Whitelist inbound Office 365 IP addresses

Dan Boyle
Is there a definitive list of inbound Office365 IP addresses that will try to connect to our WAP server (in a DMZ) that is going to be used for ADFS? The security team are asking whether it is possible to lock down what IP addresses can connect to the server at a firewall level, or is this not achievable?

I am new to ADFS and O365.
Distinguished Expert 2018
Commented:
Your security team is probably NOT going to like the exercise, but this article from Microsoft should prove quite helpful as it contains information for various O365 services: https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2
btan, Exec Consultant
Distinguished Expert 2018
Commented:
You probably see this list in use:
If you’re using Active Directory Federation Services (AD FS) with your deployment, you can also use AD FS client access policies with Windows Server 2012 R2 or client access policies with AD FS 2.0 to further restrict and control access to Office 365.

Under the "Authentication and identity" section, there is the list of IPs:
https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US

Good to note:
WARNING: IP addresses filtering alone isn’t a complete solution due to dependencies on internet based services such as Domain Name Services, Content Delivery Networks (CDNs), Certificate Revocation Lists, and other third party or dynamic services. These dependencies include dependencies on other Microsoft services such as the Azure Content Delivery Network and will result in network traces or firewall logs indicating connections to IP addresses owned by third parties or Microsoft but not listed on this page. These unlisted IP addresses, whether from third party or Microsoft owned CDN and DNS services are dynamically assigned and can change at any time.

Author

Commented:
I think they are after a list of IP addresses that will be connecting to us, rather than what we will be connecting to in this instance - is there a definitive list?
Distinguished Expert 2018
Commented:
The problem is you're not going to get every single one for reasons that btan has actually given (and while I didn't mention it, that is partly why I pointed out that your security team isn't going to like the exercise, the other reason being the sheer number of IPs that are involved). So no, there's not going to be an entirely exhaustive list.
btan, Exec Consultant
Distinguished Expert 2018
Commented:
Agree with masnrock. There is no such definitive list, but there is some list, as shared by both of us. The security team need to be savvy that these services go through proxies as well and are not necessarily fixed. Let them know this is not going to be fruitful; instead they should run the service, track from the audit log and set a baseline of what the known sources are, inspect the SSL certificate, etc.
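As an added illustration of the baselining approach btan describes (example code, not from the thread or from Microsoft): parse inbound connection log lines, count sources hitting port 443 on the WAP, and split them into sources covered by the published Office 365 ranges and sources that are not, so the security team reviews a short list instead of chasing an exhaustive one. The ranges and log lines below are constructed placeholders; substitute the ranges from the linked Microsoft article and adapt the regex to the real WAP or firewall log format.

```python
import ipaddress
import re
from collections import Counter

# Constructed placeholders for the published Office 365 ranges (substitute the
# list from the Microsoft article); documentation prefixes, not real ranges.
PUBLISHED_RANGES = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24", "198.51.100.0/25", "2001:db8:100::/48")]

# Constructed sample log lines in a key=value style; adapt LINE_RE to the real format.
SAMPLE_LOG = """\
2018-05-01T10:00:01Z src=203.0.113.10 dst=192.0.2.5 dport=443 action=allow
2018-05-01T10:00:07Z src=203.0.113.10 dst=192.0.2.5 dport=443 action=allow
2018-05-01T10:01:12Z src=198.51.100.44 dst=192.0.2.5 dport=443 action=allow
2018-05-01T10:02:30Z src=192.0.2.200 dst=192.0.2.5 dport=443 action=allow
2018-05-01T10:02:31Z src=192.0.2.200 dst=192.0.2.5 dport=443 action=allow
2018-05-01T10:03:00Z src=2001:db8:100::7 dst=2001:db8:1::5 dport=443 action=allow
2018-05-01T10:04:00Z src=198.51.100.44 dst=192.0.2.5 dport=22 action=deny
2018-05-01T10:05:00Z src=999.1.1.1 dst=192.0.2.5 dport=443 action=allow
"""
LINE_RE = re.compile(r"src=(?P<src>[0-9a-fA-F.:]+) .*dport=(?P<port>\d+)")

def parse_sources(log_text, port=443):
    """Count connections per source address to the given destination port."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group("port")) != port:
            continue
        try:
            counts[ipaddress.ip_address(m.group("src"))] += 1
        except ValueError:
            continue  # malformed address: skip the line rather than abort
    return counts

def baseline(log_text, port=443, ranges=PUBLISHED_RANGES):
    """Split observed sources into published-range hits and unlisted ones."""
    known, unlisted = {}, {}
    for ip, n in parse_sources(log_text, port).items():
        # "ip in net" is False when the address and network versions differ
        (known if any(ip in net for net in ranges) else unlisted)[str(ip)] = n
    return known, unlisted

def review_candidates(log_text, min_hits=2):
    """Unlisted sources seen at least min_hits times: the ones to check
    (certificate, ownership) before they go near an allow list."""
    return sorted(ip for ip, n in baseline(log_text)[1].items() if n >= min_hits)
```

Re-run the baseline periodically, since the unlisted proxy and CDN addresses the Microsoft warning mentions can change at any time.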