Reminder: Update firewall configurations to include new network endpoints
MC1183282 · build prod-20251231-200323
Category: planForChange
Severity: normal
Major change: False
Last modified: 2025-11-06 00:00:30
Summary source: Azure OpenAI (gpt-4.1)
Action by (Graph): 2025-12-02 08:00:00
Action by (AI):
Services: Basic Mobility and Security
Tags: User impact, Admin impact
Master tags: Network
Roadmap IDs:

One-line summary

Starting December 2, 2025, Intune network endpoints will use Azure Front Door IPs; update firewall allowlists to include 'AzureFrontDoor.MicrosoftSecurity' tag for continued connectivity.


Details

Summary
By December 2, 2025, update firewall allowlists to include Azure Front Door IP addresses tagged “AzureFrontDoor.MicrosoftSecurity” for Microsoft Intune and Basic Mobility and Security. Do not remove existing endpoints. Use the consolidated Intune endpoint list; previous scripts are outdated. Notify your networking team if needed.

Body (from Message Center)

As mentioned in MC1150664, as part of Microsoft’s ongoing Secure Future Initiative (SFI), starting on or shortly after December 2, 2025, the network service endpoints for Microsoft Intune will also use the Azure Front Door IP addresses. Since Basic Mobility and Security for Microsoft 365 uses Intune infrastructure, customers may need to add Azure Front Door IP addresses, if using a firewall allowlist that allows outbound traffic based on IP addresses or Azure service tags.

Do not remove any existing network endpoints required for Basic Mobility and Security for Microsoft 365. Additional network endpoints are documented as part of the Azure Front Door and service tags information referenced in the files linked below:

The additional ranges are those listed in the JSON files linked above and can be found by searching for “AzureFrontDoor.MicrosoftSecurity”.

[How this will affect your organization:]

If you have configured an outbound traffic policy for IP address ranges or Azure service tags for your firewalls, routers, proxy servers, client-based firewalls, VPN or network security groups, you will need to update them to include the new Azure Front Door ranges with the “AzureFrontDoor.MicrosoftSecurity” tag. 

Note: The previously available PowerShell scripts for retrieving Microsoft Intune endpoint IP addresses and FQDNs no longer return accurate data from the Office 365 Endpoint service. Instead, use the consolidated list provided in the Intune endpoints documentation. Using the original scripts or endpoint lists from the Office 365 Endpoint service is insufficient and may lead to incorrect configurations.

[What you need to do to prepare:]

Ensure that your firewall rules are updated and added to your firewall’s allowlist with the additional IP addresses documented under Azure Front Door by December 2, 2025.

Alternatively, you may add the service tag “AzureFrontDoor.MicrosoftSecurity” to your firewall rules to allow outbound traffic on port 443 for the addresses in the tag. 

If you are not the IT admin who can make this change, notify your networking team. If you are responsible for configuring internet traffic, refer to the following documentation for more details:

For network best practices, make sure to check out the blog: Support tip: Aligning network policy with Intune and Zero Trust

If you have a helpdesk, inform them about this upcoming change. If you need additional assistance, contact Microsoft Support and refer to this message center post.
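
An added example, not part of the Message Center post or any Microsoft script: one way to check an IP-based outbound allowlist against the “AzureFrontDoor.MicrosoftSecurity” entry of a service tags JSON file. It assumes the file uses the `values` / `name` / `properties.addressPrefixes` layout; the sample document, the allowlist and the function names are constructed for illustration, and the prefixes are documentation ranges, not real Microsoft addresses.

```python
import ipaddress
import json

TAG = "AzureFrontDoor.MicrosoftSecurity"

# Constructed sample in the assumed layout of a service tags JSON download.
# Prefixes are RFC 5737 / RFC 3849 documentation ranges, not real endpoints.
SAMPLE_SERVICE_TAGS = json.loads("""
{
  "changeNumber": 1,
  "cloud": "Public",
  "values": [
    {"name": "AzureFrontDoor.MicrosoftSecurity",
     "properties": {"addressPrefixes":
       ["198.51.100.0/25", "203.0.113.16/28", "2001:db8:100::/48"]}},
    {"name": "AzureFrontDoor.Frontend",
     "properties": {"addressPrefixes": ["192.0.2.0/24"]}}
  ]
}
""")

# Constructed example of what a firewall currently allows outbound on 443.
CURRENT_ALLOWLIST = ["198.51.100.0/24", "203.0.113.0/28"]


def tag_prefixes(doc, tag=TAG):
    """Return the address prefixes of one service tag as ip_network objects."""
    for entry in doc.get("values", []):
        if entry.get("name", "").lower() == tag.lower():
            prefixes = entry["properties"]["addressPrefixes"]
            return [ipaddress.ip_network(p, strict=False) for p in prefixes]
    raise KeyError(f"service tag {tag!r} not found in document")


def missing_prefixes(required, allowlist):
    """List required prefixes not fully contained in any single allowlist entry."""
    allowed = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    missing = []
    for net in required:
        # subnet_of() raises TypeError across IP versions, so compare versions first.
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            missing.append(str(net))
    return missing


if __name__ == "__main__":
    for prefix in missing_prefixes(tag_prefixes(SAMPLE_SERVICE_TAGS), CURRENT_ALLOWLIST):
        print(f"add outbound tcp/443 allow rule for {prefix}")
```

A prefix covered only by the union of several narrower allowlist entries is still reported as missing, which errs on the side of adding the rule rather than losing connectivity.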
