There are a number of features in Microsoft 365 that do not work if SSL Inspection (also known as TLS Interception) is enabled on your device or network provider. You need to exclude the URLs that Microsoft lists in its documentation from inspection. The problem is that the documentation is spread across many disconnected pages!
This blog post was written with the help of AI (Copilot in Edge).
So as there is not one list, I thought I would compile one here. This was last updated November 2023 and could be out of date. Please check the sources for more, and let me know in the comments if you find other URLs that should bypass SSL Inspection.
To ensure optimal performance and avoid connectivity issues, Microsoft recommends bypassing SSL decryption for the Optimize and Allow endpoint categories of Microsoft 365.
Microsoft have a list of URLs for the endpoints to their service, where they are categorised as Default, Allow or Optimize. The URLs that are Allow or Optimize are incompatible with SSL inspection.
The endpoint list is found at https://support.office.com/en-us/article/managing-office-365-endpoints-99cab9d4-ef59-4207-9f2b-3728eb46bf9a#webservice and the JSON for this can be downloaded, as well as a PowerShell script to return the IPs and URLs.
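As an added example (not the post's own code and not Microsoft's PowerShell script), the Python below shows how to turn that JSON into a bypass list. It parses a constructed, abbreviated excerpt in the shape of the endpoint web service's output, keeps only the rows whose category is Optimize or Allow (Default rows may be inspected, so they are dropped), and then offers a wildcard hostname matcher, a CIDR check for the IP ranges, and a PAC file that sends the bypassed hosts DIRECT instead of through the inspecting proxy. The sample rows, the proxy address `inspect.corp.example:8080` and the PAC layout are assumptions for the example; the live feed is `https://endpoints.office.com/endpoints/worldwide?clientrequestid=<GUID>`, which requires a GUID you generate yourself.

```python
import ipaddress
import json

# Constructed, abbreviated excerpt in the shape of the Microsoft 365 endpoint
# web-service JSON (id, serviceArea, category, required, urls, ips). The URLs
# and Teams IP ranges are the ones listed in this post; everything else is
# sample data for an offline run, not a live download. Note that "ips" is
# absent on URL-only rows, exactly as in the real feed.
SAMPLE_JSON = """
[
  {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": true,
   "urls": ["outlook.office.com", "outlook.office365.com"]},
  {"id": 11, "serviceArea": "Skype", "category": "Optimize", "required": true,
   "urls": [],
   "ips": ["13.107.64.0/18", "52.112.0.0/14", "52.122.0.0/15", "2603:1063::/38"]},
  {"id": 31, "serviceArea": "SharePoint", "category": "Optimize", "required": true,
   "urls": ["*.sharepoint.com"]},
  {"id": 56, "serviceArea": "Common", "category": "Allow", "required": true,
   "urls": ["*.auth.microsoft.com", "login.microsoftonline.com", "graph.microsoft.com"]},
  {"id": 46, "serviceArea": "Common", "category": "Default", "required": true,
   "urls": ["*.office.net"]}
]
"""

# Microsoft's guidance: Optimize and Allow must not be SSL-inspected; Default may be.
BYPASS_CATEGORIES = ("Optimize", "Allow")


def load_endpoints(raw_json):
    """Parse the web-service payload: a JSON array of endpoint-set objects."""
    return json.loads(raw_json)


def bypass_entries(endpoints, categories=BYPASS_CATEGORIES):
    """Return (sorted hostname patterns, sorted IP networks) for every endpoint
    set in a category that must bypass inspection. Default rows are skipped."""
    patterns, networks = set(), set()
    for ep in endpoints:
        if ep.get("category") not in categories:
            continue
        patterns.update(u.lower() for u in ep.get("urls", []))
        networks.update(ipaddress.ip_network(c, strict=False) for c in ep.get("ips", []))
    # IPv4 and IPv6 networks do not compare with each other, so sort per family.
    ordered = sorted(networks, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return sorted(patterns), ordered


def host_matches(host, pattern):
    """Match one hostname against one feed entry. A leading '*.' matches one or
    more labels to the left of the suffix, so '*.sharepoint.com' covers
    'contoso.sharepoint.com' but not the bare 'sharepoint.com'."""
    host = host.lower().rstrip(".")          # tolerate a trailing dot (FQDN form)
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])    # pattern[1:] is ".sharepoint.com"
    return host == pattern


def is_bypassed(host, patterns):
    """True if the hostname falls under any Optimize/Allow URL pattern."""
    return any(host_matches(host, p) for p in patterns)


def ip_is_bypassed(ip, networks):
    """True if the address sits in any Optimize/Allow IP range (per family)."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in networks)


def render_pac(patterns, proxy="PROXY inspect.corp.example:8080"):
    """Emit a PAC file: bypassed hosts go DIRECT, everything else goes via the
    inspecting proxy. The proxy address is a placeholder for this example."""
    conds = " ||\n        ".join(f'shExpMatch(host, "{p}")' for p in patterns) or "false"
    return (
        "function FindProxyForURL(url, host) {\n"
        f"    if ({conds}) {{\n"
        '        return "DIRECT";\n'
        "    }\n"
        f'    return "{proxy}";\n'
        "}\n"
    )


if __name__ == "__main__":
    urls, nets = bypass_entries(load_endpoints(SAMPLE_JSON))
    print("Hostname patterns to exclude from inspection:", *urls, sep="\n  ")
    print("IP ranges to exclude from inspection:", *map(str, nets), sep="\n  ")
    print(render_pac(urls))
```

To run this against the real list, replace `SAMPLE_JSON` with the body fetched from the web service (with your own `clientrequestid` GUID) and re-run whenever Microsoft publishes a new version; the feed changes regularly, so the bypass list should be regenerated rather than maintained by hand.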
- Office 365 URLs (and IPs for Teams):
- outlook.office.com
- outlook.office365.com
- *.sharepoint.com
- 13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15, 2603:1063::/38
- smtp.office365.com
- *.protection.outlook.com
- *.lync.com
- *.teams.microsoft.com
- teams.microsoft.com
- *.officeapps.live.com
- *.online.office.com
- office.live.com
- *.auth.microsoft.com
- *.msftidentity.com
- *.msidentity.com
- account.activedirectory.windowsazure.com
- accounts.accesscontrol.windows.net
- adminwebservice.microsoftonline.com
- api.passwordreset.microsoftonline.com
- autologon.microsoftazuread-sso.com
- becws.microsoftonline.com
- ccs.login.microsoftonline.com
- clientconfig.microsoftonline-p.net
- companymanager.microsoftonline.com
- device.login.microsoftonline.com
- graph.microsoft.com
- graph.windows.net
- login.microsoft.com
- login.microsoftonline.com
- login.microsoftonline-p.com
- login.windows.net
- logincert.microsoftonline.com
- loginex.microsoftonline.com
- login-us.microsoftonline.com
- nexus.microsoftonline-p.com
- passwordreset.microsoftonline.com
- provisioningapi.microsoftonline.com
- *.compliance.microsoft.com
- *.protection.office.com
- *.security.microsoft.com
- compliance.microsoft.com
- defender.microsoft.com
- protection.office.com
- security.microsoft.com
- Your organization’s Security Token Service (STS) (For federated domains)
- Entra Hybrid Device Join
- https://device.login.microsoftonline.com
- Intune:
- manage.microsoft.com
- a.manage.microsoft.com
- *.dm.microsoft.com
- Defender and Defender for Endpoint
- *.dm.microsoft.com
- All the URLs at Configure and validate Microsoft Defender Antivirus network connections, with the exception of *.blob.core.windows.net, which should not bypass inspection.
- Microsoft Entra Private Access
- *.msappproxy.net
- *.servicebus.windows.net
- And for setting up Entra Private Access connectors on-premises you need the URLs listed at How to configure connectors for Microsoft Entra Private Access – Global Secure Access
- Windows 365
- A very long list of URLs found at Network requirements for Windows 365
Microsoft have a test tool, published at https://connectivity.office.com, that checks whether your SSL Break and Inspect configuration meets these recommendations. It tests all Optimize and Allow category endpoints and lists any on which SSL Break and Inspect is detected.
Use the Test Device Registration Connectivity script to validate if your devices can access the required Microsoft resources under the system account.
Photo by Markus Spiske: https://www.pexels.com/photo/light-road-landscape-sign-226460/