Required Microsoft 365 URLs, Endpoints, and Network Requirements for Migration
A successful Microsoft 365 mailbox migration depends not only on the migration tool but also on proper network connectivity. Whether you are performing an EdbMails Office 365 migration Tool, communication must occur seamlessly between the source environment, Microsoft 365 services, authentication endpoints, and Exchange Online APIs. If firewalls, proxy servers, web filters, or security gateways block the required Microsoft 365 endpoints, migration jobs may fail, experience delays, or encounter authentication and connectivity issues.
Microsoft publishes an official list of Microsoft 365 endpoints that administrators should allow before starting any migration project. Because these endpoints are updated periodically, it is important to verify the latest Microsoft recommendations before configuring firewall, proxy, or network security policies.
This article explains the Microsoft 365 IP addresses and URLs commonly required during mailbox migration, why they are important, and the network configuration best practices that help ensure a successful migration.
Why Microsoft 365 IP Addresses and URLs Are Required
Mailbox migration involves secure communication with several Microsoft cloud services. Each service performs a specific function during authentication, mailbox access, and data transfer.
Administrators must ensure that network devices permit access to the required Microsoft 365 endpoints for:
- User authentication.
- Exchange Online mailbox connectivity.
- Microsoft Graph API communication.
- Autodiscover service requests.
- Microsoft Entra ID authentication.
- DNS name resolution.
- Secure HTTPS communication.
- Migration API requests.
Blocking any of these services can interrupt mailbox discovery, authentication, or data synchronization.
Microsoft 365 Services Used During Migration
Exchange Online
Exchange Online is the primary destination for mailbox data during Microsoft 365 migration.
It is responsible for:
- Mailbox access.
- Folder synchronization.
- Email migration.
- Calendar migration.
- Contacts migration.
- Public folder communication (where applicable).
If Exchange Online endpoints are unavailable, migration software cannot access or write mailbox data.
Microsoft Graph
Microsoft Graph provides a unified API for Microsoft 365 services and is commonly used for modern authentication and Microsoft 365 resource access.
Depending on the migration scenario, Microsoft Graph may be used for:
- User validation.
- Permission verification.
- Microsoft 365 object access.
- Administrative operations.
Blocking Graph endpoints may result in API authentication or authorization failures.
Microsoft Entra ID (Azure AD)
Microsoft Entra ID authenticates users, administrators, and applications accessing Microsoft 365.
During migration, it handles:
- OAuth authentication.
- Token issuance.
- User sign-in.
- Identity verification.
- Application authentication.
If authentication endpoints are blocked, migration sessions cannot be established.
Autodiscover
The Autodiscover service enables migration software to automatically locate Exchange Online mailbox services.
Autodiscover simplifies:
- Mailbox discovery.
- Exchange Web Services configuration.
- Service endpoint detection.
If Autodiscover cannot be reached, mailbox connection attempts may fail.
Outlook Connectivity
Outlook connectivity services allow client applications and migration tools to communicate with Exchange Online.
These services assist in:
- Mailbox connectivity.
- Service discovery.
- Profile configuration.
Connectivity issues may cause intermittent migration failures.
SMTP Services
SMTP is primarily used for email transport rather than mailbox migration. However, organizations may require SMTP connectivity when validating mail flow or performing post-migration testing.
Blocking SMTP endpoints generally does not stop mailbox migration but may affect email delivery verification.
HTTPS Communication
Nearly all Microsoft 365 migration traffic is transmitted over HTTPS using TCP port 443.
HTTPS is required for:
- Authentication.
- Exchange Online communication.
- Microsoft Graph.
- Autodiscover.
- Administrative APIs.
Any interruption to HTTPS communication can prevent successful migration.
Required Microsoft 365 URLs
Microsoft recommends allowing Microsoft 365 URLs rather than relying solely on IP addresses.
Common Microsoft 365 URLs include:
| URL | Purpose | Required? |
| https://login.microsoftonline.com | Microsoft Entra ID authentication and OAuth token issuance | Yes |
| https://graph.microsoft.com | Microsoft Graph API for tenant and mailbox operations | Yes |
| https://outlook.office365.com | Exchange Online mailbox connectivity | Yes |
| https://outlook.office.com | Exchange Online service endpoint used by Microsoft 365 | Yes |
| https://autodiscover.outlook.com | Automatically discovers mailbox configuration | Yes |
| https://office.com | Microsoft 365 service discovery and sign-in workflows | Recommended |
| https://login.live.com | Required only in specific authentication scenarios involving Microsoft personal accounts | Optional |
Wildcard entries help accommodate Microsoft's cloud architecture, where individual service endpoints may change over time.
Administrators should always verify the latest endpoint information using Microsoft's official Microsoft 365 endpoint documentation before implementing firewall or proxy rules.
Firewall and Proxy Configuration Best Practices
Before beginning a migration, review network security policies to ensure Microsoft 365 traffic is not interrupted.
Recommended practices include:
- Allow outbound HTTPS traffic over TCP port 443.
- Exclude Microsoft 365 endpoints from SSL or TLS inspection where organizational policies permit.
- Avoid deep packet inspection on Microsoft 365 traffic if it introduces latency or connection resets.
- Ensure proxy authentication does not interfere with migration software.
