *.assets-yammer.com | TCP: 443 |
120 | Default Optional Notes: Planner CDNs | No | ajax.aspnetcdn.com | TCP: 443 |
121 | Default Optional Notes: Planner: auxiliary URLs | No | www.outlook.com | TCP: 443, 80 |
122 | Default Optional Notes: Sway CDNs | No | eus-www.sway-cdn.com, eus-www.sway-extensions.com, wus-www.sway-cdn.com, wus-www.sway-extensions.com | TCP: 443 |
123 | Default Optional Notes: Sway website analytics | No | www.google-analytics.com | TCP: 443 |
124 | Default Optional Notes: Sway | No | sway.com, www.sway.com | TCP: 443 |
125 | Default Required | No | *.entrust.net, *.geotrust.com, *.omniroot.com, *.public-trust.com, *.symcb.com, *.symcd.com, *.verisign.com, *.verisign.net, apps.identrust.com, cacerts.digicert.com, cert.int-x3.letsencrypt.org, crl.globalsign.com, crl.globalsign.net, crl.identrust.com, crl.microsoft.com, crl3.digicert.com, crl4.digicert.com, isrg.trustid.ocsp.identrust.com, mscrl.microsoft.com, ocsp.digicert.com, ocsp.globalsign.com, ocsp.msocsp.com, ocsp2.globalsign.com, ocspx.digicert.com, secure.globalsign.com, www.digicert.com, www.microsoft.com | TCP: 443, 80 |
126 | Default Optional Notes: Connection to the speech service is required for Office Dictation features. If connectivity is not allowed, Dictation will be disabled. | No | officespeech.platform.bing.com | TCP: 443 |
128 | Default Required | No | *.config.office.net, *.manage.microsoft.com | TCP: 443 |
147 | Default Required | No | *.office.com | TCP: 443, 80 |
148 | Default Required | No | cdnprod.myanalytics.microsoft.com, myanalytics.microsoft.com, myanalytics-gcc.microsoft.com | TCP: 443, 80 |
149 | Default Required | No | workplaceanalytics.cdn.office.net, workplaceanalytics.office.com | TCP: 443, 80 |
150 | Default Optional Notes: Blocking these endpoints will affect the ability to access the Office 365 ProPlus deployment and management features via the portal. | No | *.officeconfig.msocdn.com | TCP: 443 |
152 | Default Optional Notes: These endpoints enables the Office Scripts functionality in Office clients available through the Automate tab. This feature can also be disabled through the Office 365 Admin portal. | No | *.microsoftusercontent.com | TCP: 443 |
153 | Default Required | No | *.azure-apim.net, *.flow.microsoft.com, *.powerapps.com | TCP: 443 |
156 | Default Required | No | activity.windows.com | TCP: 443 |
157 | Default Required | No | ocsp.int-x3.letsencrypt.org | TCP: 80 |
Note
For recommendations on Yammer IP addresses and URLs, see Using hard-coded IP addresses for Yammer is not recommended on the Yammer blog.