Action Required: Update firewall configurations to include new Intune network endpoints

By December 2, 2025, update firewall rules to include new Azure Front Door IP ranges (tagged “AzureFrontDoor.MicrosoftSecurity”) for Microsoft Intune. This ensures uninterrupted device and app management connectivity. Keep existing Intune endpoints and notify your IT/network team to implement these changes. As part of Microsoft’s ongoing Secure Future Initiative (SFI), starting on or shortly after December 2, 2025, the network service endpoints for Microsoft Intune will also use the Azure Front Door IP addresses. This improvement supports better alignment with modern security practices and over time will make it easier for organizations using multiple Microsoft products to manage and maintain their firewall configurations. As a result, customers may be required to add these network (firewall) configurations in third-party applications to enable proper function of Intune device and app management. This change will affect customers using a firewall allowlist that allows outbound traffic based on IP addresses or Azure service tags. Do not remove any existing network endpoints required for Microsoft Intune. Additional network endpoints are documented as part of the Azure Front Door and service tags information referenced in the files linked below: Public clouds: Download Azure IP Ranges and Service Tags – Public Cloud from Official Microsoft Download Center  Government clouds: Download Azure IP Ranges and Service Tags – US Government Cloud from Official Microsoft Download Center  The additional ranges are those listed in the JSON files linked above and can be found by searching for “AzureFrontDoor.MicrosoftSecurity”. How this will affect your organization: If you have configured an outbound traffic policy for Intune IP address ranges or Azure service tags for your firewalls, routers, proxy servers, client-based firewalls, VPN or network security groups, you will need to update them to include the new Azure Front Door ranges with the “AzureFrontDoor.MicrosoftSecurity” tag.  Intune requires internet access for devices under Intune management, whether for mobile device management or mobile application management. If your outbound traffic policy doesn’t include the new Azure Front Door IP address ranges, users may face login issues, devices might lose connectivity with Intune, and access to apps like the Intune Company Portal or those protected by app protection policies […]

The post Action Required: Update firewall configurations to include new Intune network endpoints appeared first on M365 Admin.