Microsoft 365 Message Center Archive

MC1020209 - Action Required - Microsoft Defender for Cloud Apps Network Configurations Changes

Message ID

MC1020209

View in Message Center

Service

Microsoft Defender XDR

Published

Feb 28, 2025

Tag

Major change
Admin impact

Act by

Mar 27, 2025

Summary

Update your firewall rules to allow outbound traffic on port 443 to new CDN endpoints and specific IP addresses by March 27, 2025, to ensure uninterrupted access to Microsoft Defender for Cloud Apps. Detailed instructions and required IP addresses are available in the provided documentation links.

More information

Due to ongoing work on Microsoft Defender for Cloud Apps aimed at improving security and performance, you are required to update network information in your system's firewall and additional third-party services by the dates noted below.

When this will happen:

Please follow these instructions by March 27, 2025, to ensure uninterrupted access to our services.

How this affects your organization:

You are receiving this message because our reporting indicates your organization may be using Microsoft Defender for Cloud Apps. Administrators may no longer be able to access Microsoft Defender for Cloud Apps services if the changes listed below are not completed by March 27, 2025, when this change is implemented.

What you need to do to prepare:

Please update your firewall rules to allow outbound traffic on port 443 to the new CDN endpoints before March 27, 2025:

  • cdn.cloudappsecurity.com
  • cdn-discovery.cloudappsecurity.com

All required outbound access URLs can also be found in Defender for Cloud Apps network requirements page under 'Portal Access'

To use Defender for Cloud Apps in the Microsoft Defender Portal, make sure you add outbound port 443 for all IP addresses and DNS names listed in our documentation to your firewall's allowlist.

To connect to third-party apps, enable Defender for Cloud Apps to connect from these IP addresses, also available in our documentation:

  • US1: 23.101.201.123, 20.228.186.154
  • US2: 20.15.114.156, 172.202.90.196
  • US3: 20.3.226.231, 4.255.218.227
  • EU1: 20.71.203.39, 137.116.224.49
  • EU2: 20.0.210.84, 20.90.9.64

For US Government GCC and GCC High customers, to ensure the proper function of access controls, the following IP addresses used by our reverse proxy regions should be added to the allow list for both inbound and outbound connections:

  • US Government GCC High:
    • 52.235.156.231
    • 52.235.156.197
    • 52.235.157.183
    • 52.235.156.9
    • 52.235.156.225
    • 52.235.157.175
    • 52.235.157.131
    • 52.235.157.11
    • 52.126.39.112
    • 52.235.156.151
  • US Government GCC:
    • 52.126.33.153
    • 52.126.39.65
    • 52.235.138.253
    • 52.235.139.4
    • 52.235.139.36
    • 52.235.139.75
    • 52.235.139.92
    • 52.235.139.103
    • 52.235.139.134
    • 52.235.139.141

To stay up to date on IP ranges that impact the experiences in Microsoft Defender for Cloud Apps in the areas of portal experience access, access and session controls, SIEM agent connection, app connectors, mail server, and log collector, it's recommended to refer to the Microsoft Azure service tag documentation. The latest IP ranges for Microsoft Defender for Cloud Apps services are found in the service tag 'MicrosoftCloudAppSecurity'. For more information, Virtual network service tags. 

When this change takes effect, you will not need to take any action if you have followed the instructions above.

Learn more: Network requirements