SSL Inspection and Microsoft 365


There are a number of features in Microsoft 365 that do not work if SSL Inspection (also known as TLS Interception) is enabled on your device or by your network provider. You need to exclude the URLs that Microsoft lists in its documentation from inspection. The problem is that the documentation is scattered across several disconnected pages!

This blog post was written with the help of AI (Copilot in Edge).

So, as there is not one list, I thought I would compile one here. This was last updated in October 2025 and could be out of date. Please check the sources for more, and let me know in the comments if you find other URLs that should bypass SSL Inspection.

To ensure optimal performance and avoid connectivity issues, Microsoft recommends bypassing SSL decryption for the Optimize and Allow endpoint categories of Microsoft 365.

Microsoft have a list of URLs for the endpoints to their service, where each endpoint is categorised as Optimize, Allow or Default. The URLs in the Optimize and Allow categories are incompatible with SSL inspection and must be excluded from it; the Default category can be treated like ordinary internet traffic and inspected as normal.

The endpoint list is found at https://support.office.com/en-us/article/managing-office-365-endpoints-99cab9d4-ef59-4207-9f2b-3728eb46bf9a#webservice and the JSON for this can be downloaded, as well as a PowerShell script to return the IPs and URLs.

  1. Microsoft 365 Unified Domains
    • *.cloud.microsoft (note that none of these end in .com: they are not under microsoft.com but under .microsoft, Microsoft’s own top-level domain, so an existing bypass rule for *.microsoft.com will not cover them).
    • *.static.microsoft
    • *.usercontent.microsoft
  2. Office 365 URLs (and IPs for Teams):
    • A very long list of domains and IP addresses. See Microsoft’s Office 365 URLs and IP address ranges page (or the endpoint web service above) for the latest list.
  3. Entra Hybrid Device Join
    • https://device.login.microsoftonline.com
    • https://enterpriseregistration.windows.net
  4. Intune:
    • *.manage.microsoft.com
    • *.dm.microsoft.com
  5. Microsoft Azure Attestation endpoints
    • If you use the Windows Compliance policy – Device Health settings for Windows 11 (not Windows 10), then the Microsoft Azure Attestation service is used.
    • These endpoints are region-specific, so they are not listed here. Add the attestation URLs for your Intune tenant’s region from Microsoft’s Intune network endpoints documentation.
  6. Windows 365
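The endpoint web service mentioned above returns a JSON array in which every entry carries a `category` field, so the bypass list can be generated rather than maintained by hand. The script below is an added example, not Microsoft’s own script or anything from the original post. It parses a constructed sample in the shape of the feed (the ids, ports and address ranges are illustrative, not the live data), keeps only the Optimize and Allow entries, and then checks hostnames and IP addresses against the resulting wildcard patterns and CIDR ranges. The live-fetch URL and its `clientrequestid` parameter, and the assumption that `*.example` matches any depth of subdomain, are my assumptions and should be checked against Microsoft’s documentation and your proxy product’s wildcard semantics.

```python
"""Filter the Microsoft 365 endpoint feed to the hosts and networks that must
bypass TLS interception, then check candidate hosts and IPs against it.

Added example, not Microsoft's own script. The feed format follows the endpoint
web service, but the entries below are a constructed sample, not the live data.
"""
import ipaddress
import json
import urllib.request
import uuid

# Categories Microsoft says must not be decrypted. "Default" is left out on
# purpose because that category can be inspected like ordinary internet traffic.
BYPASS_CATEGORIES = {"Optimize", "Allow"}

# Constructed sample in the shape of the web service output. The ids, ports and
# address ranges are illustrative only; fetch the live feed for real values.
SAMPLE_ENDPOINTS_JSON = """
[
  {"id": 1, "serviceArea": "Exchange", "serviceAreaDisplayName": "Exchange Online",
   "urls": ["outlook.cloud.microsoft", "outlook.office.com"],
   "ips": ["13.107.6.152/31", "2603:1006::/40"],
   "tcpPorts": "80,443", "category": "Optimize", "required": true},
  {"id": 2, "serviceArea": "Skype", "serviceAreaDisplayName": "Microsoft Teams",
   "urls": ["*.teams.microsoft.com"], "ips": ["52.112.0.0/14"],
   "tcpPorts": "443", "udpPorts": "3478,3479,3480,3481",
   "category": "Optimize", "required": true},
  {"id": 3, "serviceArea": "Common", "serviceAreaDisplayName": "Microsoft 365 Common",
   "urls": ["*.cloud.microsoft", "*.static.microsoft", "*.usercontent.microsoft"],
   "tcpPorts": "443", "category": "Allow", "required": true},
  {"id": 4, "serviceArea": "Common", "serviceAreaDisplayName": "Microsoft 365 Common",
   "urls": ["*.office.net", "officeapps.live.com"],
   "tcpPorts": "443", "category": "Default", "required": true}
]
"""


def load_endpoints(raw: str) -> list:
    """Parse the JSON array returned by the endpoint web service."""
    return json.loads(raw)


def fetch_live_endpoints(instance: str = "worldwide") -> list:
    """Pull the current feed. Assumption: the service URL and the per-caller GUID
    parameter are as documented by Microsoft at the time of writing."""
    url = (f"https://endpoints.office.com/endpoints/{instance}"
           f"?clientrequestid={uuid.uuid4()}")
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def bypass_entries(endpoints, categories=BYPASS_CATEGORIES):
    """Return (url_patterns, networks) for every entry in a bypass category."""
    urls, nets = set(), set()
    for entry in endpoints:
        if entry.get("category") not in categories:
            continue
        urls.update(entry.get("urls", []))
        for cidr in entry.get("ips", []):
            nets.add(ipaddress.ip_network(cidr, strict=False))
    # IPv4 and IPv6 networks do not compare directly, so sort on a version-aware key.
    nets_sorted = sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return sorted(urls), nets_sorted


def host_matches(hostname: str, pattern: str) -> bool:
    """Match a hostname against one feed entry.

    Assumption: "*.example" matches any depth of subdomain, which is how most
    proxies treat the feed's wildcards; check your own product's semantics.
    The suffix test keeps the leading dot so that "*.cloud.microsoft" does not
    also bypass an attacker-registered "evilcloud.microsoft".
    """
    host = hostname.lower().rstrip(".")
    pat = pattern.lower()
    if pat.startswith("*."):
        return host.endswith(pat[1:])
    return host == pat


def should_bypass(hostname: str, url_patterns) -> bool:
    """True if the hostname falls under any Optimize/Allow URL pattern."""
    return any(host_matches(hostname, p) for p in url_patterns)


def ip_should_bypass(ip: str, networks) -> bool:
    """True if the address lies inside any Optimize/Allow network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks if net.version == addr.version)


def to_pac_condition(url_patterns) -> str:
    """Render the patterns as a PAC-file expression to guard a DIRECT rule."""
    return " || ".join(f'shExpMatch(host, "{p}")' for p in url_patterns)


if __name__ == "__main__":
    urls, nets = bypass_entries(load_endpoints(SAMPLE_ENDPOINTS_JSON))
    print("Bypass patterns:", urls)
    print("Bypass networks:", [str(n) for n in nets])
    print("PAC:", to_pac_condition(urls))
    for h in ("word.cloud.microsoft", "evilcloud.microsoft", "officeapps.live.com"):
        print(f"{h}: {'bypass' if should_bypass(h, urls) else 'inspect'}")
```

Swap `load_endpoints(SAMPLE_ENDPOINTS_JSON)` for `fetch_live_endpoints()` to run it against the real feed, and re-run it whenever Microsoft publishes a new version of the endpoint list, since the bypass set changes over time.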

Microsoft’s network connectivity test tool at https://connectivity.office.com includes an SSL Break and Inspect check that follows the recommendations above. It tests the Optimize and Allow category endpoints and lists any on which it detects TLS interception.

Use the Test Device Registration Connectivity script to validate whether your devices can reach the required Microsoft resources under the SYSTEM account. Device registration runs in that context, so a proxy bypass configured only in the user’s profile will not apply to it.

Photo by Markus Spiske: https://www.pexels.com/photo/light-road-landscape-sign-226460/