- Permit DNS resolution for Microsoft 365 services.
- Review web filtering policies to prevent blocking Microsoft endpoints.
- Verify sufficient network bandwidth for large mailbox migrations.
- Minimize network latency between migration servers and Microsoft 365.
Proper firewall and proxy configuration reduces connection interruptions and improves migration performance.
Common Migration Issues Caused by Blocked Endpoints
Incorrect network configuration can produce a variety of migration problems.
Common symptoms include:
- Authentication failures.
- Mailbox connection errors.
- Autodiscover failures.
- HTTPS connection timeouts.
- Connection resets.
- Slow mailbox synchronization.
- Microsoft Graph API errors.
- Intermittent migration failures.
- Excessive retry attempts.
- Migration job interruptions.
Reviewing firewall logs, proxy logs, and migration reports can help identify blocked Microsoft 365 endpoints.
Microsoft Endpoint Verification
Microsoft regularly updates Microsoft 365 service endpoints to support new features, improve scalability, and enhance security.
Before every migration project, administrators should:
- Review Microsoft's latest endpoint documentation.
- Confirm required URLs are allowed.
- Check endpoint changes before large migration projects.
- Test connectivity from the migration server.
Keeping endpoint information up to date helps prevent unexpected connectivity issues during migration.
Best Practices Before Migration
Before starting mailbox migration:
- Verify firewall rules.
- Review proxy configuration.
- Allow all required Microsoft 365 URLs.
- Confirm DNS resolution is functioning correctly.
- Test HTTPS connectivity.
- Validate Microsoft Entra ID authentication.
- Perform a pilot migration with a small group of mailboxes.
- Monitor migration logs throughout the migration process.
- Review network performance and bandwidth utilization.
- Keep Microsoft endpoint information up to date.
Following these practices reduces migration risks and helps ensure consistent connectivity throughout the project.
How EdbMails Helps Simplify Microsoft 365 Migrations
EdbMails is designed to work with Microsoft's recommended authentication and connectivity methods for Microsoft 365 migrations. Before starting a migration, ensure that the required Microsoft 365 URLs and network ports are accessible from the system running EdbMails.
Key capabilities include:
- Supports Modern Authentication: Uses Microsoft Entra ID (Azure AD) modern authentication (OAuth 2.0) to establish secure connections with Microsoft 365.
- Connects to Required Microsoft 365 Services: Communicates with Exchange Online, Microsoft Graph, and Autodiscover services to discover mailboxes and perform migration tasks.
- Secure HTTPS Communication: Transfers migration data over encrypted HTTPS (TCP port 443) to help ensure secure communication with Microsoft 365 services.
- Automatic Mailbox Discovery: Uses Autodiscover to locate Exchange Online mailbox endpoints, reducing the need for manual configuration.
- Supports Large-Scale Migrations: Enables administrators to migrate multiple mailboxes while maintaining connectivity with Microsoft 365 services, subject to Microsoft's service limits and throttling policies.
- Detailed Migration Logging: Generates migration logs that help administrators identify authentication failures, connectivity issues, blocked endpoints, and other migration-related errors.
- Resumable Migration Jobs: Allows interrupted migration jobs to resume from the last successful state, minimizing the impact of temporary network interruptions.
- Pre-Migration Validation: Helps administrators verify mailbox connectivity and permissions before initiating a migration, reducing the likelihood of migration failures.
Note: EdbMails relies on Microsoft 365 services and required endpoints for authentication and mailbox access. If required, Microsoft 365 URLs or HTTPS traffic are blocked by a firewall, proxy server, or network security device, migration operations may fail until the necessary access is restored.
Conclusion
Microsoft 365 migrations rely on secure communication with several cloud services, including Exchange Online, Microsoft Graph, Microsoft Entra ID, and Autodiscover. Proper firewall, proxy, and network configuration is essential to maintain uninterrupted communication with these services.
Because Microsoft periodically updates its cloud infrastructure, administrators should verify the latest URLs before every migration. Allowing the required endpoints, validating network connectivity, and performing a pilot migration can significantly reduce the likelihood of authentication issues, connection failures, and migration interruptions.
Frequently Asked Questions
Why are Microsoft 365 URLs preferred over IP addresses?
Microsoft recommends allowing URLs and FQDNs because cloud service IP addresses can change as Microsoft updates its infrastructure. URL-based allow lists are easier to maintain and provide more reliable access.
Which port is required for Microsoft 365 migration?
Most Microsoft 365 migration traffic uses HTTPS over TCP port 443. This port should be permitted through firewalls and proxy servers.
What happens if Microsoft Graph endpoints are blocked?
Blocking Microsoft Graph endpoints can prevent authentication, API communication, permission validation, and other Microsoft 365 administrative operations required during migration.
Should SSL or TLS inspection be enabled for Microsoft 365 traffic?
SSL or TLS inspection can interfere with secure Microsoft 365 communications in some environments. Microsoft generally recommends excluding Microsoft 365 endpoints from inspection where organizational security policies allow.
How often should Microsoft 365 endpoints be reviewed?
Microsoft updates its endpoint lists regularly. Administrators should review the latest endpoint documentation before every migration project and periodically verify that firewall and proxy configurations remain current.

