← Back
Action Required: Update firewall configurations to include new network endpoints
MC1150664 · build prod-20251231-200323
Category
planForChange
Severity
normal
Major change
False
Last modified
2025-09-09 23:10:12
Summary source
Azure OpenAI (gpt-4.1)
Action by (Graph)
2025-12-01 08:00:00
Action by (AI)
Services
Basic Mobility and Security
Tags
User impact, Admin impact
Master tags
Network
Roadmap IDs

One-line summary

Starting December 2, 2025, Intune and Basic Mobility endpoints will use Azure Front Door IPs; update firewall allowlists to include AzureFrontDoor.MicrosoftSecurity ranges.

Similar updates

More like this
MC1183282 Reminder: Update firewall configurations to include new network endpoints
Reminder: Update firewall configurations to include new network endpoints Starting December 2, 2025, Intune network endpoints will use Azure Front Door IPs; update firewall allowlists to include 'AzureFrontDoor.MicrosoftSecurity' tag for continued connectivity. As mentioned in MC1150664, as part of Microsoft’s ongoing Secure Future Initiative.
MC1194061 IP address changes in Defender for Identity v2.x sensor communication
IP address changes in Defender for Identity v2.x sensor communication Defender for Identity v2.x sensors will use new IPs from the AzureAdvancedThreatProtection range starting mid-December 2025; update firewall rules if restricting outbound IPs. [Introduction] As part of ongoing infrastructure and security improvements, Microsoft Defender for.
MC1193371 How to use Microsoft Intune to update expiring Secure Boot certificates
How to use Microsoft Intune to update expiring Secure Boot certificates Intune now supports deploying and managing Secure Boot certificate updates for Windows clients, offering an alternative to registry and Group Policy methods. New settings are available but disabled by default. You can now deploy, manage, and monitor Secure Boot certificate.
MC1183612 Action Required to Enable Extended Security Update for local devices accessing Windows 365
Action Required to Enable Extended Security Update for local devices accessing Windows 365 Admins must deploy a custom policy via Intune or MDM to enable Windows 10 ESU for Windows 365 Cloud PCs before November 11, 2025, to receive the November security update. Windows 10 devices accessing Windows 365 Enterprise Cloud PCs and Windows 365.
MC1126219 Windows 11 cloud-native migration with Microsoft Intune
Windows 11 cloud-native migration with Microsoft Intune Admins should migrate Windows 10 domain-joined or hybrid Windows 11 devices to Microsoft Entra joined with Intune before Windows 10 support ends on October 14, 2025. Follow 5 steps to turn your Windows 10 domain-joined and co-managed devices to Microsoft Entra joined with Microsoft Intune..
MC665936 (Updated) Device Management Changes for Microsoft Teams Android Devices (Intune AOSP migration)
(Updated) Device Management Changes for Microsoft Teams Android Devices (Intune AOSP migration) Teams Android devices are migrating to Android AOSP management via firmware updates, requiring new Intune policies; auto-updates began May 15, 2025 and can be deferred for 60 days. Earlier this year, the new Microsoft device ecosystem platform built on.

Details

Summary
By December 2, 2025, update firewall allowlists to include Azure Front Door IP addresses or the service tag "AzureFrontDoor.MicrosoftSecurity" for Microsoft Intune and Basic Mobility and Security for Microsoft 365. Do not remove existing endpoints; add new ranges from the provided Azure IP range files.

Body (from Message Center)

As part of Microsoft’s ongoing Secure Future Initiative (SFI), starting on or shortly after December 2, 2025, the network service endpoints for Microsoft Intune will also use the Azure Front Door IP addresses. Since Basic Mobility and Security for Microsoft 365 uses Intune infrastructure, customers may need to add Azure Front Door IP addresses, if using a firewall allowlist that allows outbound traffic based on IP addresses or Azure service tags.

Do not remove any existing network endpoints required for Basic Mobility and Security for Microsoft 365. Additional network endpoints are documented as part of the Azure Front Door and service tags information referenced in the files linked below:

The additional ranges are those listed in the JSON files linked above and can be found by searching for “AzureFrontDoor.MicrosoftSecurity”.

[How this will affect your organization:]

If you have configured an outbound traffic policy for IP address ranges or Azure service tags for your firewalls, routers, proxy servers, client-based firewalls, VPN or network security groups, you will need to update them to include the new Azure Front Door ranges with the “AzureFrontDoor.MicrosoftSecurity” tag. 

[What you need to do to prepare:]

Ensure that your firewall rules are updated and added to your firewall’s allowlist with the additional IP addresses documented under Azure Front Door by December 2, 2025

Alternatively, you may add the service tag “AzureFrontDoor.MicrosoftSecurity” to your firewall rules to allow outbound traffic on port 443 for the addresses in the tag. 

If you are not the IT admin who can make this change, notify your networking team. If you are responsible for configuring internet traffic, refer to the following documentation for more details:

If you have a helpdesk, inform them about this upcoming change. If you need additional assistance, contact Microsoft Support and refer to this message center post.

Raw JSON (for debugging)

Expand/collapse the full payload below.
Show/hide raw 
{
  "snapshot_item": {
    "action_required_by": "2025-12-01T08:00:00Z",
    "ai_action_required_by": null,
    "ai_actions": [
      "Update firewall allowlists with Azure Front Door IPs",
      "Add AzureFrontDoor.MicrosoftSecurity service tag to firewall rules",
      "Notify networking team and helpdesk"
    ],
    "ai_master_tags": [
      "Network"
    ],
    "ai_model": "gpt-4.1",
    "ai_summary": "Starting December 2, 2025, Intune and Basic Mobility endpoints will use Azure Front Door IPs; update firewall allowlists to include AzureFrontDoor.MicrosoftSecurity ranges.",
    "ai_topics": [
      "Basic Mobility and Security",
      "Intune",
      "Microsoft 365"
    ],
    "category": "planForChange",
    "details_map": {
      "Summary": "By December 2, 2025, update firewall allowlists to include Azure Front Door IP addresses or the service tag \"AzureFrontDoor.MicrosoftSecurity\" for Microsoft Intune and Basic Mobility and Security for Microsoft 365. Do not remove existing endpoints; add new ranges from the provided Azure IP range files."
    },
    "id": "MC1150664",
    "importance": 4,
    "is_major_change": false,
    "last_modified": "2025-09-09T23:10:12Z",
    "ms_products": [
      "Basic Mobility and Security"
    ],
    "platforms": null,
    "roadmap_ids": [],
    "services": [
      "Basic Mobility and Security"
    ],
    "severity": "normal",
    "tags": [
      "User impact",
      "Admin impact"
    ],
    "title": "Action Required: Update firewall configurations to include new network endpoints"
  }
}