Whitelist inbound office365 IP addresses

Is there a definitive list of inbound Office365 IP addresses that will try to connect to our WAP server (in a DMZ) that is going to be used for ADFS? The security team are asking whether it is possible to lock down what IP addresses can connect to the server at a firewall level, or is this not achievable?

I am new to ADFS and O365
Dan BoyleAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Your security team is probably NOT going to like the exercise, but this article from Microsoft should prove quite helpful as it contains information for various O365 services: https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
btanExec ConsultantCommented:
you probably see this list in use
If you’re using Active Directory Federation Services (AD FS) with your deployment, you can also use AD FS client access policies with Windows Server 2012 R2 or client access policies with AD FS 2.0 to further restrict and control access to Office 365.

under the "Authentication and identity" section, there is the list of IP

good to note
WARNING: IP addresses filtering alone isn’t a complete solution due to dependencies on internet based services such as Domain Name Services, Content Delivery Networks (CDNs), Certificate Revocation Lists, and other third party or dynamic services. These dependencies include dependencies on other Microsoft services such as the Azure Content Delivery Network and will result in network traces or firewall logs indicating connections to IP addresses owned by third parties or Microsoft but not listed on this page. These unlisted IP addresses, whether from third party or Microsoft owned CDN and DNS services are dynamically assigned and can change at any time.
Dan BoyleAuthor Commented:
I think they are after a list of IP addresses that will be connecting to us, rather than what we will be connecting to in this instance - is there a definitive list?
 Acronis Global Cyber Summit 2019 in Miami

The Acronis Global Cyber Summit 2019 will be held at the Fontainebleau Miami Beach Resort on October 13–16, 2019, and it promises to be the must-attend event for IT infrastructure managers, CIOs, service providers, value-added resellers, ISVs, and developers.

The problem is you're not going to get every single one for reasons that btan has actually given (and while I didn't mention it, that is partly why I pointed out that your security team isn't going to like the exercise, the other reason being the sheer number of IPs that are involved). So no, there's not going to be an entirely exhaustive list.
btanExec ConsultantCommented:
Agree with masnrock. There is no such definitive list but there is some list as shared by both of us. The security need to be savvy that these service goes through proxies as well and not necessary be fixed. Let them know this is not going to be fruitful and instead they should run the service and track from audit log and set a baseline what is the known sources ...inspect the SSL certificate etc
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Office 365

From novice to tech pro — start learning today.